Account Lockdown pertaining on the Domain controller
Created: 31 May 2011 | 7 comments
Hello,
I have a problem regarding the lockdown of the account; it always occurs on the domain controller. The solution that we used is to reboot the PC, but after maybe 5 - 10 mins the problem occurs again.
It may be DownAdup, but the PC is fully patched and updated, and after I ran a full scan no virus was found. I don't think it is a virus.
Many entries were found in the System log
User Administrator
Event ID 12294
Source SAM
Type Error
Description The SAM database was unable to lockout the account of due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
I don't know what the error means, or how I can find a permanent solution for this.
Any reply will do sir. Thanks in advance.
Comments
Keep a strict password. Patches need to be installed on all systems.
Turn on IPS, if not enabled.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Enable debug logging for the Net Logon service
http://support.microsoft.com/kb/109626
It will get you the source. Also, as Pete suggested, enable IPS and Risk Tracer in the Auto-Protect options.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Enable Debug Login
Microsoft Speaks.
Hello,
Yes, many viruses (Downadup.B, for example) attempt to spread by enumerating network shares (including the ADMIN$ shares). They will try to establish a connection as an existing user by authenticating with a predetermined list of common passwords. These attempts are likely to fail, and that could result in Active Directory placing restrictions on the user account that made repeated failed attempts.
In instances where a network experiences widespread lockout and a virus is suspected, you, as an administrator, should examine your network's audit logs. What resources on the network is the account attempting to access?
Auditing is an important part of a network's security, though it is a feature of Windows and Active Directory rather than of a Symantec product.
I found a Microsoft article on these account lockups:
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped yo
Hi,
I would suggest involving Microsoft as well in this case.
If the system is fully patched and you also think it's not a virus issue, run the SEP support tool just to make sure no suspicious files are present.
Here is the location of the Symantec Endpoint Protection Support Tool:
http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe
In some cases it may happen that you have logged in with admin credentials on some computer X in the network and somebody is typing the wrong password intentionally.
If possible rename your admin account and check.
Thanks and Regards,
Chetan Savade
Technical Support Analyst,
End Point Security, Enterprise Technical Support
Hi,
If you don't know what the error means, you should investigate it with Microsoft.
Please note that, in case of an infection like Downadup, you see several authentication failures in the Domain Controller logs, but you need to check the source field of those logs to know which machines the attempts come from. The infection is where the attack comes from, i.e. where the logon attempts are made (by a malicious process), not where they are just logged, on the target of the attack.
Regards,
Giuseppe
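Added example, not part of any poster's reply: with the Net Logon debug logging suggested earlier in the thread enabled, the domain controller's netlogon.log names the originating machine of each logon, which is the source field the reply above says to check. This Python sketch counts failed logons per source machine; the sample lines are constructed, and the domain, host names and exact line layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample of netlogon.log debug lines (domain and host names are made up).
SAMPLE_LOG = r"""
05/31 10:15:02 [LOGON] CORP: SamLogon: Network logon of CORP\Administrator from WKS-017 Entered
05/31 10:15:02 [LOGON] CORP: SamLogon: Network logon of CORP\Administrator from WKS-017 Returns 0xC000006A
05/31 10:15:03 [LOGON] CORP: SamLogon: Network logon of CORP\Administrator from WKS-017 Returns 0xC000006A
05/31 10:15:03 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\Administrator from WKS-017 (via DC02) Returns 0xC0000234
05/31 10:15:09 [LOGON] CORP: SamLogon: Network logon of CORP\administrator from FILESRV-02 Returns 0xC000006A
05/31 10:16:40 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from WKS-044 Returns 0xC000006A
05/31 10:17:11 [LOGON] CORP: SamLogon: Interactive logon of CORP\Administrator from DC01 Returns 0x0
"""

# NTSTATUS values that mean the authentication attempt failed.
FAILURE_CODES = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000064: "no such user",
}

# Only "Returns" lines carry a result; "Entered" lines are skipped by the pattern.
LINE_RE = re.compile(
    r"\[LOGON\].*?SamLogon: (?:Transitive )?\w+ logon of "
    r"(?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?P<source>\S+)"
    r"(?: \(via [^)\s]+\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def failed_logons(log_text, account):
    """Return {source machine: Counter(failure reason)} for one account."""
    per_source = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"].lower() != account.lower():
            continue
        reason = FAILURE_CODES.get(int(m["status"], 16))
        if reason is None:  # success, or a status this sketch does not track
            continue
        per_source.setdefault(m["source"].upper(), Counter())[reason] += 1
    return per_source

def top_sources(log_text, account):
    """Source machines ordered by number of failed logons, highest first."""
    totals = [(src, sum(c.values())) for src, c in failed_logons(log_text, account).items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for source, total in top_sources(SAMPLE_LOG, "Administrator"):
        print(f"{source:12} {total} failed logons")
```

The machine at the top of the list is the one to inspect for a malicious process, a stale saved credential or a misconfigured service, rather than the domain controller that only recorded the failures.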
Vulnerability Assessment.
Hi,
If the account gets locked out frequently on multiple computers and you suspect a virus, then you need to do a vulnerability assessment. It is quite possible that all Microsoft patches are installed. However, what about patches for other software, for example Adobe?
As suggested in the previous posts, I suggest turning on IPS if it is not enabled.
Vulnerability assessment can be done in two ways, manual and automated. Manual requires special skills like reverse engineering, which involves the use of tools like a disassembler and a decompiler. One needs to have sound knowledge of assembly language, shell coding, etc.
You can use automated tools to scan your network for vulnerabilities. You can scan for IP addresses and get granular to port numbers and protocols as well (TCP or UDP). These tools have updated information on vulnerabilities. Below are some tools. Nessus can be used for free for non-commercial use.
IBM ISS: http://www.iss.net/
Nessus : http://www.tenable.com/products/nessus
Core Impact http://www.coresecurity.com/content/core-impact-ov...
SAINT http://www.saintcorporation.com/
SARA http://www-arc.com/sara/
I have used Nessus, it is quite a simple tool.
Here are some sites that provide information on the latest vulnerabilities.
Common Vulnerability Database http://cve.mitre.org/
Security focus http://www.securityfocus.com/
DHS National Vulnerability Database http://nvd.nist.gov
United States Computer Emergency Readiness Team http://www.us-cert.gov/
Open Source Vulnerability Database http://osvdb.org/
---------------------------------
Vikas
--
Don't forget to mark your thread as 'solved' with the answer that best helped you!