SEP 11 security event id 599 on Domain Controller

Updated: 21 May 2010 | 39 comments

0 0 Votes

We are in the process of testing SEP 11 in our network we have 8 clients (All SEP Features installed) one dedicated SEPM (W2K3) test server, one domain controller and member server (Antivirus and Antispyware installed). All has been good with the test, the client rollout via the SEP Console, the SEP remote Console install. The one issue that we have had in our two week test besides that SEP decomposer LiveUpdate problem last week is that we are seeing these Failed Security Audits on our domain controller:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 599
Date:  2/25/2008
Time:  4:48:04 PM
User:  NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Unprotection of auditable protected data.
  Data Description:  CValidateComCaller
  Key Identifier:  921466af-0fa9-4321-8e94-eba34a0b7959
  Protected Data Flags: 0x0
  Protection Algorithms: 3DES-168 , SHA1-160
  Failure Reason:  0xD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 600
Date:  2/25/2008
Time:  4:48:03 PM
User:  NT AUTHORITY\SYSTEM
Computer: DC1
Description:
A process was assigned a primary token.
Assigning Process Information:
  Process ID: 744
  Image File Name: C:\WINDOWS\system32\svchost.exe
  Primary User Name: DC1$
  Primary Domain: SCOPE
  Primary Logon ID: (0x0,0x3E7)
New Process Information:
  Process ID: 4604
  Image File Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
  Target User Name: DC1$
  Target Domain: SCOPE
  Target Logon ID: (0x0,0x3E7)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date:  2/25/2008
Time:  4:48:03 PM
User:  NT AUTHORITY\SYSTEM
Computer: DC1
Description:
A new process has been created:
  New Process ID: 4604
  Image File Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
  Creator Process ID: 744
  User Name: DC1$
  Domain:  SCOPE
  Logon ID:  (0x0,0x3E7)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

According to eventid 599 is for encrypted data. the server has no encrypted data and I verfied with Efsinfo. Obviously these errors are created when these processes are initiated. The LiveUpdate Policy is set as: "Use the default management server". Any input or help would be greatly appreciated!

Dennis

Discussion Filed Under:

Security, Endpoint Protection (AntiVirus) - 11.x

Comments RSS Feed

Comments

Feb

2008

0 Votes 0

Dennis Martinez

I am suprised the no one has commented on this problem. Before I spend hours on the phone with Symantec Support I wanted to see if anyone out there had the same issue. This must be some issolated issue in our network I guess. This is what I have done so far to try to pin point the problem. I created a container in our Symantec Group called Domain Controllers. I moved my domain controller to that container I stopped the inheritance of policies from parent on this container. I created a new LiveUpdate Policy "Domain Controller LiveUpdate Policy" that will make the client update from symantec live update server everyday at 12:00 pm with retry interveral every hour and allow the client to start LiveUpdate. This policy is only being applied to this Domain Controller container. I removed all other policies minus the "antivirus and antispyware" and the "Domain Controller LiveUpdate Policy" from this container. These are the only two polices being applied to this container. The event id 599 are logged when the client tries a LiveUpdate, I verified this by intiating a LiveUpdate on the client and it registers to Event ID 599 back-to-back:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 599
Date:  2/28/2008
Time:  8:39:26 AM
User:  NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Unprotection of auditable protected data.
  Data Description:  CValidateComCaller
  Key Identifier:  921466af-0fa9-4321-8e94-eba34a0b7959
  Protected Data Flags: 0x0
  Protection Algorithms: 3DES-168 , SHA1-160
  Failure Reason:  0xD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Then leaving the client alone and have it set by the policy to Update from Symantec.com at 12:00 pm I would think I would get these errors only at this time. But, I still get these event id 599 register themselves and there are intermitten:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 599
Date:  2/28/2008
Time:  8:57:10 AM
User:  NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Unprotection of auditable protected data.
  Data Description:  CValidateComCaller
  Key Identifier:  921466af-0fa9-4321-8e94-eba34a0b7959
  Protected Data Flags: 0x0
  Protection Algorithms: 3DES-168 , SHA1-160
  Failure Reason:  0xD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Please any help would great! We will not deploy until we get this resolved and unfortunate at this time I only have one domain controller to test. Our Second Domain Controller is our Symantec Antivirus Corporate Edition 10.1 server. I do not want to deploy SEP and mess up our network Antivirus!

Feb

2008

0 Votes 0

Dennis Martinez

I dcpromo'd a member server and installed SEP (Antivirus and Anitspyware only) addedd to the "Domain Controller" Container in SEP and I do not get these event 599 id. So that excludes the fact that it is a domain controller. This problem is isolated to this server only! I quite don't understand the errors point to encryption issues but we have no data that is encrypted on that server. I will call Symantec and post my fix if I ever get one incase someone else runs into the same problem.

Mar

2008

0 Votes 0

pula

I have the same problem on 2 workstations (out of 45).

The workstaions hav XP SP2 installed.

Error:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 599
Date:  2/28/2008
Time:  8:39:26 AM
User:  NT AUTHORITY\SYSTEM
Computer: ********
Description:
Unprotection of auditable protected data.
  Data Description:  CValidateComCaller
  Key Identifier:  921466af-0fa9-4321-8e94-eba34a0b7959
  Protected Data Flags: 0x0
  Protection Algorithms: 3DES-168 , SHA1-160
  Failure Reason:  0xD

I am sure that this error is not related to the DC, but I could not find anythig whicy would generate it.

Mar

2008

0 Votes 0

Dennis Martinez

I have symantec case# 311-855-662 opened as of Thursday the 29th. I have not heard from them since Friday, when they told me that they are working on my problem. I will have to call today and get some updated status on this issue. Also, I have determined that it is not DC problem since I have installed SEP (Antivirus and Antispyware only) on another DC and I had no issues. I looked up event 599 on eventid.com and the errors associate themselves to encrypted files. I searched the server using a tool called FindHiddenFiles, to search for encrypted files and found only password protected files (Qty of 5). I honestly do not believe that this error is associating itself with encrypted files. I spent an hour and half on the phone must of the time on wait, but I documented this forum on the case number. I have ran out of ideas to troubleshoot. You are having this issues on WinXP clients (2 of them), what kind of applications and services are you running on these clients. Maybe reconciling our systems we can find something ourselves. My system is a domain Controller that hold all the FSMO Roles and is the GC for our domain. It hosts: DNS, DHCP, Print Server, and is our File Server. Let me know what your Systems our hosting... Also, do you get events 592 and 600 before the event 599?

Mar

2008

0 Votes 0

Warlock

I too have a case open also under the same conditions. 290-943-473. There hasn't been any repsonse from them either. Looks like I need to follow up.

Mar

2008

0 Votes 0

Dennis Martinez

I had to run a utility that I had to download from symantec. Then I had to upload a 108MB zip file for them to anaylze. I have not heard from them yet I uploaded the information yesterday Morning. I will follow up with them this afternoon the utility was called: SymBatchSep 1.688.exe. It took about 3 hours to run on the server to collect the necessary data. We will proceed with the deployment of SEP to the rest of our Network nodes this week. I will surely keep an eye out for any of these errors. Please, if anyone has more input or has resolved this issue post it up! This is according to symantec is an issue that they have not experienced and cannot simulate on their test machines.

Mar

2008

0 Votes 0

Dennis Martinez

Just to keep you guys updated they could not analyze the zip file I uploaded. So we started are deployment in our live environment. We uninstalled Anitviurus Corporate Edition from our Domain Controller and did a fresh install of SEPM. All was fine... Starting the deployment of clients so I installed the SEP (Antivirus and Antispyware) client to the SEPM Domain Controller and getting Event id 599 on this server also. Reinstalled the Client on my originall Domain Controller that was having this issue and it is still registering these events. Here is what we are auditing in the Domain Controller OU:

Audit account logon events  Success, Failure
Audit account managemnet  Success, Failure
Audit directory service access  Success, Failure
Audit logon events   Success, Failure
Audit object access   Failure
Audit policy change   Success
Audit privilege use   Failure
Audit system events   Sucess

It is something with the auditing since it is registering Failed Securiyt Events. Can you guys post if you guys are auditing on your clients... Maybe this is the problem. Also I am resubmitting the zip files to symantec so they can anaylze it.

Dennis

Mar

2008

0 Votes 0

Dennis Martinez

Still no response from Symantec Support they are still "analyzing" the data. Will post when something is done...

May

2008

0 Votes 0

TechGuyJustin

I get this on just about all of our servers. If anyone has a solution please inform.

Thanks a lot!!

May

2008

0 Votes 0

Dennis Martinez

The latest I got with Symantec is that they have never heard or seen this issue. I installed MR2 on SEPM and all my server clients and now I am only getting these event 599 on one domain controller. They made me get a Process Monitor Capture and I sent them my security log. They are reviewing these items. Techguy, are your servers auditing?

May

2008

0 Votes 0

TechGuyJustin

Are my servers auditing? I guess I dont exactly know what you mean. I have a eventsentry auditing my server logs and sending them to my email if that is what you mean.

May

2008

0 Votes 0

TechGuyJustin

Dose anyone have a solution to this problem it is very annoying!!

May

2008

0 Votes 0

Dennis Martinez

I mean what are you auditing. You should have some GPO or LGPO telling the Local/Policies what to log. I.E. Logon Events (Success or Failures), Audit Object Access (Success or Fauilures). With out these set polices GPO or Local your server will not make an entry in the security log. I believe it is the Account Log on that is registering this event. I will have to test this during off hours in the weekend disable all loggning and find out which one is registering this event. That will help us track down the process that is causing these errror.s

May

2008

0 Votes 0

TechGuyJustin

EVENT # 16333164 EVENT LOG Security EVENT TYPE Audit Failure SOURCE Security CATEGORY Detailed Tracking EVENT ID 599 USERNAME NT AUTHORITY\SYSTEM COMPUTERNAME Server01 TIME 5/9/2008 8:36:13 AM MESSAGE Unprotection of auditable protected data.
Data Description: CValidateComCaller
Key Identifier: a8c17b82-1493-423c-946d-4243c28fb5c4
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: 0xD

Nobody else gets these? I get about 1 per server per minute, its ridiculous.

May

2008

0 Votes 0

CommerceSNI

I have similar events in the security logs on a Non-domain Controller, Server 2003 R2 fully patched, and non-domain member, SEP11 MR2 Anti-viurs and Anti-spyware only:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 599
Date:  5/13/2008
Time:  12:18:52 PM
User:  NT AUTHORITY\SYSTEM
Computer: CWIC-SEP
Description:
Unprotection of auditable protected data.
  Data Description:  CValidateComCaller
  Key Identifier:  2b20f10c-849f-40cb-a98a-fbb3364541cb
  Protected Data Flags: 0x0
  Protection Algorithms: 3DES-168 , SHA1-160
  Failure Reason:  0xD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

These are my auditing settings, the defaults (I think) for R2, non-domain member, workgroup only...

Audit account logon events  Failure
Audit account managemnet Failure
Audit directory service access No auditing
Audit logon events  Failure
Audit object access   Failure
Audit policy change  Failure
Audit privilege use   Failure

Audit Process Tracking Failure
Audit system events Failure

May

2008

0 Votes 0

Dennis Martinez

I have not seen this error any other client. It has to be the Logon Failure Audit. Like I said I have not had a chance to stop the auditing for the server. It is my Domain Controller so I will have to do this sometime in the weekend. Obviously it is a Failure Audit. So disabling Audit will just be a temporary fix. I have Symantec Support still anaylzing my Process Monitor, and Log files. As soon as I hear from them I will update the forum. The Symantec Analysts did a search on the internet and this is the only item that pops our on the internet. UNBELIEVABLE!

May

2008

0 Votes 0

Dennis Martinez

This is what I got from Symantec Support:

Greetings,

I talked to our backline team and was told to send you this link regarding the event id 599.

http://www.microsoft.com/products/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.1.2600.0&EvtID=599&Evtsrc=Security&FileVer=5.1.2600.0&FileName=MsAuditE.dll&EvtType=Failure%20Audit&LCID=

It states that the message is for informational purposes only, and a suggested workaround is to disable auditing.

If you would like to continue working this issue I would have to push it further up the line but it could take some time.

Let me know what you would like to do and I will take the appropriate steps to get this moving.

If you have any additional questions simply respond to this email and I will get back to you as soon as possible.

Sincerely,
Gaelan

May

2008

0 Votes 0

Dennis Martinez

I replied stating that I believe Symantec should find a resolution for this problem...

May

2008

0 Votes 0

TechGuyJustin

Keep on them, I bet alot more people get this message they just dont look in there logs.

Thanks!!

May

2008

0 Votes 0

CommerceSNI

That does not sound like an acceptable workaround to me.

May

2008

0 Votes 0

Dennis Martinez

I am awaiting as to what will be the next step from Symantec. I knew from testing that it was the auditing logon Failures that is causing this event. But it is our Domain Controller so disabling Autiding is not an acceptable workaround. I let Symantec know that and told them I need a resolution to this issue as my event log is rapidly growing and overwriting events at a faster rate with all these errors.

May

2008

0 Votes 0

Mohan Ranjith

Disable Intrusion Prevention policy from SEPM and refresh the policies on the client. This has solved the problem

May

2008

0 Votes 0

CommerceSNI

That didnt work for me, i thought it had, but it only slowed the error messages down a bit, one or two per hour instead of the 6-8 messages per hour before....

May

2008

0 Votes 0

Mohan Ranjith

Disable anonymous access in your IIS and enable Integrated authentication - this should solve the problem

May

2008

0 Votes 0

CommerceSNI

That doesn't sound right to me. The clients are not running IIS and what would the SEPM IIS permissions have to do with the client security audit logs...as well as it is not all clients, just some...

May

2008

0 Votes 0

Mohan Ranjith

Yes. I was wrong in the first time.After I disabled the Intrusion prevention policy I didn't get the log for a while. then again i started pouring in the security log.After that I have disabled the Anonymous access in the IIS console and enabled the integrated authentication whichever the server i face the problems. This has stopped all the securtiy logs with event ID 599. Try this in your servers and let me know whether it solved the problem or not?

...Mohan Ranjith

May

2008

0 Votes 0

Mohan Ranjith

Sorry to all. The previous reply from me seems to disable the SEPM console.Try the following to get rid of the error message

In your SEPM Server find out the Application pool that is used for SEPM in IIS console. If you have installed default then select the default pool

Then in the properties of the application pool select the Identity tab. If It usses the Network service as the launch account, then Change that to a custom account of you have in in your AD envirenment or change that to local service.

Above steps stops the logs in all the machines with SEP installed. SEPM works fine. No setting change neede anywhere in the network even in the clients

Mohan

May

2008

0 Votes 0

Dennis Martinez

This is what I got from Symantec Support: I will try what you suggest just to see if it stops the failure audits, but I would rather have Symantec fix their product.
Greetings,

A few other technician and I were able to recreate the event id 599 just by enabling auditing failure in our local Group Polices. So we are currently working to find the reason for this even and I will update you soon.

Sincerely,
Gaelan

Symantec Technical Support
Symantec Corporation

So it seems that they are now seeing what we are experiencing. It is amazing that more users are not seeing this. Maybe they are and they are not reviewing their logs! But this is on our DC's which security auditing is a necessity. On one of the servers that I was getting this error it did not have IIS.

Dennis

May

2008

0 Votes 0

Dennis Martinez

The Domain Controller that I am getting the event 599 does not have IIS enabled. Any ideas??

May

2008

0 Votes 0

CommerceSNI

Im not so sure I would try that last suggested tweek either...I think I will wait for Symantec to come up with something.

I would guess many people do not end up looking at the security logs often enough to see the errors, I found my errors sort of my mistake...and I have not bothered to check the other servers just yet, we have about 15 servers with SEP 11 MR1/MR2 in pilot mode right now...

May

2008

0 Votes 0

CommerceSNI

So on one of our servers that has this 599 error it also crashes or hangs the server's ability to share files and print...oh what fun...

The server is a VM on ESX 3, Windows Server2003 SP2 and the Client was SEP 11.0.2.1567. I had to remove the client, as I can't have these shares disrupted during the day. We ran for a week with SEP disabled and somehow it renabled itself during the day, even though I thought we had it set to not do that. I need to wait for a window where I can restart the server to try a reinstall of SEP client.

I know the server has a few too many shares for a VM so I will have to try to reproduce this behavior in the lab.

May

2008

0 Votes 0

Dennis Martinez

I have heard of the original SEP Release losing network shares. But that was a fix that SEP MR1 fixed. I would open a case with Symantec about this issue. Of course removing the client (registry clean) and re-installing would be the first troubleshooting technique. But if that does not work I would open a ticket with Symantec about this losing network shares.

May

2008

0 Votes 0

CommerceSNI

I want to see if I can reproduce the problem before I call, but yes, I am hoping the re-install does the trick..

Jun

2008

0 Votes 0

JohnDW

I recently installed SEP 11.0.2 on a W2003 DC (that already had SEPM installed) and have started getting hundreds of Event 599 audit failures each day with message:

Unprotection of auditable protected data.
Data Description: CValidateComCaller
Key Identifier: 5b71bfa1-fec3-4311-8806-6d3a40e6aaa2
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: 0xD

I tried setting the default pool to run as Local Service, but that did not solve the problem.

Has anyone found any other fixes for this?

Thanks.

Jun

2008

0 Votes 0

Dennis Martinez

Last I heard from Symantec Support is that they were able to replicate the problem by enabling Audit Failures. So they are still working on a solution. More than likely more customers are experiencing this issue but they are not auditing their logs. Anyways when I hear an update I will submit it to the forum!

Jun

2008

0 Votes 0

Dennis Martinez

I disabled Audit Process Tracking (Failures). This is what the server is catching and seeing the process failed. I enabled this to see if someone was trying to intiate a process on the domain controller with out a propriate permissions. But this error is filling up my log, I disabled this audit and I am no longer getting these event id's!

Jun

2008

0 Votes 0

CommerceSNI

When I get the courage to re-install SEP on my file server that had those errors, I will try that as well.

Jul

2008

0 Votes 0

Ryland

Did anyone get a proper fix from Symantec for this issue yet? I'm getting alot of the errors on a standard Windows 2003 R2 server like this:

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 599
Date:  07-07-2008
Time:  10:16:38
User:  NT AUTHORITY\SYSTEM
Computer: VDM33FS1
Description:
Unprotection of auditable protected data.
  Data Description:  CValidateComCaller
  Key Identifier:  e8132209-2acc-4da3-bf60-cb190f67fb04
  Protected Data Flags: 0x0
  Protection Algorithms: 3DES-168 , SHA1-160
  Failure Reason:  0xD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Jul

2008

0 Votes 0

Dennis Martinez

The solution is to disable Audit Process Tacking (Failures). This is policy set either by a GPO or LGPO. I had this originally set to audit failed process on our domain controller for security reasons. But since Seclu.exe was causing this event id to register i disabled this on my default domain controller policy and I am no longer getting these event id 599. By default this policy is set to not defined. it is not necessary to have it enabled as long as you know what apps should be running on your server and by who should be running it. Hope that helps but at this time that was the only available solution from symantec.

SEP 11 security event id 599 on Domain Controller

Comments

Links

Technical Support

Symantec.com

Store

Community Stats

SEP 11 security event id 599 on Domain Controller

Comments

Would you like to reply?

Links

Technical Support

Symantec.com

Store

Community Stats