Endpoint Protection

  • 1.  Windows Audit Logging, trying to exclude SEP but no username present in entries

    Posted Jan 22, 2013 02:32 PM

    Scenario: Object Audit level logging with Symantec EndPoint Protection being sent to SIEM solution.

    Objective: Prevent AV Scans from flooding SIEM

    Problem:  Windows Audit Policy (auditpol) can exclude based on username but not based on process name.  Symantec scans generate security logs but do not have a username associated with them.  At scan time, SIEM solution becomes inundated with events from scans.

     

    Sample (notice the User= is BLANK)

    <13>Jan 22 12:19:42 HOSTNAME
    AgentDevice=WindowsLog
    AgentLogFile=Security
    PluginVersion=1.0.14
    Source=Microsoft-Windows-Security-Auditing
    Computer=HOSTNAME.FQDN
    User=
    Domain=
    EventID=4663
    EventIDCode=4663
    EventType=8
    EventCategory=12800
    RecordNumber=4917837
    TimeGenerated=1358874971
    TimeWritten=1358874971
    Message=An attempt was made to access an object.
    Subject:
    Security ID:  NT AUTHORITY\SYSTEM
    Account Name:  HOSTNAME$
    Account Domain:  CORP
    Logon ID:  0x3e7
    Object:
    Object Server: Security
    Object Type: File
    Object Name: C:\Windows\ehome\ehshell.dll
    Handle ID: 0x2c0
    Process Information:
    Process ID: 0xbec
    Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    Access Request Information:
    Accesses: WriteAttributes
    Access Mask: 0x100


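    The filtering the post asks for, done at the collector instead of in auditpol, as an added example that is not part of the original post and not Symantec's code: it parses the agent's key=value layout quoted above, lifts `Process Name` out of the message body, and drops 4663 events whose process is Rtvscan.exe regardless of the blank `User=` field. The two sample events are constructed (the first is trimmed from the post's own sample), and the exclusion list, the second event's user and paths, and the function names are assumptions.

```python
"""Drop SEP scanner 4663 audits at the collector, keyed on the Process Name in
the message body rather than on the blank User= field.

Added example, not from the original post or from Symantec; the event layout
mimics the agent output quoted in the thread. The exclusion list, the sample
events and the function names are assumptions made for illustration.
"""
import re

# Assumed exclusion list; matched case-insensitively against the full path.
EXCLUDED_PROCESSES = {
    r"c:\program files (x86)\symantec\symantec endpoint protection\rtvscan.exe",
}
FILTERED_EVENT_IDS = {"4663"}   # only object-access audits are filtered

_KV_RE = re.compile(r"^(?P<key>[A-Za-z]+)=(?P<value>.*)$")
_MSG_FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.+)$")


def parse_event(raw: str) -> dict[str, str]:
    """Flatten one agent event: top-level Key=Value lines become keys, the
    syslog header is skipped, and the 'Name: value' lines after Message= are
    stored as 'msg.<Name>' (e.g. 'msg.Process Name', 'msg.Security ID')."""
    fields: dict[str, str] = {}
    in_message = False
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if not in_message:
            m = _KV_RE.match(line)
            if not m:                   # e.g. "<13>Jan 22 12:19:42 HOSTNAME"
                continue
            key, value = m.group("key"), m.group("value").strip()
            fields[key] = value
            in_message = key == "Message"
            continue
        f = _MSG_FIELD_RE.match(line)   # "Subject:" with no value is skipped
        if f:
            fields["msg." + f.group("key").strip()] = f.group("value").strip()
    return fields


def should_forward(event: dict[str, str]) -> bool:
    """True if the event goes to the SIEM. The top-level User= field is
    deliberately ignored: it is blank for these events, so the process path
    inside the message body is the only usable discriminator."""
    if event.get("EventID") not in FILTERED_EVENT_IDS:
        return True
    return event.get("msg.Process Name", "").lower() not in EXCLUDED_PROCESSES


def filter_events(raw_events: list[str]) -> tuple[list[dict[str, str]], int]:
    """Parse and filter a batch; returns (events to forward, number dropped)."""
    forwarded, dropped = [], 0
    for raw in raw_events:
        event = parse_event(raw)
        if should_forward(event):
            forwarded.append(event)
        else:
            dropped += 1
    return forwarded, dropped


# Constructed sample, trimmed from the event quoted in the post (the scanner).
SEP_EVENT = r"""<13>Jan 22 12:19:42 HOSTNAME
User=
Domain=
EventID=4663
Message=An attempt was made to access an object.
Subject:
Security ID:  NT AUTHORITY\SYSTEM
Account Name:  HOSTNAME$
Object Name: C:\Windows\ehome\ehshell.dll
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Accesses: WriteAttributes
"""

# Constructed sample: same shape, an interactive user's process; must be kept.
USER_EVENT = r"""<13>Jan 22 12:20:01 HOSTNAME
User=jdoe
Domain=CORP
EventID=4663
Message=An attempt was made to access an object.
Subject:
Security ID:  CORP\jdoe
Account Name:  jdoe
Object Name: C:\Users\jdoe\Documents\budget.xlsx
Process Name: C:\Windows\System32\notepad.exe
Accesses: WriteData (or AddFile)
"""

if __name__ == "__main__":
    kept, dropped = filter_events([SEP_EVENT, USER_EVENT])
    print(f"forwarded={len(kept)} dropped={dropped}")
    for ev in kept:
        print(ev["EventID"], ev["User"], ev["msg.Process Name"])
```

    Two caveats for anyone deploying this shape of filter: it only cuts what the SIEM ingests, not what Windows writes to the Security log or what the agent ships across the network, so if the agent itself can filter on message content the same rule belongs there; and it keys on the path string alone, so it should be scoped to 4663 (as here) rather than to every event the scanner touches, or a process that merely shares that path would also go dark.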

  • 2.  RE: Windows Audit Logging, trying to exclude SEP but no username present in entries

    Posted Jan 22, 2013 02:34 PM

    What version of SEP are you running?

    How many machines is this occurring on?

    Was anyone logged in at the time?



  • 3.  RE: Windows Audit Logging, trying to exclude SEP but no username present in entries

    Posted Jan 22, 2013 03:31 PM

    SEP 11.0.6.6200.754

    Occurring on multiple Windows 7 machines, haven't checked XP.

    Users are logged in, haven't checked to see if this happens if they are logged off.