
Windows Audit Logging, trying to exclude SEP but no username present in entries

Created: 22 Jan 2013 | 2 comments

Scenario: Object Audit level logging with Symantec Endpoint Protection being sent to SIEM solution.

Objective: Prevent AV Scans from flooding SIEM

Problem: Windows Audit Policy (auditpol) can exclude based on username but not based on process name. Symantec scans generate security logs but do not have a username associated with them. At scan time, SIEM solution becomes inundated with events from scans.


Sample (notice the User= field is BLANK):

<13>Jan 22 12:19:42 HOSTNAME
AgentDevice=WindowsLog
AgentLogFile=Security
PluginVersion=1.0.14
Source=Microsoft-Windows-Security-Auditing
Computer=HOSTNAME.FQDN
User=
Domain=
EventID=4663
EventIDCode=4663
EventType=8
EventCategory=12800
RecordNumber=4917837
TimeGenerated=1358874971
TimeWritten=1358874971
Message=An attempt was made to access an object.
Subject:
  Security ID:  NT AUTHORITY\SYSTEM
  Account Name:  HOSTNAME$
  Account Domain:  CORP
  Logon ID:  0x3e7
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\Windows\ehome\ehshell.dll
  Handle ID: 0x2c0
Process Information:
  Process ID: 0xbec
  Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Access Request Information:
  Accesses: WriteAttributes
  Access Mask: 0x100
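Because auditpol has no process-name exclusion and the collector's User= field is empty for these events, the one selector that does identify the scan traffic is the Process Name inside the event message. The following is an added example (not code from the original post, from Symantec, or from the SIEM vendor) of a collector-side pre-filter that parses the key=value record layout shown above and drops object-access events whose process is the SEP scanner, while keeping other SYSTEM-context file access visible. The scanner path and both sample records are assumptions constructed from the post.

```python
"""Collector-side suppression of SEP scan noise in Windows object-access events.

Added example, not from the original post or from Symantec. Parses the
key=value record layout shown in the post and drops Object Access audit events
whose Process Name is the SEP scanner; everything else is forwarded unchanged.
"""

# Assumption: the scanner path seen in the post. A 64-bit install lives under a
# different Program Files directory, so add that path here as well.
SEP_SCAN_PROCESSES = {
    r"c:\program files (x86)\symantec\symantec endpoint protection\rtvscan.exe",
}

# Object Access audit events a full scan generates in volume
# (handle requested / handle closed / object accessed).
OBJECT_ACCESS_EVENTS = {"4656", "4658", "4663"}

# Constructed sample: the record from the post, one field per line.
SEP_EVENT = r"""<13>Jan 22 12:19:42 HOSTNAME
AgentDevice=WindowsLog
AgentLogFile=Security
Source=Microsoft-Windows-Security-Auditing
Computer=HOSTNAME.FQDN
User=
Domain=
EventID=4663
Message=An attempt was made to access an object.
Subject:
Security ID:  NT AUTHORITY\SYSTEM
Account Name:  HOSTNAME$
Account Domain:  CORP
Logon ID:  0x3e7
Object:
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Accesses: WriteAttributes
Access Mask: 0x100
"""

# Constructed sample: same account context (SYSTEM, blank User=) but a
# different process; this one must NOT be suppressed.
SVCHOST_EVENT = r"""<13>Jan 22 12:20:01 HOSTNAME
AgentLogFile=Security
User=
EventID=4663
Message=An attempt was made to access an object.
Security ID:  NT AUTHORITY\SYSTEM
Account Name:  HOSTNAME$
Object Name: C:\Windows\Temp\example.log
Process Name: C:\Windows\System32\svchost.exe
Accesses: WriteData
"""


def parse_event(record: str) -> dict:
    """Flatten one collector record into a dict.

    Header fields are 'Key=Value'; the Windows message body uses 'Key: Value'
    lines. Section headers such as 'Subject:' and empty values such as 'User='
    are left out, so a missing key means the field was blank.
    """
    fields = {}
    for line in record.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):  # syslog priority/header line
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        elif ":" in line:
            key, value = line.split(":", 1)  # first colon only: paths keep 'C:\'
        else:
            continue
        key, value = key.strip(), value.strip()
        if value:
            fields[key] = value
    return fields


def is_sep_scan_noise(fields: dict) -> bool:
    """True when the event is Object Access noise from the SEP scanner.

    Matching on the process path rather than on the blank User field keeps
    other SYSTEM-context file access (services, scheduled tasks) in the SIEM.
    """
    if fields.get("EventID") not in OBJECT_ACCESS_EVENTS:
        return False
    return fields.get("Process Name", "").lower() in SEP_SCAN_PROCESSES


def filter_records(records):
    """Return (records to forward, number suppressed).

    The suppressed count is worth graphing: a sudden change in scan volume,
    or scan noise from an unexpected path, is itself something to look at.
    """
    forwarded, suppressed = [], 0
    for rec in records:
        if is_sep_scan_noise(parse_event(rec)):
            suppressed += 1
        else:
            forwarded.append(rec)
    return forwarded, suppressed


if __name__ == "__main__":
    kept, dropped = filter_records([SEP_EVENT, SVCHOST_EVENT])
    print(f"forwarded {len(kept)} event(s), suppressed {dropped}")
```

The filter keys on the full, lower-cased scanner path rather than on the bare file name, so a binary named Rtvscan.exe dropped somewhere else on disk is still forwarded; if the fleet mixes 32- and 64-bit installs, both install paths belong in SEP_SCAN_PROCESSES.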

Comments (2)

.Brian:

What version of SEP are you running?

How many machines is this occurring on?

Was anyone logged in at the time?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

jasonatsymconnect:

SEP 11.0.6.6200.754

Occurring on multiple Windows 7 machines, haven't checked XP.

Users are logged in, haven't checked to see if this happens if they are logged off.