Windows Audit Logging, trying to exclude SEP but no username present in entries
Scenario: Object Audit level logging with Symantec EndPoint Protection being sent to SIEM solution.
Objective: Prevent AV Scans from flooding SIEM
Problem: Windows Audit Policy (auditpol) can exclude based on username but not based on process name. Symantec scans generate security logs but do not have a username associated with them. At scan time, SIEM solution becomes inundated with events from scans.
Sample (notice the User= is BLANK)
<13>Jan 22 12:19:42 HOSTNAME
AgentDevice=WindowsLog
AgentLogFile=Security
PluginVersion=1.0.14
Source=Microsoft-Windows-Security-Auditing
Computer=HOSTNAME.FQDN
User=
Domain=
EventID=4663
EventIDCode=4663
EventType=8
EventCategory=12800
RecordNumber=4917837
TimeGenerated=1358874971
TimeWritten=1358874971
Message=An attempt was made to access an object.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Account Domain: CORP
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\ehome\ehshell.dll
Handle ID: 0x2c0
Process Information:
Process ID: 0xbec
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Access Request Information:
Accesses: WriteAttributes
Access Mask: 0x100
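The thread does not resolve the problem, so here is an added example (not from the poster or Symantec) of the forwarder-side filter that works around auditpol's limitation: parse the agent's key=value header together with the Message body, and drop a 4663 event only when Security ID is SYSTEM and Process Name is the full path of the scanner binary, since the User= field carries nothing. The sample event is constructed from the one in the post (abbreviated), and the lookalike event and the SCANNER_PROCESSES list are assumptions.

```python
import re

# Constructed sample, abbreviated from the event in the post.
SAMPLE_EVENT = r"""<13>Jan 22 12:19:42 HOSTNAME
AgentDevice=WindowsLog
AgentLogFile=Security
User=
EventID=4663
Message=An attempt was made to access an object.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: HOSTNAME$
Object Name: C:\Windows\ehome\ehshell.dll
Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Accesses: WriteAttributes
"""

# Constructed lookalike (assumption): same file name in the wrong location; it must be kept.
LOOKALIKE_EVENT = SAMPLE_EVENT.replace(
    r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe",
    r"C:\Users\Public\Rtvscan.exe")

# Assumed exclusion list: full lower-cased paths, never bare file names.
SCANNER_PROCESSES = {
    r"c:\program files (x86)\symantec\symantec endpoint protection\rtvscan.exe",
}

HEADER = re.compile(r"^(\w+)=(.*)$")       # agent fields such as User=, EventID=
BODY = re.compile(r"^([\w ]+?):\s*(.*)$")  # Message body lines such as Process Name: ...

def parse_event(raw):
    """Flatten header and Message-body fields into one dict; bare section headers are skipped."""
    fields = {}
    for line in raw.splitlines():
        m = HEADER.match(line) or BODY.match(line)
        if m and (m.re is HEADER or m.group(2)):
            fields[m.group(1)] = m.group(2).strip()
    return fields

def is_scanner_noise(fields):
    """True only for SYSTEM-context 4663 events whose Process Name is a listed scanner path."""
    return (fields.get("EventID") == "4663"
            and fields.get("Security ID") == r"NT AUTHORITY\SYSTEM"
            and fields.get("Process Name", "").lower() in SCANNER_PROCESSES)

def filter_events(raw_events):
    """Split events into (kept, dropped) so the dropped volume stays observable."""
    kept, dropped = [], []
    for raw in raw_events:
        fields = parse_event(raw)
        (dropped if is_scanner_noise(fields) else kept).append(fields)
    return kept, dropped
```

Counting what lands in `dropped` (rather than discarding it silently) gives a per-host scan-volume metric and makes a sudden change in the exclusion rate visible.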
What version of SEP are you running?
How many machines is this occurring on?
Was anyone logged in at the time?
SEP 11.0.6.6200.754
Occurring on multiple Windows 7 machines, haven't checked XP.
Users are logged in, haven't checked to see if this happens if they are logged off.