Endpoint Protection

SEP 12.1.4013.4013.105

Server 2012/2012R2

Incessant Audit Failures rec'd on all my servers.  It seems as if I get them mulitple times per minute...each and every minute...every day...after day...after day...

Does anyone have an update or a fix on this issue?  The only thing I've found is the following KB:

www .symantec. com/business/support/index?page=content&id=TECH212361

The only suggestion is to turn off auditing.  This is not an option for us and I need to know if there is a fix or will it be fixed in the next itteration of SEP?

Still not published...why does it take so long?!

it has been well over 24hrs since I created this thread...WHY WILL IT NOT PUBLISH?!

I have this same audit event appearing on several systems and am interested in a fix as well as opposed to a workaround.

Wow...this actually got posted...it took forever for it to get posted.  I still have yet to find anything out on this except for that link I originally posted.  Not very happy about this issue to say the least.

Any update to this request?  I am also experiencing a very large number of recorded events and I'd like to know why this executable is causing so many failures and audit logs.

All I hear are the crickets of dispair on this topic...

:(

Have either of you checked in with Symantec support on this to verify?

I contacted support and got the following response:

The defect linked on this knowledge article is still being looked into.  It hasn’t stemmed from any validated security concerns at this time.  It is known by our developers and Microsoft.

I will continue to research this when my engineering contacts are back in tomorrow, however here is some more information for you.

The image name for the service SepMasterService  is now ccSvcHst.exe. Realtime Scan functionality is now provided by the service.  Note that there are multiple ccSvcHst.exe instances running on your computer. The SepMasterService service requires one instance (System) , and an additional instance is required for each user session (username).

Event ID 4673 is called “Sensitive Privilege Use” and is tracked by the policy “Audit Privilege Use” which you must have enabled in your environment.

“SeTcbPrivilege” means “To Act as Part of the Operating System”

It is likely happening every time the service is called and is operating as designed as far as SEP is concerned.  This will likely be a Microsoft fix.  Our developers are working with them on this issue.  

Thanks for the info smakovits

Is there any date for us to follow up over this issue? Can we have some more information about it to contact Microsoft and try to push it a bit?

That was all the information I received from support, but I can certainly ping them again

I did a quick check into this for you. It looks like we're tracking (tentatively) a change to significantly reduce the number of these events in Symantec Endpoint Protection 12.1 Release Update 5 (RU5). The change to how we do these checks should remove the event from showing up every minute, but there will still be times you'll see this event in logs. Opening the client UI would be an example of when you will this event going forward, but the per minute checks should be gone now.

Hope that helps!

Looks like it has been fixed in 12.1.5

http://www.symantec.com/business/support/index?page=content&id=TECH224706

Windows security log contains multiple entries for ccsvchst.exe Event ID 4673

Fix ID: 3403807

Symptom: After you enable an audit security settings policy, ccSvcHst.exe logs multiple warnings with Event ID 4673 in Windows security event logs.

Solution: Modified the product to use a security identifier (SID) to check for process permissions.

I am still seeing this on machines running 12.1.5. Our SIEM collects thousands of these a day from each machine. Has anyone else noticed this still being an issue?

I did not turn off the rule to drop that message. I will try to disable and see if the issue persist.

I'll be moving to upgrade to 12.1.5 soon.  Hopefully it does take care of the issue.

I also see this on our machines running 12.1.5.  Symantec says it was fixed with this version according to this article http://www.symantec.com/business/support/index?page=content&id=TECH224706 but events still occuring on ours.

Does anyone have info to add to this thread that may help?

Are you running any type of agents on your servers? I am experiencing the same symptoms but only when a specific agent is running on the network. Just curious as our security team is certain the issue is with this specific product, not the AV or other agents we have running.

Do you run a logging agent or whitelisting agent?

It seems I'm still getting these with 12.1.5337.5000.105 but this time it is saying it is the following file:

A privileged service was called. Subject: Security ID: S-1-5-21-656508280-552086760-267785383-500 Account Name: DomainAccount Account Domain: Domain Logon ID: 0x49412182 Service: Server: Security Service Name: - Process: Process ID: 0x1640 Process Name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\SymCorpUI.exe Service Request Information: Privileges: SeTcbPrivilege

Just to add to this old thread, just updated a system to 12.1.6168.6000.105 and I am still seeing this issue. We have rebooted a couple times and no change. I am seeing 4 entries every minute.

A privileged service was called.

Subject:
    Security ID:        DOMAIN\UserID
    Account Name:        UserID
    Account Domain:        DOMAIN
    Logon ID:        0x6ced97

Service:
    Server:    Security
    Service Name:    -

Process:
    Process ID:    0xed4
    Process Name:    C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe

Service Request Information:
    Privileges:        SeTcbPrivilege

Good to know I'm not the only one and nothing seems to have changed or been fixed...

Well running process explorer, you can see a parent ccSvcHost.exe running as the SYSTEM account and a spawned child process that runs with the access token of the current logged in user.  Only the SYSTEM account as the SeTcbPrivlege rights which is the thread control block access.  Why can't this second spawned process just run as SYSTEM too?  It should be able to access the tcb of user threads I would imagine.

I have this problem, too!

I have a  Windows Server 2008 R2 RDS, about 50 concurrent users on it, I get 5000+ eventid 4673 audit failures records per hour.  These records are really annoying.

Good afternoon.
This problem is not solved.

sep 12.1.6 MP1

I have a server admin that is logged into a server and has the same issue which also locks out his domain account. so we need a fix.

Those with Symantec Busines Critical Support would've received this today:

Issue –  Event viewer is flooded with Event ID 4673
Description – Customer using RU6 SEP client is facing issues with Multiple events showing up in Event Viewer with ID 4673.
Status – Issue will be fixed in RU6MP4 version.

Funny thing, Symantec now believes this issue only exists in RU6 code, yet this thread is years old and focused on RU4 era code. Clearly this is how old the defect is.

This Issue is still prolonging in 2023. We see False positive alerts. Sensitive Privilege Use - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.7388.4000.105\Bin\ccSvcHst.exe

<quillbot-extension-portal></quillbot-extension-portal>