Security Audits.



Hello,

I sent the following letter to our Anti-Virus support team, as we are a
continentally established enterprise, with only designated contacts permitted
to get direct vendor support. I believe that this condition has two parts to
it, a vendor side and a Microsoft side. I'm merely looking for anyone who may
have seen this, and might save me some time (and red tape) involved in
regular support for this application. Thanks in advance. See the below:

Hello,



I'm curious if there is any precedent or previous case history involving
Windows security event logs becoming clogged and full of Failure audits of
Event 560. This event seems to be logged eight times simultaneously, all with
the same timestamp, with this trend occurring every 60 seconds or so, some
intervals as short as every 20 seconds. It occurs on each and every
Windows (XP, all service packs) workstation and/or Server (2K, Advanced 2K,
2003) that runs Symantec AntiVirus Corporate version 10.x and up. The
details of these events are as follows:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/18/2006
Time: 3:22:27 PM
User: NT AUTHORITY\SYSTEM
Computer: computer_name
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\USER\.DEFAULT
Handle ID: -
Operation ID: {0,3035375}
Process ID: 1944
Image File Name: C:\WINDOWS\system32\svchost.exe
Primary User Name: computer_name$
Primary Domain: INTERNAL
Primary Logon ID: (0x0,0x3E7)
Client User Name: computer_name$
Client Domain: domain_name
Client Logon ID: (0x0,0x3E7)
Accesses: MAX_ALLOWED
Privileges: -
Restricted Sid Count: 0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

These events stop entirely when the Symantec AntiVirus service ("C:\Program
Files\Symantec AntiVirus\Rtvscan.exe") is stopped. They resume the above
trend when the service is restarted. While not at all a system-down type of
issue, the constantly filling event logs make for more frequent than
necessary log backup/purging routines as well as more processor-intensive
event log queries. Indeed, the bloating of the security logs by Event ID 560
fired by Symantec leaves very little room to manage security logs in a manner
more beneficial to our organization's security concerns.



Assuming that the system isn't "broken", my request is more process-related.
What are the details behind Rtvscan and the above event? How do they relate?
If identified, our systems can be configured to not audit this activity,
dramatically reducing event log size without sacrificing audit warning in
general by globally "saying no" to failure audits.

--
Jonathan Forbes
.
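Before changing audit policy it helps to measure the noise the post describes: how much of the Security log the Event 560 failures consume, how regular the eight-at-once bursts are, and whether they really all share one process/object/access signature. The script below is an added example, not code from the original post or from Symantec or Microsoft. It parses the "Field: value" text form of the event record exactly as pasted above, groups Failure Audit records by timestamp, and tallies the (Image File Name, Object Name, Accesses) combination. The sample records are constructed to mirror the post (two bursts of eight, 60 seconds apart, plus one unrelated success audit); the function names are mine.

```python
"""Triage a flood of Windows Security Event 560 (Object Open) failure audits.

Added example, not part of the original post. Parses the text form of the
event record, exposes the eight-at-once bursts by timestamp, and tallies the
process/object/access combination producing them so an administrator can
quantify the noise before deciding how to tune auditing. All sample records
below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed record template in the same "Field: value" layout as the post.
RECORD_TEMPLATE = """Event Type: {etype}
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/18/2006
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: computer_name
Object Type: Key
Object Name: {obj}
Process ID: 1944
Image File Name: {image}
Primary Logon ID: (0x0,0x3E7)
Accesses: {access}
"""


def _burst(time_str, n=8):
    """Constructed burst: n identical failure audits sharing one timestamp."""
    return [RECORD_TEMPLATE.format(etype="Failure Audit", time=time_str,
                                   obj=r"\REGISTRY\USER\.DEFAULT",
                                   image=r"C:\WINDOWS\system32\svchost.exe",
                                   access="MAX_ALLOWED") for _ in range(n)]


# Constructed sample log: two bursts 60 s apart plus one unrelated success audit.
SAMPLE_LOG = "\n".join(
    _burst("3:22:27 PM") + _burst("3:23:27 PM") +
    [RECORD_TEMPLATE.format(etype="Success Audit", time="3:22:40 PM",
                            obj=r"\REGISTRY\MACHINE\SOFTWARE\Policies",
                            image=r"C:\WINDOWS\explorer.exe",
                            access="READ_CONTROL")]
)

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_events(text):
    """Split text into records (one per 'Event Type:' line); return list of dicts."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # 'Description:' style headers and blank lines carry no field
        key, value = m.group(1), m.group(2).strip()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events


def parse_timestamp(event):
    """Combine the Date and Time fields (US format, 12-hour clock) into a datetime."""
    return datetime.strptime(event["Date"] + " " + event["Time"],
                             "%m/%d/%Y %I:%M:%S %p")


def _is_noise(event, event_id):
    return event.get("Event ID") == event_id and event.get("Event Type") == "Failure Audit"


def failure_bursts(events, event_id="560"):
    """Return {timestamp: count} of failure audits for event_id, ordered by time."""
    counts = Counter(parse_timestamp(e) for e in events if _is_noise(e, event_id))
    return dict(sorted(counts.items()))


def noise_signature(events, event_id="560"):
    """Tally (image, object, accesses) so the exact source of the noise is visible."""
    return Counter((e.get("Image File Name"), e.get("Object Name"), e.get("Accesses"))
                   for e in events if _is_noise(e, event_id))


def triage(text, event_id="560"):
    """Summarise how much of the log the failure audits consume and how regular they are."""
    events = parse_events(text)
    bursts = failure_bursts(events, event_id)
    times = list(bursts)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    noise = sum(bursts.values())
    signature = noise_signature(events, event_id)
    return {
        "total_records": len(events),
        "noise_records": noise,
        "noise_share": noise / len(events) if events else 0.0,
        "burst_sizes": sorted(set(bursts.values())),
        "median_gap_seconds": sorted(gaps)[len(gaps) // 2] if gaps else None,
        "top_signature": signature.most_common(1)[0] if noise else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary reports 16 of 17 records as noise, bursts of exactly eight, a 60-second period, and a single signature (svchost.exe opening \REGISTRY\USER\.DEFAULT with MAX_ALLOWED). Run against a real export, that single signature is what tells you whether the audits can be silenced narrowly, by adjusting the auditing (SACL) entries on that one registry key for that account, rather than by disabling Object Access failure audits across the board as the post worries about.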
