Hi Guys,
I am using a Microsoft Server 2003 for hosting a asp application in .NET framework 1.1. My application was working perfectly until I was using McAfee VisrusScan Enterprise with patch 1. Once I installed patch 2 for the McAfee, My application started giving 500 - Internal error. When I checked the security log, I found there are several entries for Audit failure. Below is the Event details -
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 04/12/2013
Time: 19:42:07
User: SERVER_NAME\IUSR_XXXXX
Computer: Server Name
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20131015112835.dll
Handle ID: -
Operation ID: {0,762633334}
Process ID: 5036
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: IWAM_XXXXX
Primary Domain: Server Name
Primary Logon ID: (0x0,0x2A609C9F)
Client User Name: IUSR_XXXXX
Client Domain: Server Name
Client Logon ID: (0x0,0x2D73A2ED)
Accesses: SYNCHRONIZE
Execute/Traverse
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100020
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Temporary solution: When I am adding IUSR_XXXXX and IWAM_XXXXX to Administrator group, application started working. But this not the feasible solution. Could you please help me if there is any permanent solution.
Looking for permanent solution with less risk involvement
Thanks in advance.
Message was edited by: nandkrlohar on 12/5/13 1:47:34 PM CSTHi there,
I'm moving your post to the VSE space so it can get answered. Thanks!!
Moved from Community Interface Feedback where there is no product support at all, provisionally to VSE for best support.
If the question is "Why am I getting this Audit Failure event?"
The answer is "Because you enabled logging for failures to access objects".
If the question is "Why is the failure to access this object occurring?", that can't be answered from the Event itself. You'll want to provide more detail around how the event is generated, what action is being taken and by whom, what privileges that account has.
The event may be (and is most likely) expected.
Hi Team,
Forgot to update the McAfee details -
VirsuScan Enterprise + AntiSpayware Enterprise 8.8
Scan Engin Version (32 bit) : 5600.1067
DAT Version : 7279.0000
Installed Patches : 2
Thanks.
Hi wwarren,
Thanks for the reply, My question is how to fix the issue permanently because my application stopped working. But if I am providing Administrator access to these 2 user, it is working , but this is not feasible solution. I want to return to original permission and also application should work. This started imediatly after the patch update.
Thanks,
You probably want to talk to someone in Support, so you can better describe the issue and get the details. Info like:
What the application is, what is it supposed to do?
What action it performs (or tries to perform) that triggers the event; i.e. what fails?
What are _all_ the symptoms of failure? As you say, the application stopped working... how do you know it stopped working? What was supposed to happen?
It works if the User is an admin? That's important to know.
It would be unfortunate to learn that previous versions worked because we were perpetuating a security flaw, and that in the later release we squished it which now exhibits as a failure for you and this application that may have depended on such a flaw. That would be unfortunate because there's no way we'd agree to reopening a security flaw. You might instead be forced into making some difficult choices, like disabling certain product functionality (ScriptScan, in this case).
This is all conjecture 'til the real details can be discovered. That's why I think you should walk with someone in our Support team to figure out those details.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA