cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
nandkrlohar
nandkrlohar
Level 7
Report Inappropriate Content
Message 1 of 7
‎12-05-2013 11:46 AM

Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

Hi Guys,

     I am using a Microsoft Server 2003 for hosting a asp application in .NET framework 1.1. My application was working perfectly until I was using McAfee VisrusScan Enterprise with patch 1. Once I installed patch 2 for the McAfee, My application started giving 500 - Internal error. When I checked the security log, I found there are several entries for Audit failure. Below is the Event details -

Event Type:          Failure Audit

Event Source:          Security

Event Category:          Object Access

Event ID:          560

Date:           04/12/2013

Time:           19:42:07

User:           SERVER_NAME\IUSR_XXXXX

Computer:          Server Name

Description:

Object Open:

           Object Server:          Security

           Object Type:          File

           Object Name:          C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20131015112835.dll

           Handle ID:          -

           Operation ID:          {0,762633334}

           Process ID:          5036

           Image File Name:          C:\WINDOWS\system32\inetsrv\w3wp.exe

           Primary User Name:          IWAM_XXXXX

           Primary Domain:          Server Name

           Primary Logon ID:          (0x0,0x2A609C9F)

           Client User Name:          IUSR_XXXXX

           Client Domain:          Server Name

           Client Logon ID:          (0x0,0x2D73A2ED)

           Accesses:          SYNCHRONIZE

Execute/Traverse

           Privileges:          -

           Restricted Sid Count:          0

           Access Mask:          0x100020

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Temporary solution: When I am adding IUSR_XXXXX and  IWAM_XXXXX to Administrator group, application started working. But this not the feasible solution. Could you please help me if there is any permanent solution.

Looking for permanent solution with less risk involvement

Thanks in advance.

Message was edited by: nandkrlohar on 12/5/13 1:47:34 PM CST
0 Kudos
Reply
6 Replies
SPyron
SPyron
Level 12
Report Inappropriate Content
Message 2 of 7
‎12-05-2013 11:51 AM

Re: Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

Hi there,

   I'm moving your post to the VSE space so it can get answered. Thanks!!

Somer L. Pyron
Knowledge Analyst
ServicePortal: support.mcafee.com
Web: www.mcafee.com
0 Kudos
Reply
exbrit
Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 3 of 7
‎12-05-2013 11:52 AM

Re: Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

Moved from Community Interface Feedback where there is no product support at all, provisionally to VSE for best support.

0 Kudos
Reply
wwarren
McAfee Employee wwarren
McAfee Employee
Report Inappropriate Content
Message 4 of 7
‎12-05-2013 12:02 PM

Re: Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

If the question is "Why am I getting this Audit Failure event?"

The answer is "Because you enabled logging for failures to access objects".

If the question is "Why is the failure to access this object occurring?", that can't be answered from the Event itself. You'll want to provide more detail around how the event is generated, what action is being taken and by whom, what privileges that account has.

The event may be (and is most likely) expected.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
0 Kudos
Reply
nandkrlohar
nandkrlohar
Level 7
Report Inappropriate Content
Message 5 of 7
‎12-05-2013 12:03 PM

Re: Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

Hi Team,

Forgot to update the McAfee details -

     VirsuScan Enterprise + AntiSpayware Enterprise 8.8

     Scan Engin Version (32 bit) : 5600.1067

     DAT Version : 7279.0000

     Installed Patches : 2

Thanks.

0 Kudos
Reply
nandkrlohar
nandkrlohar
Level 7
Report Inappropriate Content
Message 6 of 7
‎12-05-2013 12:13 PM

Re: Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

Hi wwarren,

     Thanks for the reply, My question is how to fix the issue permanently because my application stopped working. But if I am providing Administrator access to these 2 user, it is working , but this is not feasible solution. I want to return to original permission and also application should work.  This started imediatly after the patch update.

Thanks,

0 Kudos
Reply
wwarren
McAfee Employee wwarren
McAfee Employee
Report Inappropriate Content
Message 7 of 7
‎12-05-2013 12:29 PM

Re: Failure Audit-Event ID : 560 -Object Name:C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn

You probably want to talk to someone in Support, so you can better describe the issue and get the details. Info like:

What the application is, what is it supposed to do?

What action it performs (or tries to perform) that triggers the event; i.e. what fails?

What are _all_ the symptoms of failure? As you say, the application stopped working... how do you know it stopped working? What was supposed to happen?

It works if the User is an admin? That's important to know.

It would be unfortunate to learn that previous versions worked because we were perpetuating a security flaw, and that in the later release we squished it which now exhibits as a failure for you and this application that may have depended on such a flaw. That would be unfortunate because there's no way we'd agree to reopening a security flaw. You might instead be forced into making some difficult choices, like disabling certain product functionality (ScriptScan, in this case).

This is all conjecture 'til the real details can be discovered. That's why I think you should walk with someone in our Support team to figure out those details.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
0 Kudos
Reply
More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

      • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center