JWK
Level 7
Message 1 of 15

Failure Audits in event logs

Hello,

I am seeing the following failures in the security event logs. Has anyone seen these before?

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Description:
Object Open:
Object Server: SC Manager
Object Name: McShield
Primary User Name: ComputeName$
Accesses: Query status of service
Pause or continue of service


and



Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Description:
Server: Security
Privileges: SeTcbPrivilege
14 Replies
tonyb99
Level 13
Message 2 of 15

RE: Failure Audits in event logs

By design, McAfee advise you to ignore this and switch off the warnings!!!!

lol

ERROR: Event ID: 560, Event Type: Failure Audit, Object Name: McShield, errors recorded in the Security Event logs

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=613533&sliceI...
TerryZ
Level 7
Message 3 of 15

Failure Audits

I had this problem. Turns out under the deployment task for VirusScan, I had enabled
Run at every policy enforcement (Windows only)

Turning that off got rid of the audit errors. It was also causing a weird issue where the current window would lose focus every 5 minutes (same as my policy enforcement interval). That issue as well as the audit errors are gone.

I love the fix that McAfee has, turn off audit reporting in event viewer. What a classic McAfee fix.
David.G
Level 7
Message 4 of 15

Re: RE: Failure Audits in event logs

That is unbelievable!!! Even outrageous, that they would dare suggest a "workaround" like that.

I just came across this article since I'm having the same problem, trying to get an agent onto a client, with admin credentials... Now I'm still no further, with no real solution.

I would so love to hear Dave Dewalt explain this one at the next Focus event...

For those wondering where this comes from, here's the content of the KB:

Solution

This is expected behavior. Any user without the necessary privileges will cause these types of errors to be generated and recorded in the Security Event logs.
NOTE: These types of Failure Audit errors are only visible when the Failure audit option is enabled in the Windows Security log properties.

Workaround

In the Security log, disable the ability to display Failure Audit errors:
  1. Launch the Windows Event Viewer.
  2. Right-click Security Log and select Properties.
  3. Click the Filter tab and deselect Failure Audit.
  4. Click Apply, OK.
  5. Close the Event Viewer.

Basically, just hide ALL errors so you don't have to deal with them... Thanks McAfee!

McAfee Employee dmeier
McAfee Employee
Message 5 of 15

Re: RE: Failure Audits in event logs

Clearly the "workaround" isn't ideal, however, what you guys really are looking for is a "fix".  And a fix will have to come from Microsoft, and would likely deal with how auditing interacts with non-admin accounts.

That's how I see the issue, perhaps you guys know something I do not, as it relates to this problem.

- David

David.G
Level 7
Message 6 of 15

Re: RE: Failure Audits in event logs

dmeier wrote:

Clearly the "workaround" isn't ideal, however, what you guys really are looking for is a "fix".  And a fix will have to come from Microsoft, and would likely deal with how auditing interacts with non-admin accounts.

That's how I see the issue, perhaps you guys know something I do not, as it relates to this problem.

- David

Hi David, the fix will not come from Microsoft, as the auditing is not the problem here but rather the fact that McAfee (McShield in this case) is preventing access even to admin accounts; and this even though the Access Protection feature was disabled.

Removing McAfee products completely from the system made the "errors" go away. Now I can successfully proceed with the agent upgrade, a basic action performed on thousands of clients. Why did McShield prevent the Agent upgrade, that will remain a mystery. It's not the first and certainly not the last. It's just unfortunate...

The KB article in this particular case should have suggested a manual reinstall of the product in such a case, instead of just hiding the errors.

Dave.

Message was edited by: David.G on 11/20/09 2:01 PM

Re: RE: Failure Audits in event logs

People need to understand that a security audit log failure/success is not an error.  The workaround simply filters what you are currently looking at.  It does not disable the logging of failure events.

Note to David: Do you have a thread going on your agent upgrade issues?  I have had my share of anything McAfee upgrade experiences and am curious as to what you are referring to.

David.G
Level 7
Message 8 of 15

Re: RE: Failure Audits in event logs

JeffGerard wrote:

People need to understand that a security audit log failure/success is not an error.  The workaround simply filters what you are currently looking at.  It does not disable the logging of failure events.

Note to David: Do you have a thread going on your agent upgrade issues?  I have had my share of anything McAfee upgrade experiences and am curious as to what you are referring to.

Jeff,

I fully agree with your 1st statement about the audit log. It's pointless to claim that filtering them out would qualify as any kind of "workaround".

Anyway, regarding your 2nd question, no I did not open a new thread for the agent upgrade but I did resolve that. In this case, it was an inactive agent handler selected as default for the agent deployment (lab environment).

Dave.

McAfee Employee wwarren
McAfee Employee
Message 9 of 15

Re: RE: Failure Audits in event logs

It is a common programming practice to check for permissions to an object by simply asking for a higher level of access, and handling any error that is returned.

This approach, if audited, results in the id 577 audit log entries when those code-paths are exercised. e.g. opening the VSE console.

The 560 event may be tied to policy enforcement, if policies have changed and require advising McShield to reload a new configuration.

It could be the Vshield icon trying to display the accurate status of the McShield service... it needs to query the service to know if it's running or not.

My first guess though would be a policy change, because it mentions pausing and resuming in the event text - and that's what happens when policies change.

Filtering the events out if you don't want to see them is the only option at this time.

Chances are you want to see them, hence the auditing. But as these examples are expected by the product, the recommendation is to ignore these instances. I think some people will find that impractical, but perhaps there are better tools for filtering the event logs too.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: RE: Failure Audits in event logs

Turns out McAfee recognizes that 1. there is a problem! 2. it's on their part and they need to come up with a real fix for this.

https://kc.mcafee.com/corporate/index?page=content&id=KB67976

All this talk about filtering makes no sense IMHO, as:

1. you cannot filter events at creation time as this is managed by the OS, and while you can choose which category of event to log, you cannot exclude specific event IDs.

2. filtering them out of view is just hiding them and does not address the core problem; which, when you have thousands of those events per day, puts a strain on the system (wasting performance), fills in the Security log file and when set to overwrite as needed, pushes legitimate events out of the log. Even if the log file size is extended, it makes it near impossible to locate events other than the 577 given they are buried in the sea of 577... Native Windows event viewer does not allow the exclusion of events in the filter.

Anyway, pending on the fix release, as usual, can't do anything about it in the meantime.
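
The exclusion filtering discussed in the last few posts, as an added example that is not part of the original thread: it parses a text export of Security events in the "Field: value" layout quoted in the first post, sets aside only the two expected McShield patterns, counts them, and returns every other failure audit for review. The sample records, the `NOISE_RULES` structure and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample export using field names from the events quoted in the
# thread; the third record is a made-up failure audit on a different service.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 560
Object Server: SC Manager
Object Name: McShield
Primary User Name: ComputeName$

Event Type: Failure Audit
Event ID: 577
Privileges: SeTcbPrivilege

Event Type: Failure Audit
Event ID: 560
Object Server: SC Manager
Object Name: Spooler
Primary User Name: jdoe
"""

# Expected-noise rules: every listed field must match exactly. They use only
# the fields visible in the thread, so the 577 rule is broad; add a process or
# account field to it once you know which one your export carries.
NOISE_RULES = [
    {"Event ID": "560", "Object Server": "SC Manager", "Object Name": "McShield"},
    {"Event ID": "577", "Privileges": "SeTcbPrivilege"},
]

def parse_events(text):
    """Split a text export into one dict of fields per event record."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in chunk.splitlines() if ":" in line)
        events.append({k.strip(): v.strip() for k, v in fields.items()})
    return events

def triage(events):
    """Return (events to review, Counter of suppressed noise by event ID)."""
    keep, suppressed = [], Counter()
    for ev in events:
        if any(all(ev.get(k) == v for k, v in rule.items()) for rule in NOISE_RULES):
            suppressed[ev["Event ID"]] += 1
        else:
            keep.append(ev)
    return keep, suppressed
```

Keeping the suppressed counts lets you watch the volume of the expected events over time instead of losing them entirely.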
