3 Replies Latest reply on Jun 10, 2010 8:00 AM by Attila Polinger

    Failed Login Alerts

      We are currently rolling out new registers to our stores across the country and we are receiving failed login alerts from our HIDS agents.  We receive approximately 50,000 alerts daily and it is growing every time a new register is brought on.  The registers are using 8.5i with Patch 8.  Here is what I have done so far:


      • Upgraded to McAfee 8.7i Patch 3 from 8.5i Patch 8
        • Worked for 172.21.147.227 but not 172.21.148.3
      • Upgraded the EPO agent to 4.5
      • Rebooted the affected lab registers
      • Uninstalled and reinstalled McAfee completely
        • Performed this on 172.21.147.227 and reverted back to 8.5i Patch 8; it still does not appear on the report
        • Not sure if this would be an easy task to perform on the production registers; if this can even be accomplished
      • Checked the registry key on 5 different production registers to ensure that the Agent GUIDs are different; they are
      • They are all on Windows XP SP3
      • The definitions are being updated
      • The framework service was disabled at one point and the affected register did not appear on the report


      I do not think uninstalling and reinstalling McAfee is an option.  Does anyone have any idea what may be causing this?  I read that Patch 4 for 8.7i resolves a similar issue and may be the end resolution for us.

        • 1. Re: Failed Login Alerts
          Attila Polinger

          Hi,


          excuse me, would you provide specifics on what a HIDS agent is? Could we see a sample of this alert?


          Attila

          • 2. Re: Failed Login Alerts

            HIDS stands for Host Intrusion Detection System.  We use a Symantec product for this.  There are agents that report back to our HIDS server based on policies we have in place; one of them is to track failed logins.  Ever since we started to deploy our new registers with McAfee 8.5i Patch 8, we started to receive these messages.  I have tried numerous things (see the original post), and it works sporadically.  I am sure that if we completely uninstall McAfee and reinstall it, that may resolve the issue.  We have deployed over 200 registers across the nation and this would not be a simple task to do.  Attached is a sample of what we are seeing in our HIDS logs.


            SIG=System_Failed_Access_Status_5.2.Logon_Failure; Logon Failure: Reason: An error occurred during logon  User Name:  Domain:  Logon Type: 3  Logon Process: Kerberos  Authentication Package: Kerberos  Workstation Name: -  Status code: 0xC000006D  Substatus code: 0xC0000133  Caller User Name: -  Caller Domain: -  Caller Logon ID: -  Caller Process ID: -  Transited Services: -  Source Network Address: <IP Address>  Source Port: 0


            We did trace this issue back to either the ePO Agent or McAfee itself, because when we disable the Framework service the message goes away.  Note: I removed the IP address of the workstation.

            • 3. Re: Failed Login Alerts
              Attila Polinger

              Hi,


              I can think of an antivirus update or mirror task running daily (perhaps several times). When you said you were receiving 50 thousand alerts, are these from around the same time, or are these from different times of day?


              Could you check one affected client for these tasks' schedule?


              Attila
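
As an added example for the two posts above (it is not code from either poster, nor from Symantec or McAfee): a small Python parser for the alert layout posted in reply 2 that decodes the Status/Substatus fields into their standard Windows NTSTATUS names (the sample's 0xC000006D / 0xC0000133 pair decodes to STATUS_LOGON_FAILURE / STATUS_TIME_DIFFERENCE_AT_DC) and then buckets alerts by source address and by hour of day, which is the timing question asked in reply 3. The "YYYY-MM-DD HH:MM:SS host" prefix on each line, the fixed-width wrapping that breaks mid-token, and the sample records are all assumptions or constructed data; the only addresses used are the two lab registers named in the original post.

```python
"""Decode and bucket Windows logon-failure alerts from a HIDS export.

Added example for this thread, not code from the posters or their vendors.
Assumed: each exported alert starts with "YYYY-MM-DD HH:MM:SS host " and
the field names after SIG= follow the sample posted in the thread.
"""
import re
from collections import Counter

# Standard Windows NTSTATUS values found in the Status/Substatus fields of a
# logon-failure audit record.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2}")
FIELD_RE = re.compile(
    r"(Logon Type|Logon Process|Status code|Substatus code|Source Network Address):\s*(\S+)"
)


def unwrap(raw):
    """The export wraps at a fixed width and breaks inside tokens ('0xC00000' / '6D'),
    so join physical lines with no separator, then collapse whitespace runs."""
    return " ".join("".join(raw.splitlines()).split())


def parse_alert(raw):
    """Fields of one logon-failure alert, or None for any other signature."""
    text = unwrap(raw)
    if "Logon_Failure" not in text:
        return None
    ts = TS_RE.match(text)
    f = dict(FIELD_RE.findall(text))
    status = int(f.get("Status code", "0"), 16)
    sub = int(f.get("Substatus code", "0"), 16)
    return {
        "day": ts.group(1) if ts else None,
        "hour": int(ts.group(2)) if ts else None,
        "source": f.get("Source Network Address", "-"),
        "logon_type": f.get("Logon Type", "-"),
        "logon_process": f.get("Logon Process", "-"),
        "status": NTSTATUS.get(status, hex(status)),
        "substatus": NTSTATUS.get(sub, hex(sub)),
    }


def summarize(raw_lines):
    """Count alerts by decoded reason, by source address and by hour of day."""
    alerts = [a for a in map(parse_alert, raw_lines) if a]
    return {
        "total": len(alerts),
        "by_reason": Counter((a["status"], a["substatus"]) for a in alerts),
        "by_source": Counter(a["source"] for a in alerts),
        "by_hour": Counter(a["hour"] for a in alerts),
    }


def peak_hour_share(summary):
    """Share of alerts in the busiest hour: near 1.0 suggests a scheduled
    task, near 1/24 suggests something running all day."""
    if not summary["total"]:
        return 0.0
    return max(summary["by_hour"].values()) / summary["total"]


def _alert(ts, status, sub, src):
    """Constructed record in the layout of the thread's sample (not real data)."""
    return (
        f"{ts} REG SIG=System_Failed_Access_Status_5.2.Logon_Failure; Logon Failure: "
        f"Reason: An error occurred during logon User Name: Domain: Logon Type: 3 "
        f"Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - "
        f"Status code: {status} Substatus code: {sub} Caller User Name: - Caller Domain: - "
        f"Caller Logon ID: - Caller Process ID: - Transited Services: - "
        f"Source Network Address: {src} Source Port: 0"
    )


# Constructed sample: a burst at 03:00 plus one stray wrong-password event.
SAMPLE_LOG = [
    _alert("2010-06-09 03:00:11", "0xC000006D", "0xC0000133", "172.21.148.3"),
    _alert("2010-06-09 03:00:12", "0xC000006D", "0xC0000133", "172.21.148.3"),
    _alert("2010-06-09 03:02:05", "0xC000006D", "0xC0000133", "172.21.148.3"),
    _alert("2010-06-09 03:02:06", "0xC000006D", "0xC0000133", "172.21.147.227"),
    _alert("2010-06-09 14:22:30", "0xC000006D", "0xC000006A", "172.21.147.227"),
    "2010-06-09 14:25:00 REG SIG=System_Failed_Access_Status_5.2.Other; not a logon failure",
]

# The same record wrapped the way the thread's sample was (breaks mid-token).
WRAPPED_SAMPLE = "\n".join([
    "2010-06-09 03:00:11 REG SIG=System_Failed_Access_Status_5.2.Logon_Failure; Logon Fai",
    "lure: Reason: An error occurred during logon User Name: Do",
    "main: Logon Type: 3 Logon Process: Kerberos Authentication",
    "Package: Kerberos Workstation Name: - Status code: 0xC00000",
    "6D Substatus code: 0xC0000133 Caller User Name: - Caller Dom",
    "ain: - Caller Logon ID: - Caller Process ID: - Transited Ser",
    "vices: - Source Network Address: 172.21.148.3 Source Port:",
    "0",
])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for reason, n in s["by_reason"].most_common():
        print(n, *reason)
    print("busiest hour carries %.0f%% of alerts" % (100 * peak_hour_share(s)))
```

Feed the real export to summarize() one record at a time; a by_hour histogram dominated by one or two buckets is the signature of a scheduled job rather than of something running continuously, and by_reason separates clock-skew rejections from bad-password or locked-account noise before anyone starts reinstalling agents.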