Excuse me, would you provide specifics on what a HIDS agent is? Could we see a sample of this alert?
HIDS stands for Host Intrusion Detection System. We use a Symantec product for this. There are agents that report back to our HIDS server based on policies we have in place; one of them is to track failed logins. Ever since we started to deploy our new registers with McAfee 8.5i Patch 8, we started to receive these messages. I have tried numerous things (see the original post), and it works sporadically. I am sure if we completely uninstall McAfee and reinstall it, that may resolve the issue. We have deployed over 200 registers across the nation and this would not be a simple task to do. Attached is a sample of what we are seeing in our HIDS logs.
SIG=System_Failed_Access_Status_5.2.Logon_Failure; Logon Failure: Reason: An error occurred during logon User Name: Domain: Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Status code: 0xC000006D Substatus code: 0xC0000133 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: <IP Address> Source Port:
We did trace this issue back to either the EPO Agent or McAfee itself because when we disable the Framework service, the message goes away. Note: I removed the IP Address of the workstation.
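For triaging alerts of this form in bulk, a small parser can split the labelled fields and translate the status codes into their NTSTATUS names. This is an added example, not part of the thread or of the Symantec or McAfee products; the function names and the one-line form of the alert are assumptions, and the name table covers only a few common logon-failure codes.

```python
import re

# Common logon-failure NTSTATUS values with their documented Microsoft names.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Field labels as they appear in the alert text from the thread.
LABELS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Status code",
          "Substatus code", "Caller User Name", "Caller Domain",
          "Caller Logon ID", "Caller Process ID", "Transited Services",
          "Source Network Address", "Source Port"]
# Longest labels first so "Caller User Name" is not split at "User Name".
LABEL_RE = re.compile("(%s):" % "|".join(
    re.escape(l) for l in sorted(LABELS, key=len, reverse=True)))
# The alert from the thread on one line (address redacted as in the post).
SAMPLE = ("SIG=System_Failed_Access_Status_5.2.Logon_Failure; Logon Failure: "
          "Reason: An error occurred during logon User Name: Domain: "
          "Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos "
          "Workstation Name: - Status code: 0xC000006D Substatus code: 0xC0000133 "
          "Caller User Name: - Caller Domain: - Caller Logon ID: - "
          "Caller Process ID: - Transited Services: - "
          "Source Network Address: <IP Address> Source Port:")

def parse_alert(line):
    """Split one alert into {label: value}; blank values stay empty strings."""
    sig, _, body = line.partition(";")
    fields = {"SIG": sig.split("=", 1)[-1].strip()}
    hits = list(LABEL_RE.finditer(body))
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(body)
        fields[cur.group(1)] = body[cur.end():end].strip()
    return fields

def status_name(code):
    try:
        return NTSTATUS.get(int(code, 16), "unknown (%s)" % code)
    except (TypeError, ValueError):
        return None  # field missing, blank or "-"

def triage(line):
    f = parse_alert(line)
    return {"logon_type": f.get("Logon Type"), "user": f.get("User Name") or None,
            "status": status_name(f.get("Status code")),
            "substatus": status_name(f.get("Substatus code"))}
```

Calling `triage(SAMPLE)` returns the logon type, the user (None when blank) and the decoded status and substatus names for the alert shown above.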
I can think of antivirus updates or a mirror task running daily (perhaps several times). When you said you were receiving 50 thousand alerts, are these from around the same time, or are these from different times of the day?
Could you check one affected client for these tasks' schedules?