14 Replies Latest reply on Aug 17, 2011 1:36 AM by bostjanc

    Failure Audits in event logs

      Hello,

      I am seeing the following failures in the security event logs. Has anyone seen these before?

      Event Type: Failure Audit
      Event Source: Security
      Event Category: Object Access
      Event ID: 560
      Description:
      Object Open:
      Object Server: SC Manager
      Object Name: McShield
      Primary User Name: ComputeName$
      Accesses: Query status of service
      Pause or continue of service


      and



      Event Type: Failure Audit
      Event Source: Security
      Event Category: Privilege Use
      Event ID: 577
      Description:
      Server: Security
      Privileges: SeTcbPrivilege
        • 1. RE: Failure Audits in event logs
          tonyb99
          By design; McAfee advises to ignore this and switch off the warnings!!!!

          lol

          ERROR: Event ID: 560, Event Type: Failure Audit, Object Name: McShield, errors recorded in the Security Event logs

          https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=613533&sliceId=SAL_Public&dialogID=15052224&stateId=1 0 15048782
          • 2. Failure Audits
            I had this problem. Turns out under the deployment task for VirusScan, I had enabled
            Run at every policy enforcement (Windows only)

            Turning that off got rid of the audit errors. It was also causing a weird issue where the current window would lose focus every 5 minutes (same as my policy enforcement interval). That issue as well as the audit errors are gone.

            I love the fix that McAfee has: turn off audit reporting in Event Viewer. What a classic McAfee fix.
            • 3. Re: RE: Failure Audits in event logs
              David.G

                That is unbelievable!!! Even outrageous, that they would dare suggest a "workaround" like that.

               

              I just came across this article since I'm having the same problem, trying to get an agent onto a client, with admin credentials... Now I'm still no further, with no real solution.

               

              I would so love to hear Dave Dewalt explain this one at the next Focus event...

               

              For those wondering where this comes from, here's the content of the KB:

               

              Solution

              This is expected behavior. Any user without the necessary privileges will cause these types of errors to be generated and recorded in the Security Event logs.
              NOTE: These types of Failure Audit errors are only visible when the Failure audit option is enabled in the Windows Security log properties.

              Workaround

              In the Security log, disable the ability to display Failure Audit errors:
              1. Launch the Windows Event Viewer.
              2. Right-click Security Log and select Properties.
              3. Click the Filter tab and deselect Failure Audit.
              4. Click Apply, OK.
              5. Close the Event Viewer.

              Basically, just hide ALL errors so you don't have to deal with them... Thanks McAfee!

              • 4. Re: RE: Failure Audits in event logs
                dmeier

                Clearly the "workaround" isn't ideal, however, what you guys really are looking for is a "fix".  And a fix will have to come from Microsoft, and would likely deal with how auditing interacts with non-admin accounts.

                 

                That's how I see the issue, perhaps you guys know something I do not, as it relates to this problem.

                 

                - David

                • 5. Re: RE: Failure Audits in event logs
                  David.G

                  dmeier wrote:

                   

                  Clearly the "workaround" isn't ideal, however, what you guys really are looking for is a "fix".  And a fix will have to come from Microsoft, and would likely deal with how auditing interacts with non-admin accounts.

                   

                  That's how I see the issue, perhaps you guys know something I do not, as it relates to this problem.

                   

                  - David

                   

                  Hi David, the fix will not come from Microsoft, as the auditing is not the problem here but rather the fact that McAfee (McShield in this case) is preventing access even to admin accounts, and this even though the Access Protection feature was disabled.

                   

                  Removing McAfee products completely from the system made the "errors" go away. Now I can successfully proceed with the agent upgrade, a basic action performed on thousands of clients. Why McShield prevented the Agent upgrade will remain a mystery. It's not the first and certainly not the last. It's just unfortunate...

                   

                  The KB article in this particular case should have suggested a manual reinstall of the product in such a case, instead of just hiding the errors.

                   

                  Dave.

                   

                   

                  Message was edited by: David.G on 11/20/09 2:01 PM
                  • 6. Re: RE: Failure Audits in event logs
                    JeffGerard

                    People need to understand that a security audit log failure/success is not an error.  The workaround simply filters what you are currently looking at.  It does not disable the logging of failure events.

                     

                    Note to David: Do you have a thread going on your agent upgrade issues?  I have had my share of anything McAfee upgrade experiences and am curious as to what you are referring to.

                    • 7. Re: RE: Failure Audits in event logs
                      David.G

                      JeffGerard wrote:

                       

                      People need to understand that a security audit log failure/success is not an error.  The workaround simply filters what you are currently looking at.  It does not disable the logging of failure events.

                       

                      Note to David: Do you have a thread going on your agent upgrade issues?  I have had my share of anything McAfee upgrade experiences and am curious as to what you are referring to.

                       

                      Jeff,

                       

                      I fully agree with your 1st statement about the audit log. It's pointless to claim that filtering them out would qualify as any kind of "workaround".

                      Anyway, regarding your 2nd question, no I did not open a new thread for the agent upgrade but I did resolve that. In this case, it was an inactive agent handler selected as default for the agent deployment (lab environment).

                       

                      Dave.

                      • 8. Re: RE: Failure Audits in event logs
                        wwarren

                        It is a common programming practice to check for permissions to an object by simply asking for a higher level of access, and handling any error that is returned.

                        This approach, if audited, results in the ID 577 audit log entries when those code paths are exercised, e.g. opening the VSE console.

                         

                        The 560 event may be tied to policy enforcement, if policies have changed and require advising McShield to reload a new configuration.

                        It could be the Vshield icon trying to display the accurate status of the McShield service... it needs to query the service to know if it's running or not.

                        My first guess though would be a policy change, because it mentions pausing and resuming in the event text - and that's what happens when policies change.

                         

                        Filtering the events out if you don't want to see them is the only option at this time.

                        Chances are you want to see them, hence the auditing. But as these examples are expected by the product, the recommendation is to ignore these instances. I think some people will find that impractical, but perhaps there are better tools for filtering the event logs too.
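                        The post above describes the two patterns as expected product behaviour, and the KB's answer is to hide every Failure Audit. An alternative a practitioner can script is to suppress only those two patterns and keep every other failure audit for review. The following is an added example, not code from the thread or from McAfee; the log text is constructed to match the two events quoted at the top of the thread plus two look-alikes, the user names (WS01$, jsmith) are invented, and restricting suppression to machine-account principals (the "ComputeName$" form shown in the 560 event) is an assumption, since the 577 excerpt in the thread omits the user name.

```python
"""Targeted triage of Windows Security failure audits (added example).

Suppresses only the 560/577 patterns the thread attributes to McShield;
everything else stays on the review list, unlike the KB's viewer filter.
"""
from dataclasses import dataclass, field

# Constructed sample, not from the thread: the two quoted patterns raised by
# the machine account, then two look-alikes from a human user (jsmith) that
# must NOT be suppressed.  Only the fields the rules need are kept.
SAMPLE_LOG = """\
Event ID: 560
Object Server: SC Manager
Object Name: McShield
Primary User Name: WS01$
Accesses: Query status of service
Pause or continue of service

Event ID: 577
Server: Security
Privileges: SeTcbPrivilege
Primary User Name: WS01$

Event ID: 560
Object Server: SC Manager
Object Name: McShield
Primary User Name: jsmith
Accesses: Stop service

Event ID: 577
Server: Security
Privileges: SeDebugPrivilege
Primary User Name: jsmith
"""

# Access rights listed in the thread's 560 event; anything beyond these
# (e.g. "Stop service") is not the described behaviour.
EXPECTED_SC_ACCESSES = {"Query status of service", "Pause or continue of service"}


@dataclass
class AuditEvent:
    fields: dict = field(default_factory=dict)    # "Key: value" lines
    accesses: list = field(default_factory=list)  # multi-line "Accesses:" list

    @property
    def event_id(self) -> int:
        return int(self.fields.get("Event ID", "0"))

    @property
    def user(self) -> str:
        return self.fields.get("Primary User Name", "")


def parse_events(text: str) -> list:
    """Split classic (pre-Vista) event text into records.

    Records are separated by a blank line.  "Accesses:" is the only
    multi-line field: a line with no colon continues the current list.
    """
    events = []
    for chunk in text.strip().split("\n\n"):
        ev, last_key = AuditEvent(), None
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                if last_key == "Accesses":
                    ev.accesses.append(line.strip())
                continue
            key, value = key.strip(), value.strip()
            if key == "Accesses":
                ev.accesses.append(value)
            else:
                ev.fields[key] = value
            last_key = key
        events.append(ev)
    return events


def is_expected_mcshield_noise(ev: AuditEvent) -> bool:
    """The two patterns the thread describes as expected product behaviour.

    Assumption: suppress them only when raised by the machine account (the
    "ComputeName$" principal in the thread).  A human user failing the same
    access or privilege is still escalated.
    """
    machine_account = ev.user.endswith("$")
    if ev.event_id == 560:
        return (machine_account
                and ev.fields.get("Object Server") == "SC Manager"
                and ev.fields.get("Object Name") == "McShield"
                and bool(ev.accesses)
                and set(ev.accesses) <= EXPECTED_SC_ACCESSES)
    if ev.event_id == 577:
        return (machine_account
                and ev.fields.get("Server") == "Security"
                and ev.fields.get("Privileges") == "SeTcbPrivilege")
    return False


def triage(text: str):
    """Return (suppressed, escalated) lists of AuditEvent."""
    suppressed, escalated = [], []
    for ev in parse_events(text):
        (suppressed if is_expected_mcshield_noise(ev) else escalated).append(ev)
    return suppressed, escalated


if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_LOG)
    print(f"suppressed {len(quiet)} expected McShield audit(s)")
    for ev in loud:
        print("REVIEW:", ev.event_id, ev.user, ev.fields, ev.accesses)
```

                        The rules are deliberately narrow: a 560 on McShield that asks for anything beyond query/pause-continue, or a 577 from an interactive user, stays visible. On Windows Vista and later the same two audits surface as event IDs 4656 (handle to an object requested) and 4673 (privileged service called), so the ID checks would need those values there.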

                        • 9. Re: RE: Failure Audits in event logs
                          David.G

                          Turns out McAfee recognizes that 1. there is a problem! 2. it's on their part and they need to come up with a real fix for this.

                           

                          https://kc.mcafee.com/corporate/index?page=content&id=KB67976

                           

                          All this talk about filtering makes no sense IMHO, as:

                          1. you cannot filter events at creation time as this is managed by the OS, and while you can choose which category of event to log, you cannot exclude specific event IDs.

                          2. filtering them out of view is just hiding them and does not address the core problem; which, when you have thousands of those events per day, puts a strain on the system (wasting performance), fills the Security log file and, when set to overwrite as needed, pushes legitimate events out of the log. Even if the log file size is extended, it makes it near impossible to locate events other than the 577 given they are buried in the sea of 577... Native Windows Event Viewer does not allow the exclusion of events in the filter.

                           

                          Anyway, pending on the fix release, as usual, can't do anything about it in the meantime.
