1 Reply Latest reply on Jul 29, 2011 7:41 AM by Attila Polinger

    Connecting machines AV account being locked out

    Isagel

      This is an unusual one.

       

      I have an antivirus account originating from ePO that continuously attempts to log on to some connected machines and locks the account out.  The domain controller is filled with audit failures due to this account's attempts to log in.  This is happening on machines only in a certain group in ePO.  

       

      Maybe the ePO agent or VSE software is attempting the logon, or maybe it's an invalid password somewhere.  Anyone have any idea?

       

      Event Type:            Failure Audit

      Event Source:         Security

      Event Category:      Logon/Logoff

      Event ID: 539

      Date:                       7/13/2011

      Time:                       11:43:07 AM

      User:                       NT AUTHORITY\SYSTEM

      Computer:               CADXX ST01

      Description:

      Logon Failure:

                     Reason:                  Account locked out

                     User Name:            svc_antivirus

                     Domain: 

                     Logon Type:            2

                     Logon Process:      Advapi 

                      Authentication Package:        MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

                     Workstation Name: CADXXST01

                     Caller User Name: CADXXST01$

                     Caller Domain:       ACWCA

                     Caller Logon ID:     (0x0,0x3E7)

                     Caller Process ID: 4568

                     Transited Services: -

                     Source Network Address:      -

                     Source Port:            -

      -------------------------------------------------------------------------------- -----------------------------------------------

       

      Event Type:            Failure Audit

      Event Source:         Security

      Event Category:      Account Logon

      Event ID: 680

      Date:                       7/13/2011

      Time:                       11:43:06 AM

      User:                       NT AUTHORITY\SYSTEM

      Computer:               CADXXST01

      Description:

      Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

      Logon account:      svc_antivirus

      Source Workstation:              CADXX ST01

      Error Code:            0xC0000064

       

       

        • 1. Re: Connecting machines AV account being locked out
          Attila Polinger

          Hello,

           

          some ideas:

           

          - a server task attempting to install agent onto computers - with wrong credentials

          - An RSD automated task with the same purpose and cause

          - some distributed repository that could not be disabled in some McAfee Agent policy and some computers use the invalid account defined for this repository (we had this issue and the cause was invalid characters in the repo name)

          - Some frequent update task with wrong credentials, see inheritance of the same in the system tree.

           

          I hope I could help. Actually if the account failure audit messages are way too frequent, that might be other than ePO/above.

           

          Attila
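
An added example, not part of the original thread and not McAfee or ePO code: a Python script that parses events exported in the text layout shown in the question, groups the 539/680 failures by workstation and account, and decodes the logon type and NTSTATUS error code. The sample events are constructed; the host name HOST01 and the function names `parse_events` and `triage` are assumptions made for the example.

```python
import re

# Documented NTSTATUS codes and logon types seen in 539/680 failure audits.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}
# Constructed sample export (HOST01 is a made-up host name).
SAMPLE = """\
Event Type: Failure Audit
Event ID: 539
User Name: svc_antivirus
Logon Type: 2
Workstation Name: HOST01
Caller Process ID: 4568
----------------------------------------
Event Type: Failure Audit
Event ID: 680
Logon account: svc_antivirus
Source Workstation: HOST01
Error Code: 0xC0000064
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    # One dict per event; an "Event Type" line starts a new record.
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):  # skips separators
        if m.group(1) == "Event Type" or not events:
            events.append({})
        events[-1][m.group(1)] = m.group(2)
    return events

def triage(events):
    # Per (workstation, account): lockout count, caller PIDs, logon types, status codes.
    found = {}
    for e in events:
        if e.get("Event ID") not in ("539", "680"):
            continue
        host = e.get("Workstation Name") or e.get("Source Workstation")
        f = found.setdefault((host, e.get("User Name") or e.get("Logon account")),
                             {"lockouts": 0, "pids": set(), "types": set(), "status": set()})
        if e["Event ID"] == "539":
            f["lockouts"] += 1
            f["pids"].add(int(e["Caller Process ID"]))
            f["types"].add(LOGON_TYPES.get(int(e["Logon Type"]), e["Logon Type"]))
        else:  # 680: decode the hex NTSTATUS value
            f["status"].add(NTSTATUS.get(int(e["Error Code"], 16), e["Error Code"]))
    return found
```

The collected Caller Process ID is a PID on the workstation that logged the event, so it can be matched against the running processes there to see which service or task is submitting the credentials.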