1 Reply Latest reply on May 10, 2012 6:20 AM by sbenedix

    Server generating Failure audit events

      Hi guys, can you please help with the issue below. The server has many hundreds of security audit failures in the event log.

      McShield

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          McShield
          Handle ID:            -
          Operation ID:         {0,1828642420}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      Mfevtp

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          mfevtp
          Handle ID:            -
          Operation ID:         {0,1828641730}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      Mfetdi2k

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          mfetdi2k
          Handle ID:            -
          Operation ID:         {0,1828641727}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      Mfehidk

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          mfehidk
          Handle ID:            -
          Operation ID:         {0,1828641724}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      Mfebopk

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          mfebopk
          Handle ID:            -
          Operation ID:         {0,1828641721}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      Mfeavfk

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          mfeavfk
          Handle ID:            -
          Operation ID:         {0,1828641718}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      Mfeapfk

      Object Open:
          Object Server:        SC Manager
          Object Type:          SERVICE OBJECT
          Object Name:          mfeapfk
          Handle ID:            -
          Operation ID:         {0,1828641715}
          Process ID:           488
          Image File Name:      C:\WINDOWS\system32\services.exe
          Primary User Name:    AHSVSUN1$
          Primary Domain:       ENIAUSTRALIA
          Primary Logon ID:     (0x0,0x3E7)
          Client User Name:     AHSVSUN1$
          Client Domain:        ENIAUSTRALIA
          Client Logon ID:      (0x0,0x3E7)
          Accesses:             DELETE
                                Query service configuration information
                                Set service configuration information
                                Query status of service
                                Enumerate dependencies of service
                                Start the service
                                Stop the service
                                Pause or continue the service
                                Query information from service
                                Issue service-specific control commands
          Privileges:           SeTakeOwnershipPrivilege
          Restricted Sid Count: 0
          Access Mask:          0x101FF

      According to the above logs, please investigate why McAfee is generating security logs.
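As an added example (not part of the original thread), a small Python triage helper for records like the ones quoted above: it parses one multi-line "Object Open" record, decodes the Access Mask 0x101FF into the Win32 service access rights (the winsvc.h SERVICE_* bits plus the standard DELETE right, 0x10000), checks that the decoded bits match the Accesses list the auditor printed, and flags requests made by services.exe in the LocalSystem logon session (0x3E7). The sample record is a constructed, trimmed copy of the McShield entry; the field names and layout are taken from the quoted events.

```python
# Service access rights (winsvc.h) plus DELETE, named as the Windows 2003 audit log prints them.
ACCESS_BITS = {
    0x00001: "Query service configuration information",
    0x00002: "Set service configuration information",
    0x00004: "Query status of service",
    0x00008: "Enumerate dependencies of service",
    0x00010: "Start the service",
    0x00020: "Stop the service",
    0x00040: "Pause or continue the service",
    0x00080: "Query information from service",
    0x00100: "Issue service-specific control commands",
    0x10000: "DELETE",
}
def parse_object_open(text):
    """Parse one multi-line 'Object Open' record into {field: [values]}."""
    rec, key = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        head, sep, tail = line.partition(":")
        if sep and head.replace(" ", "").isalpha():  # a "Field Name: value" line
            key, rec[head] = head, [tail.strip()] if tail.strip() else []
        elif key:                                     # continuation of a list field
            rec[key].append(line)
    return rec
def triage(rec):
    """Decode the mask, cross-check the Accesses list, flag SCM requests made as LocalSystem."""
    mask = int(rec["Access Mask"][0], 16)
    return {
        "service": rec["Object Name"][0],
        "mask_matches_accesses": sorted(n for b, n in ACCESS_BITS.items() if mask & b)
                                 == sorted(rec["Accesses"]),
        "scm_as_system": (rec["Image File Name"][0].lower().endswith("services.exe")
                          and rec["Client Logon ID"][0] == "(0x0,0x3E7)"),
    }

SAMPLE = """Object Open:
  Object Name: McShield
  Image File Name: C:\\WINDOWS\\system32\\services.exe
  Client Logon ID: (0x0,0x3E7)
  Accesses: DELETE
    Query service configuration information
    Set service configuration information
    Query status of service
    Enumerate dependencies of service
    Start the service
    Stop the service
    Pause or continue the service
    Query information from service
    Issue service-specific control commands
  Access Mask: 0x101FF
"""  # constructed copy of the McShield record above, trimmed to the fields used
```

0x101FF decodes to exactly the ten rights the auditor lists, i.e. SERVICE_ALL_ACCESS (0xF01FF) without READ_CONTROL, WRITE_DAC and WRITE_OWNER. A record whose mask and Accesses list disagree would return mask_matches_accesses False, which is worth a second look.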

        • 1. Re: Server generating Failure audit events
          sbenedix

          Looks like services.exe is trying to acquire certain privileges and fails, or am I interpreting the output wrong? Do you get corresponding entries (time-wise) in the Access Protection log file?

          Are these audit events required or enabled by default? (I doubt it.) McAfee does not generate audit events, the OS does; that's my understanding at least :-).

          It may well work as intended, as no other entity is allowed to tinker with the MFE services and Access Protection will prevent access for any (non-MFE) service/program.

           

          My 0.02 cent.