3 Replies Latest reply on Jul 20, 2015 5:52 PM by washingj77

    HIPS Failed Logon Attempt (Windows)


      I’m pretty new to McAfee technology in reference to ePO and HIPS, so please excuse the lack of detail. I’m currently working with a server that has ePO 4.6 installed on it and, to keep things simple, I have a Windows 7 system with HIPS installed on it that is managed by the ePO server.


      I was looking for a signature in the IPS rules on the ePO server that could track failed login attempts on my managed system, which I did find, but the signature (954) is one of the signatures in the default policy that doesn’t show the expert rules associated with that particular signature. This signature does not trigger no matter what setting (Severity) I set it at, and I’m not sure what the problem would be.


      Currently, I’m just looking for anyone who has a custom signature that can track failed logon attempts on Windows hosts and, if possible, Linux hosts?

        • 1. Re: HIPS Failed Logon Attempt (Windows)
          Kary Tankink

          HIPS 7.0 and 8.0 do not have this functionality.  Signature 954 does not apply to HIPS 7 or 8; older HIPS versions (6.x) are EOL.

          General Signature Description

          (Refer to KB article 51504 for details about supported platforms.) This event indicates a failed logon attempt. This could be the result of a brute force password-guessing attempt. Note: Signature is not applicable to Host IPS 7.0 and above. 

          References: CVE-1999-0575 

          • 2. Re: HIPS Failed Logon Attempt (Windows)
            Kary Tankink

            McAfee Solidcore (Application and Change Control) can perform this function though with the UAT-MON module and Event IDs below.



            KB76990 - User LOGON / LOGOFF events are not reported for Change Control 5.x and 6.x


            KB81141 - ePolicy Orchestrator Event IDs for Application and Change Control (Solidcore)

            20789: User Logged On (Info)

            20790: User Logon Failed (Info)

            20791: User Logged Off (Info)

            20792: User Account Created (Info)

            20793: User Account Deleted (Info)

            20794: User Account Modified (Info)


            Solidcore Help FAQ from ePO Console:

            Why am I not receiving the events for user account activity for an endpoint?

            User account activity is not tracked by default for endpoints. To track operations for user accounts, you must enable this feature specifically on endpoints where Change Control is deployed and enabled. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

            In addition, you must make sure that the Audit Policy is configured on the Windows operating system to allow generation of user activity events.

            To successfully track user account activity for an endpoint, verify the Audit Policy configuration for the endpoint.

            1. Navigate to Control Panel | Administrative Tools.
            2. Double-click Local Security Policy.
            3. Select Local Policies | Audit Policy.
            4. Double-click the Audit account logon events policy.
            5. Select Success and Failure, then click OK.
            6. Repeat steps 4 and 5 for the Audit account management and Audit logon events policies.     
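
The audit settings from steps 1 to 6 can also be checked from the command line with the built-in auditpol.exe. The script below is an added example, not part of the reply above or of McAfee's documentation; it assumes an elevated PowerShell prompt on the endpoint and an English-language Windows installation (auditpol's category names and setting strings are localized).

```powershell
# Added example: confirm that the three audit policies from the steps above
# record both Success and Failure, using the effective settings from auditpol.
# Assumptions: elevated prompt; English-language Windows.

# Local Security Policy entry -> matching auditpol category name
$policies = @(
    @{ Policy = 'Audit account logon events'; Category = 'Account Logon' },
    @{ Policy = 'Audit account management';   Category = 'Account Management' },
    @{ Policy = 'Audit logon events';         Category = 'Logon/Logoff' }
)

$gaps = foreach ($p in $policies) {
    # /r prints CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $raw = & auditpol.exe /get "/category:$($p.Category)" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed for '$($p.Category)' (is the prompt elevated?)"
    }

    $raw | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv |
        # Keep only subcategories that are missing Success, Failure, or both
        Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' } |
        Select-Object @{ n = 'Policy';    e = { $p.Policy } },
                      Subcategory,
                      @{ n = 'Effective'; e = { $_.'Inclusion Setting' } }
}

if ($gaps) {
    $gaps | Format-Table -AutoSize
    Write-Warning 'Some subcategories do not audit both Success and Failure.'
} else {
    'All three policies audit Success and Failure.'
}
```

An empty result means every subcategory under the three policies generates both success and failure events; any row listed shows a subcategory whose effective setting differs, for example because a domain GPO overrides the local policy.
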
            • 3. Re: HIPS Failed Logon Attempt (Windows)

              Thank you so much for your time and valuable information.  I’m on track now.


              Take Care,