
Sophos generating tons of "Audit Failures" on Windows 2008

On a few Windows 2008 servers I run Sophos gives Audit Failure errors like this:

Computer: Security   Source: Microsoft-Windows-Security-Auditing   User: Audit Failure
Message: A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: XXXXXXXXXXX$
Account Domain: XXX
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\csrss.exe
Handle ID: 0x0
Process Information:
Process ID: 0xb4
Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE
ReadAttributes
WriteAttributes

Access Reasons: SYNCHRONIZE: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Not granted

Access Mask: 0x100180
Privileges Used for Access Check: SeBackupPrivilege
Restricted SID Count: 0

The files Sophos is trying to access besides csrss.exe are services.exe, netstat.exe, taskeng.exe, cmd.exe (the last two are most common). Does anyone else have such a problem? Any idea why it is happening?

The events are occurring at random intervals from 5 to 30 minutes, no tasks are scheduled to run with such frequency.

Thanks 



  • Ok, some additional info. 

    On Windows 2008 all system files have auditing for Everyone group enabled on them. The list of actions for auditing is:

    • create files/write data
    • create folders/append data
    • write attributes
    • write extended attributes
    • change permissions
    • take ownership

    Apparently Sophos tries to write attributes (what attributes!?) and triggers the auditing events.

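One way to see which objects and which requested access rights are producing these 4656 "handle requested" audit failures, and which SACL entries on those files make the kernel audit them (an added example, not code from this thread or from Sophos; PowerShell run elevated on the affected server, since reading SACLs needs SeSecurityPrivilege; the SavService.exe filter is an assumption taken from the event quoted above):

```powershell
# Added example (not from the thread): summarise Security event 4656 audit
# failures per object and denied access, then show the SACL of each object.
# Assumes PowerShell 2.0+ on Windows Server 2008, run as an administrator.
param(
    [int]$MaxEvents = 5000,
    [string]$ProcessFilter = 'SavService.exe'   # assumption: process named in the thread
)

function Get-MessageField([string]$Message, [string]$Name) {
    # Pull one "Name: value" line out of the event's message text.
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Name)):\s*([^\r\n]+)")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

# 4656 = "A handle to an object was requested"; 0x10000000000000 is the
# Audit Failure keyword, so successful handle requests are not returned.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4656; Keywords = [long]0x10000000000000
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $proc = Get-MessageField $e.Message 'Process Name'
    if (-not $proc -or $proc -notlike "*\$ProcessFilter") { continue }
    # The accesses the SACL flagged: "Not granted" in the Access Reasons block.
    $denied = [regex]::Matches($e.Message, '(\w+):\s+Not granted') |
        ForEach-Object { $_.Groups[1].Value }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Object  = Get-MessageField $e.Message 'Object Name'
        Process = $proc
        Denied  = ($denied -join ',')
        Privs   = Get-MessageField $e.Message 'Privileges Used for Access Check'
    }
}

"=== Audit failures by object / denied access (process: $ProcessFilter) ==="
$rows | Group-Object Object, Denied | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"=== SACL audit entries on the objects involved ==="
$rows | Select-Object -ExpandProperty Object -Unique | ForEach-Object {
    $path = $_
    try {
        (Get-Acl -Path $path -Audit).Audit |
            Select-Object @{n='Path';e={$path}}, IdentityReference, FileSystemRights, AuditFlags
    } catch { Write-Warning "Cannot read SACL of ${path}: $_" }
} | Format-Table -AutoSize
```

Comparing the Denied column (WriteAttributes in the quoted event) with the FileSystemRights of the Everyone audit entry shows exactly which SACL rule fires, which is the information needed before deciding whether to narrow that rule rather than disable handle auditing altogether.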
  • Same problem here.  For me, these events are being logged on a  remote domain (e.g. customer's domain) that is being managed by my infrastructure.

    Hopefully this thread is being monitored by someone in Sophos support and they can provide a solution.

    I have seen we can disable specific "handle" auditing, but that is not treating the symptom.

  • Hi Plumbum and Soph123,

    I'm sorry to see there hasn't been a reply to this thread. I'm trying to get a reply for you ASAP. Watch this space.

    Cheers,

    spike

  • I was about to answer soph123's post when I saw spike's reply.

    Nonetheless I want to point out that IMHO the forum is not a replacement for support (among other duties I'm responsible for a small support group). I have no intention to second-guess spike or Sophos - but in particular I would not expect that the forum is being monitored for "individual issues" (I know this should be posted in the About forum but ...).

    A support process is (or should be) clearly defined. There is a requester, a person who is or represents a customer. A support process has probably an (internal) SLA assigned which is tracked. At the end there has to be an accepted outcome. The forum is more or less anonymous - if someone monitoring the forum decides that a case has to be opened these data are not available. 

    It starts with the requester - when do you decide to open a case and for whom? One case? Several? Although the symptoms might be similar there could be different causes. At which point would you "split" the case? Quite complicated. 

    So don't be shy of calling or mailing support (and there's no extra cost involved) especially if you think your problem is serious.

    As to the audit failures: I have no idea what's happening :smileywink: just a few thoughts.

    Out of curiosity I tried to find out when Sophos tries to write attributes. It does not during on-access scan, but a right-click scan causes the Last Accessed date to be updated (and this is immediately preceded by a request for a handle with Read, Write and Synchronize). But I haven't tested on a 2008.

    The selection of files for which this happens is somewhat strange - especially cmd and netstat. But I refrain from guessing what this could be. Sysinternals' Process Monitor might help identifying what's accessing one of these (besides SavService).

    Christian

  • Following on from soph123's and QC's posts, I would strongly recommend raising this as a support query via www.sophos.com/support/query where we will be able to investigate this in more detail.

  • I tried to create a support request, but the submission form is not working. It always gives:

    Not implemented

    Your web browser has attempted to perform a function not currently supported by this web server. 

    Request ID: pUfnQAopBAUAABitjnkAAAAs

    I tried to submit the request in multiple browsers (IE8, Firefox, Safari) to the same result. I reported the problem on the feedback form, which is still working.

  • Tried that to the same effect in Safari and IE8.

  • We have not received any other reports of this behaviour. Can you please clear the Safari and IE 8 browsing cache, then try:

    http://www.sophos.com/support/queries/enterprise.html

    and click on the Email us now! link.

    If issues persist, please follow the recommendations in the customer checklist article and email support@sophos.com

    http://www.sophos.com/support/knowledgebase/article/14682.html

  • Hi,

    Was there ever any response from support on this? We're seeing these audit failures in particular relating to the file C:\Windows\System32\wshom.ocx.

    Obviously we could probably reduce the audit configuration for that file but as this is a fairly sensitive file it doesn't seem wise.

    The affected product is Sophos Protection Suite running Windows 2008 SP2 with SAV 10.0.10 VDL4.85G

    cc_inf
