On a few Windows 2008 servers I run, Sophos gives Audit Failure errors like this:
Computer: Security Source: Microsoft-Windows-Security-Auditing User: Audit Failure
Message: A handle to an object was requested.
Subject:
    Security ID: S-1-5-18
    Account Name: XXXXXXXXXXX$
    Account Domain: XXX
    Logon ID: 0x3e7
Object:
    Object Server: Security
    Object Type: File
    Object Name: C:\Windows\System32\csrss.exe
    Handle ID: 0x0
Process Information:
    Process ID: 0xb4
    Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: SYNCHRONIZE
              ReadAttributes
              WriteAttributes
    Access Reasons: SYNCHRONIZE: Unknown or unchecked
                    ReadAttributes: Unknown or unchecked
                    WriteAttributes: Not granted
    Access Mask: 0x100180
    Privileges Used for Access Check: SeBackupPrivilege
    Restricted SID Count: 0
The files Sophos is trying to access besides csrss.exe are services.exe, netstat.exe, taskeng.exe, cmd.exe (the last two are most common). Does anyone else have this problem? Any idea why it is happening?
The events are occurring at random intervals from 5 to 30 minutes; no tasks are scheduled to run with such frequency.
Thanks
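For reading events like the one above, this added Python example (not part of the original post, and not Sophos or Microsoft code) decodes the Access Mask against the standard file access-right bit values and reports which requested right the Access Reasons block marks as not granted. The function names and the trimmed sample text are assumptions made for illustration.

```python
import re

# File and standard access-right bits (winnt.h values), short names (assumed table).
FILE_RIGHTS = {
    0x000001: "ReadData", 0x000002: "WriteData", 0x000004: "AppendData",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYS_SEC",
}

# Sample input: fields copied from the event quoted in the post, trimmed.
SAMPLE_EVENT = """\
Object Name: C:\\Windows\\System32\\csrss.exe
Process Name: C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe
Accesses: SYNCHRONIZE
ReadAttributes
WriteAttributes
Access Reasons: SYNCHRONIZE: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Not granted
Access Mask: 0x100180
Privileges Used for Access Check: SeBackupPrivilege
"""

def decode_mask(mask):
    """Return (names of known bits set, leftover bits not in the table)."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)  # keys are distinct bits, so sum == OR
    return names, unknown

def triage(event_text):
    """Summarise one handle-request failure: requester, object, failed right."""
    def field(label):
        m = re.search(rf"^\s*{re.escape(label)}:\s*(.+)$", event_text, re.M)
        return m.group(1).strip() if m else None

    mask = int(field("Access Mask"), 16)
    requested, unknown = decode_mask(mask)
    # The reasons block runs from "Access Reasons:" up to "Access Mask:".
    block = re.search(r"Access Reasons:(.*?)^\s*Access Mask:", event_text, re.S | re.M)
    reasons = dict(re.findall(r"(\w+):\s*([^\n]+)", block.group(1) if block else ""))
    denied = [r for r in requested if reasons.get(r) == "Not granted"]
    return {"object": field("Object Name"), "process": field("Process Name"),
            "requested": requested, "unknown_bits": unknown, "denied": denied}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

For the quoted event, the mask 0x100180 decomposes into ReadAttributes, WriteAttributes and SYNCHRONIZE, and WriteAttributes is the only right reported as not granted.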