
Sophos generating tons of "Audit Failures" on Windows 2008

On a few Windows 2008 servers I run, Sophos gives Audit Failure errors like this:

Computer: Security   Source: Microsoft-Windows-Security-Auditing   User: Audit Failure
Message: A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: XXXXXXXXXXX$
Account Domain: XXX
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\csrss.exe
Handle ID: 0x0
Process Information:
Process ID: 0xb4
Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE
ReadAttributes
WriteAttributes

Access Reasons: SYNCHRONIZE: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Not granted

Access Mask: 0x100180
Privileges Used for Access Check: SeBackupPrivilege
Restricted SID Count: 0

The files Sophos is trying to access besides csrss.exe are services.exe, netstat.exe, taskeng.exe and cmd.exe (the last two are the most common). Does anyone else have such a problem? Any idea why it is happening?

The events are occurring at random intervals from 5 to 30 minutes, no tasks are scheduled to run with such frequency.

Thanks 

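The record above is one Event ID 4656 entry; to see the whole pattern (which process asks for which rights on which file, and how often) it helps to pull every 4656 audit failure from the Security log and decode the AccessMask field. The following is an added example, not code from the original post or from Sophos: the function names and the sample timestamp are mine, and it assumes Get-WinEvent is available (PowerShell 2.0 on Windows Server 2008) and that it runs from an elevated prompt. The embedded sample event is constructed to mirror the record in the post so the decoding can be tried offline.

```powershell
# Added example (not from the original post or from Sophos): list Event ID 4656
# ("A handle to an object was requested") audit failures, decode AccessMask, and
# summarise process / object / rights with the average interval between hits.
# Assumes Get-WinEvent (PowerShell 2.0+) and an elevated prompt.

# Access-right bits as they appear in the 4656 AccessMask field for File objects.
$script:FileAccessBits = @{
    0x00000001 = 'ReadData';    0x00000002 = 'WriteData';      0x00000004 = 'AppendData'
    0x00000008 = 'ReadEA';      0x00000010 = 'WriteEA';        0x00000020 = 'Execute'
    0x00000040 = 'DeleteChild'; 0x00000080 = 'ReadAttributes'; 0x00000100 = 'WriteAttributes'
    0x00010000 = 'DELETE';      0x00020000 = 'READ_CONTROL';   0x00040000 = 'WRITE_DAC'
    0x00080000 = 'WRITE_OWNER'; 0x00100000 = 'SYNCHRONIZE'
}

function ConvertFrom-AccessMask {
    param([int]$Mask)
    # 0x100180 (the mask in the post) decodes to ReadAttributes, WriteAttributes, SYNCHRONIZE.
    $names = foreach ($bit in ($script:FileAccessBits.Keys | Sort-Object)) {
        if (($Mask -band $bit) -ne 0) { $script:FileAccessBits[$bit] }
    }
    return ($names -join ', ')
}

function ConvertFrom-HandleRequestEvent {
    param([xml]$EventXml)
    # Flatten the <Data Name="..."> elements of the event into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [int]$data['AccessMask']              # "0x100180" -> 1048960
    New-Object PSObject -Property @{
        Time       = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Process    = $data['ProcessName']
        Object     = $data['ObjectName']
        Accesses   = ConvertFrom-AccessMask $mask
        Privileges = $data['PrivilegeList']
    }
}

function Get-HandleAuditFailure {
    param([int]$MaxEvents = 500)
    # 4503599627370496 = 0x10000000000000, the "Audit Failure" keyword.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; Keywords = 4503599627370496 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-HandleRequestEvent ([xml]$_.ToXml()) }
}

function Get-AuditFailureSummary {
    param([object[]]$Events)
    # One row per process/object/rights/privilege combination, with the mean gap in minutes.
    $Events | Group-Object Process, Object, Accesses, Privileges | Sort-Object Count -Descending |
        ForEach-Object {
            $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
            $gap = if ($times.Count -gt 1) {
                [math]::Round(($times[-1] - $times[0]).TotalMinutes / ($times.Count - 1), 1)
            } else { $null }
            New-Object PSObject -Property @{ Count = $_.Count; AvgGapMin = $gap; Who = $_.Name }
        }
}

# Constructed sample event (timestamp is made up) mirroring the record in the post.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4656</EventID>
    <TimeCreated SystemTime="2010-05-04T10:15:02.000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Windows\System32\csrss.exe</Data>
    <Data Name="ProcessName">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe</Data>
    <Data Name="AccessMask">0x100180</Data>
    <Data Name="PrivilegeList">SeBackupPrivilege</Data>
  </EventData>
</Event>
'@

# Offline: decode the constructed sample.
ConvertFrom-HandleRequestEvent ([xml]$sampleXml) | Format-List Time, Process, Object, Accesses, Privileges

# On the affected server (elevated): summarise the most recent failures.
# Get-AuditFailureSummary (Get-HandleAuditFailure -MaxEvents 2000) | Format-Table Count, AvgGapMin, Who -AutoSize
```

The summary is what to compare against the scan schedule: the Who column tells you whether anything other than SavService.exe is requesting WriteAttributes on these files, and AvgGapMin makes the "5 to 30 minutes" observation concrete per file.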


  • I was about to answer soph123's post when I saw spike's reply.

    Nonetheless I want to point out that IMHO the forum is not a replacement for support (among other duties I'm responsible for a small support group). I have no intention to second-guess spike or Sophos - but in particular I would not expect that the forum is being monitored for "individual issues" (I know this should be posted in the About forum but ...).

    A support process is (or should be) clearly defined. There is a requester, a person who is or represents a customer. A support process has probably an (internal) SLA assigned which is tracked. At the end there has to be an accepted outcome. The forum is more or less anonymous - if someone monitoring the forum decides that a case has to be opened these data are not available. 

    It starts with the requester - when do you decide to open a case and for whom? One case? Several? Although the symptoms might be similar there could be different causes. At which point would you "split" the case? Quite complicated.

    So don't be shy of calling or mailing support (and there's no extra cost involved) especially if you think your problem is serious.

    As to the audit failures: I have no idea what's happening ;-) just a few thoughts.

    Out of curiosity I tried to find out when Sophos tries to write attributes. It does not during on-access scan, but a right-click scan causes the Last Accessed date to be updated (and this is immediately preceded by a request for a handle with Read, Write and Synchronize). But I haven't tested on a 2008.

    The selection of files for which this happens is somewhat strange - especially cmd and netstat. But I refrain from guessing what this could be. Sysinternals' Process Monitor might help identifying what's accessing one of these (besides SavService).

    Christian

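Taking up the Process Monitor suggestion: a capture that runs long enough to cover the 5 to 30 minute interval, exported to CSV and reduced to the files named in the thread, shows every process that touches them and with which operation and result. This is an added example, not code from the original posts or from Sophos: the location of Procmon.exe, the C:\Temp path and the function names are assumptions, an elevated prompt is assumed, and the sample CSV rows are constructed in the layout of Procmon's CSV export so the summary can be tried without a capture.

```powershell
# Added example (not from the original posts or from Sophos): time-boxed Process
# Monitor capture, CSV export, and a summary of who touches the files in question.
# Assumptions: Procmon.exe (Sysinternals) is at $ProcmonPath, C:\Temp exists,
# and the prompt is elevated.

$ProcmonPath = 'C:\Tools\Procmon.exe'      # assumed location
$Targets     = 'csrss.exe', 'services.exe', 'netstat.exe', 'taskeng.exe', 'cmd.exe'

function Start-TargetedCapture {
    param([string]$BackingFile = 'C:\Temp\handles.pml', [int]$Minutes = 30)
    # Capture to a backing file for long enough to cover the interval seen in the event log.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $BackingFile
    Start-Sleep -Seconds ($Minutes * 60)
    Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait
    # Export the trace to CSV so it can be filtered with Import-Csv.
    $csv = [IO.Path]::ChangeExtension($BackingFile, '.csv')
    Start-Process -FilePath $ProcmonPath -ArgumentList '/OpenLog', $BackingFile, '/SaveAs', $csv -Wait
    return $csv
}

function Get-TargetAccessSummary {
    param([string]$CsvPath)
    # Match only paths whose file name is one of the targets.
    $pattern = '\\(' + (($Targets | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    Import-Csv $CsvPath |
        Where-Object { $_.Path -match $pattern } |
        Group-Object 'Process Name', Operation, Result |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Process / Operation / Result'; Expression = { $_.Name } }
}

# Constructed sample rows in Procmon's CSV export layout (PID 180 = 0xb4 from the post).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.0012345","SavService.exe","180","CreateFile","C:\Windows\System32\csrss.exe","ACCESS DENIED","Desired Access: Read Attributes, Write Attributes, Synchronize"
"10:15:02.0012601","SavService.exe","180","CreateFile","C:\Windows\System32\csrss.exe","SUCCESS","Desired Access: Read Attributes, Synchronize"
"10:27:44.5530017","SavService.exe","180","CreateFile","C:\Windows\System32\cmd.exe","ACCESS DENIED","Desired Access: Read Attributes, Write Attributes, Synchronize"
"10:27:44.5531200","svchost.exe","964","CreateFile","C:\Windows\System32\taskeng.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize"
'@
$samplePath = Join-Path $env:TEMP 'procmon-sample.csv'
Set-Content -Path $samplePath -Value $sampleCsv

# Offline: summarise the constructed sample.
Get-TargetAccessSummary $samplePath | Format-Table -AutoSize

# Live, on the affected server (elevated; blocks for 30 minutes):
# Get-TargetAccessSummary (Start-TargetedCapture -Minutes 30) | Format-Table -AutoSize
```

The Detail column of the ACCESS DENIED rows is what to read next: it names the desired access, so a request that includes Write Attributes immediately before a successful request without it is the same pattern as the 4656 record in the first post.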