Solved

Event Viewer Security Failure Audit

Posted on 2004-09-10
Last Modified: 2008-01-09
I am receiving this message in the Event Viewer...
Is this a serious problem - should I worry about this?
I am getting a message when I log on to the machine that says the security log is full and that only an admin can clear the logs.
I clear them, but they are filling up extremely fast, as the below listed events are occurring about 4 times every 6 mins.


The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\SYSTEM32\lsass.exe
Process identifier: 868
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 2886
Allowed: No
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

AND

The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\SYSTEM32\svchost.exe
Process identifier: 1304
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No

Question by:jpressit
3 Comments
 
LVL 1

Accepted Solution

by:
perica83 earned 125 total points
ID: 12031965
Here is a little background info:

lsass - lsass.exe - Process Information
Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
 
Description:
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies, and is NOT to be confused with the lsas.exe virus.
 
Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System
 
System Process: Yes
Virus: No
Spyware: No
Background Process: Yes
Uses Network: No
Hardware Related: No



svchost - svchost.exe - Process Information
Process File: svchost or svchost.exe
Process Name: Microsoft Service Host Process
 
Description:
svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.
 
Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System
 
System Process: Yes
Virus: No
Spyware: No
Background Process: Yes
Uses Network: No
Hardware Related: No


This is not a security problem. Try adjusting what gets logged or increasing the log size. Also do a little tweaking on the firewall so that it does not pick up all "regular" Windows traffic.
 
LVL 1

Expert Comment

by:perica83
ID: 12031982
One more thing before I forget: some viruses like to mask themselves as "lsass.exe" so that you won't notice. So for safety reasons, run a virus check to make sure that the drive is clean.
 
LVL 1

Assisted Solution

by:Keravi
Keravi earned 125 total points
ID: 12036112
A virus scan as perica83 suggested is a great idea; as well, make sure you keep up with adware/spyware scans.

The lsass.exe basically is listening for logins for your machine; it helps control the authentication of users attempting to log on to your computer. I agree with perica83 in that you should adjust your logging and firewall settings (after, of course, you are certain that your computer is safe/not infected etc.).

The svchost.exe/port 68 occurrence that you are describing sounds typical of part of the DHCP process, as ports 67 and 68 (UDP) are used for discovery and then listening for the offer (and other messages) from the responding DHCP server. So basically, if you are getting your IP address via DHCP you have to allow that traffic; else you'll have a machine very busy trying to receive IP address offers but never "seeing" them, and it will keep trying. So, some questions for you are:

Do you use DHCP to gain an IP address or have you assigned an IP (static)?
Do you have multiple network interfaces from which one may be sending a DHCP request (and therefore listening for a response) and how are you connected to your network?

If you want to find out what processes are being used by svchost.exe you can go to a command line and type "tasklist /svc" and it will show you all tasks and services running as well as their Process ID (PID). You can match the process ID that you see in your error message, 1304 in the example above, and then look in this new listing for the same number and thereby see a list of services/dll(s) etc that are bound to a particular instance of svchost.exe.
For people using win2k, the win2k resource kit has a program called "tlist.exe" that can be used for the same purpose using the command line and typing "tlist -s".
Alternately, you can use the excellent freeware utility called "pslist.exe" from www.sysinternals.com (http://www.sysinternals.com/ntw2k/freeware/pslist.shtml) or even their free GUI Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml).

Also remember that if you are wondering what remote IP may be listening on those ports, then go to a command prompt and type "netstat -ao" to see all IPs and ports on your machine. You can get the PID again and compare against the results from your "tasklist /svc". Or if you have XP SP2 you can use "netstat -b" and it will give you the services that are controlling the port. Even better, go back to sysinternals and look for their freeware "tcpview" and you'll have a nice GUI to tell you the same thing.

Hope this helps! Questions? Concerns?
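The PID-matching step Keravi describes (take the "Process identifier" from the firewall event, find the same PID in `tasklist /svc`, and see which services that svchost.exe instance hosts) can be scripted so the check is repeatable instead of done by eye. The following is an added example, not code from the thread or from Microsoft; the event text is a copy of the svchost.exe event in the question, the `tasklist /svc` excerpt and the expected-port baseline (`BASELINE`) are constructed assumptions.

```python
import re

# Constructed copy of the svchost.exe event from the question (constructed sample).
EVENT = """The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\\WINDOWS\\SYSTEM32\\svchost.exe
Process identifier: 1304
User account: SYSTEM
IP protocol: UDP
Port number: 68
Allowed: No"""

# Constructed 'tasklist /svc' excerpt in the Windows XP column layout (constructed sample).
TASKLIST = """Image Name                     PID Services
========================= ======== ============================================
lsass.exe                      868 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1304 Dhcp, Dnscache
svchost.exe                   1420 Browser, LanmanServer"""

# Assumed baseline: (protocol, port) -> the service expected to own it on a DHCP workstation.
BASELINE = {("UDP", 68): "Dhcp"}

def parse_event(text):
    """Pull path, PID, protocol and port out of a firewall listening-application event."""
    fields = dict(re.findall(r"^([A-Za-z ]+): (.+)$", text, re.M))
    return {"path": fields["Path"], "pid": int(fields["Process identifier"]),
            "proto": fields["IP protocol"], "port": int(fields["Port number"])}

def parse_tasklist(text):
    """Map PID -> (image name, list of hosted services) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines()[2:]:          # skip the header and ruler lines
        m = re.match(r"(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).split(", "))
    return procs

def classify(event, procs):
    """Name the services behind the event's PID and check the port against the baseline."""
    image, services = procs.get(event["pid"], ("<pid not in tasklist>", []))
    expected = BASELINE.get((event["proto"], event["port"]))
    if expected is None:
        verdict = "not in baseline: investigate"
    elif expected in services:
        verdict = f"expected: {expected} owns {event['proto']}/{event['port']}"
    else:
        verdict = f"suspicious: {event['proto']}/{event['port']} should belong to {expected}"
    return image, services, verdict
```

Run it against the real output of `tasklist /svc` and a copied event block; a port that is not in your baseline, or a baseline port owned by a process other than the expected service, is the case worth following up with the netstat and Process Explorer steps above.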
