Security Event Log Failure Audits
Posted on 2006-11-26
I'm experiencing consistent security event log failure audits on my W2K3 web server. The failure, "The Windows Firewall has detected an application listening for incoming traffic." is coming from C:\WINDOWS\system32\lsass.exe & C:\WINDOWS\system32\svchost.exe approximately every 10 minutes. Each application listens on 3 consecutive ports (i.e., lsass.exe will listen on 2692, 2693, & 2694 while at about the same time svchost.exe will listen on 2867, 2868, & 2869). At each interval, the ports will change but the process follows the same "3 consecutive" model. I've contacted my service provider, and while they can't explain it, they assure me I have nothing to worry about. To me, this looks like a "low & slow" approach designed to fool an intrusion detection system. I'm trying to determine if I should take the provider's advice and not worry about it, or go with my gut and contact a security expert for a resolution. Thank you.
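The pattern described above can be measured rather than eyeballed. The following is an added example, not part of the original post: it groups the failure audits into per-process bursts, checks whether each burst's ports form an unbroken run, and reports the spacing between bursts. The `timestamp,process,port` input format, the function names and the 60-second burst gap are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one row per failure audit; only the first interval's ports come from the post.
SAMPLE = r"""
2006-11-26 10:00:02,C:\WINDOWS\system32\lsass.exe,2692
2006-11-26 10:00:02,C:\WINDOWS\system32\lsass.exe,2693
2006-11-26 10:00:03,C:\WINDOWS\system32\lsass.exe,2694
2006-11-26 10:00:09,C:\WINDOWS\system32\svchost.exe,2867
2006-11-26 10:00:09,C:\WINDOWS\system32\svchost.exe,2868
2006-11-26 10:00:10,C:\WINDOWS\system32\svchost.exe,2869
2006-11-26 10:10:04,C:\WINDOWS\system32\lsass.exe,2731
2006-11-26 10:10:04,C:\WINDOWS\system32\lsass.exe,2732
2006-11-26 10:10:05,C:\WINDOWS\system32\lsass.exe,2733
2006-11-26 10:10:11,C:\WINDOWS\system32\svchost.exe,2902
2006-11-26 10:10:12,C:\WINDOWS\system32\svchost.exe,2904
"""

def parse(text):
    """Return time-sorted (time, process, port) tuples from the rows."""
    rows = []
    for line in text.strip().splitlines():
        stamp, proc, port = line.rsplit(",", 2)
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), proc.lower(), int(port)))
    return sorted(rows)

def find_bursts(events, gap=timedelta(seconds=60)):
    """Group each process's events into bursts; flag bursts whose ports are one unbroken run."""
    by_proc = defaultdict(list)
    for when, proc, port in events:
        groups = by_proc[proc]
        if groups and when - groups[-1]["last"] <= gap:
            groups[-1]["ports"].append(port)
            groups[-1]["last"] = when
        else:
            groups.append({"start": when, "last": when, "ports": [port]})
    for groups in by_proc.values():
        for g in groups:
            p = sorted(g["ports"])
            g["consecutive"] = p == list(range(p[0], p[0] + len(p)))
    return dict(by_proc)

def intervals_minutes(groups):
    """Minutes between the starts of successive bursts for one process."""
    return [round((b["start"] - a["start"]).total_seconds() / 60) for a, b in zip(groups, groups[1:])]

if __name__ == "__main__":
    for proc, groups in find_bursts(parse(SAMPLE)).items():
        print(proc, [(sorted(g["ports"]), g["consecutive"]) for g in groups], intervals_minutes(groups))
```

Run over a full day of entries, the output shows whether the 10-minute spacing and the three-port runs hold for every burst or only for the ones that were noticed.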