Security Alerts

Hi,
We have got the below alert in our server monitoring:
New Account Name (HelpAssistant_eefebe) has been added and deleted within 1 hour of time frame on server. I am unable to trace anything on the server. Please help me by giving more information about this and also on how to avoid this in future.

Thanks in advance
Suresh Techy.
Sureshkumaar Asked:

Murali Commented:
Hi Suresh, what tool do you use to monitor your network? Is this Symantec Enterprise Security Manager?

Murali Commented:
HelpAssistant is the default Windows account name, and eefebe should be your computer name. This account is default; you don't have to do anything on it. Let it be.

You need to exclude/suppress this account not for this alert...

Sureshkumaar Author Commented:
Hi Murali,

Monitoring is being done by another team who are specialists in ISMS, and the computer name is not eefebe. Could I get more details on this? I googled and found no info that is satisfying.

What are help assistants used for? Why should it create and delete the user IDs on its own?

Sureshtechy.

Murali Commented:
Hi Suresh, actually I can tell you how this alert has been thrown by your security monitoring system.

These security monitoring systems will record the system state every time; typically these are called snapshots, and they will have a schedule running, every day or every week. When it runs initially, it captures all security settings of the machine like users, groups, membership, local security policy, etc.

When the next schedule runs, it captures and compares with the previous snapshot. Whatever difference is found, based on category like users or security policy, it will assign the criticality and throw the alert.

At this point you can tell your security team that this is a default Windows account. No account has been created; it has been there from the time Windows was installed, so exclude this user from the check.

And also you question them back: why are you alerting on this? Because it has been there for a long time, why is the security system alerting me about it now? Is it not something wrong from their end?

MuraliCommented:
Check this article if you have this problem for xp home/prof

http://support.microsoft.com/kb/323647
Russell_Venable Commented:
Hi Sureshkumaar,
#1
When seeing these types of accounts created on your server, they would indicate that someone is using remote assistance. Every time a support ticket is sent and the user it was sent to receives and activates the ticket, it creates a new account named "HelpAssistant_<prefix>". After the user ends his remote session, it then deletes the account. I would have your team check for computers connecting at that time and also see what software was running. In most cases it would be something like MSN Live Messenger and someone sending a remote assistance invite. So don't be alarmed unless #2 is happening.

Remote assistance is explained in detail here.

#2
If you are getting symptoms on your server of antivirus or protection software being (Killed), I would then be cautious, as this would then be signs of "Win32.Meroot.rootkit".

So all in all the first part is by all means normal and actually is built into the Windows system for remote support. The second part is if you're having odd security problems, which I doubt you're having.
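
The alert from the question (an account added and deleted within one hour) combined with the HelpAssistant naming pattern described in the answer above, as an added example that is not part of the thread or of any monitoring product. It assumes the account lifecycle events have been exported as records with `time`, `event_id` and `target` fields, uses the Windows Security event IDs 4720 (account created) and 4726 (account deleted) from Windows Vista / Server 2008 and later, and runs on constructed sample events.

```python
from datetime import datetime, timedelta

CREATED, DELETED = 4720, 4726  # Windows Security log: user account created / deleted
WINDOW = timedelta(hours=1)    # the one-hour window from the alert in the question
RA_PREFIX = "helpassistant_"   # naming pattern the thread attributes to Remote Assistance

# Constructed sample events (assumed export format: time, event_id, target account)
SAMPLE_EVENTS = [
    {"time": "2010-03-02T09:14:05", "event_id": 4720, "target": "HelpAssistant_eefebe"},
    {"time": "2010-03-02T09:41:30", "event_id": 4726, "target": "HelpAssistant_eefebe"},
    {"time": "2010-03-02T11:00:00", "event_id": 4720, "target": "svc_tmp"},
    {"time": "2010-03-02T11:20:00", "event_id": 4726, "target": "svc_tmp"},
    {"time": "2010-03-02T12:00:00", "event_id": 4720, "target": "jdoe"},
    {"time": "2010-03-02T15:30:00", "event_id": 4726, "target": "jdoe"},
]

def short_lived_accounts(events, window=WINDOW):
    """Pair each creation with the next deletion of the same account name and
    return the pairs whose lifetime is within `window`."""
    pending = {}   # lower-cased account name -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["target"].lower()  # Windows account names are case-insensitive
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == CREATED:
            pending[name] = when
        elif ev["event_id"] == DELETED and name in pending:
            lifetime = when - pending.pop(name)
            if lifetime <= window:
                is_ra = name.startswith(RA_PREFIX)
                findings.append({
                    "account": ev["target"],
                    "lifetime_seconds": int(lifetime.total_seconds()),
                    # The prefix only lowers priority; the session that created
                    # the account should still be tied to a known support request.
                    "triage": "remote-assistance-pattern" if is_ra else "investigate",
                })
    return findings

if __name__ == "__main__":
    for finding in short_lived_accounts(SAMPLE_EVENTS):
        print(finding)
```

Tagging instead of excluding the HelpAssistant_ names keeps the event visible, so the time of the account's creation can still be checked against who was connected to the server.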

Question has a verified solution.