Endpoint Protection

  • Private Community
 View Only

  • 1.  Succesful Log on session is created (with the Event id : 4624) every few seconds.

    Posted Nov 07, 2011 10:57 AM

    Succesful Log on session is created (with the Event id : 4624) every few seconds -

    Want to know the reason for this ? Eventhough it is a successful audit, is this safer as it appears every few seconds.

    SEP version  : 11.0.5002. This happens in the SEPM installed machine (Windows server2008 ).  SQL 2005 database is used

    Find the Event viewer log:

    An account was successfully logged on.

    Subject:
     Security ID:  S-1-5-18
     Account Name:  NHOA5MAPP127$
     Account Domain:  NUTRISYSTEM
     Logon ID:  0x3e7

    Logon Type:   2

    New Logon:
     Security ID:  S-1-5-21-1761353269-1846692113-1232828436-13163
     Account Name:  symendpoint
     Account Domain:  NUTRISYSTEM
     Logon ID:  0xadf3e4c
     Logon GUID:  {00000000-0000-0000-0000-000000000000}

    Process Information:
     Process ID:  0xbfc
     Process Name:  D:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\SysUtil.exe

    Network Information:
     Workstation Name: NHOA5MAPP127
     Source Network Address: -
     Source Port:  -

    Detailed Authentication Information:
     Logon Process:  Advapi 
     Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

     

     



  • 2.  RE: Succesful Log on session is created (with the Event id : 4624) every few seconds.

    Posted Nov 08, 2011 04:54 AM

    Hi Ramp.Ragav,

    That's normal Windows behavior, it appears.  I have tens of thousands of 4624's in my Windows 2008 server's Security log.  (Like you, I have my SEPM on a Win2008 server, using a MS SQL 2005 server.)

    I am sure there is a way to disable such auditing by configuring Windows settings.  A quick Internet search will probably reveal the steps how.

    I would not worry at all about these entries in the Event Log.

    Please let the forum know if this answers your question!



  • 3.  RE: Succesful Log on session is created (with the Event id : 4624) every few seconds.

    Posted Nov 08, 2011 02:52 PM

    Thanks for your update on this.

    Eventhough Event id :4624 is normal behaviour : SysUtil.exe which is a Symantec process uses the Advapi logon process (as shown in the Event viewer message) every second to create this event. 

    I have found that SysUtil.exe is a process used to gather system information about the SEPM for display in the SEPM.

    Bit curious on the root cause of this event generated !!!