Guest
I have installed the full release version of Windows Defender. When I
perform a full system scan, whether manually or automatically, Windows
Defender attempts to scan network resources which are not mapped.
What is really strange is that these attempts are not made on any of the
machines on the LAN where my Active Directory Domain resides. These
authentication failures occur in a Windows environment in a separate
building, which is connected by an IPSec VPN, allowing traffic from my office
to that building to be instantiated.
The failures are logged because Defender is running as my local machine,
which has no privileges in the other environment. There are always two
errors in quick succession because I've enabled Account Logon and
Logon/Logoff failure auditing, which follow:
======================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/14/2006
Time: 1:41:01 AM
User: NT AUTHORITY\SYSTEM
Computer: T#####
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: L####$
Source Workstation: L####
Error Code: 0xC0000064
======================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/14/2006
Time: 1:41:01 AM
User: NT AUTHORITY\SYSTEM
Computer: T#####
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: L####$
Domain: C#########
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: L####
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.#.#.#
Source Port: 0
======================================================
I need a way to turn this off in Windows Defender.
1> the drives on these machines are not mapped, so I'm not sure where
Defender is even getting the machine names (unless it's pulling it from my
explorer history or something).
2> these machines are not even in a trust relationship with my domain.
3> there is not a list of "items to scan" anywhere that I can find, in the
registry, flat files, or online. There is the list of "Do not scan these
files or folders," but that's exclusive - I need the inclusive.
4> where is the promised .adm file which was supposed to accompany the full
release?
As a domain administrator, I am going to be hard pressed to deploy this
corporate-wide if I can't configure it to not scan network devices which are
not mapped, and have to run around trying to block it everywhere to prevent
it from attempting authentication in other connected environments.
Thanks for your help, anyone.
- Eric McWhorter
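For triaging failures like the 680/529 pair quoted in the post, the following added example (not part of the original post) parses events exported as text in that layout and reports machine-account NTLM network logon failures by source address. The sample events, the names `WKSTN01` and `EXAMPLEDOM`, the address `192.0.2.10`, and the second status code in the lookup table are constructed for illustration.

```python
import re
from collections import defaultdict
NTSTATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password"}

# Constructed sample in the text layout of the events quoted above (names/addresses are made up).
SAMPLE = """\
======================================================
Event ID: 680
Date: 11/14/2006
Time: 1:41:01 AM
Logon account: WKSTN01$
Error Code: 0xC0000064
======================================================
Event ID: 529
Date: 11/14/2006
Time: 1:41:01 AM
User Name: WKSTN01$
Domain: EXAMPLEDOM
Logon Type: 3
Authentication Package: NTLM
Source Network Address: 192.0.2.10
======================================================
"""

def parse_events(text):
    """Split on the ===== rulers; each 'Key: value' line becomes a dict entry."""
    events = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, flags=re.M)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if "Event ID" in fields:
            events.append(fields)
    return events

def machine_ntlm_failures(events):
    """Pair 680 with 529 on (date, time, account); keep machine-account NTLM network logons."""
    grouped = defaultdict(dict)
    for e in events:
        account = e.get("Logon account") or e.get("User Name") or ""
        grouped[(e.get("Date"), e.get("Time"), account)][e["Event ID"]] = e
    findings = []
    for (date, time, account), pair in grouped.items():
        e680, e529 = pair.get("680"), pair.get("529")
        if not (e680 and e529 and account.endswith("$")  # trailing $ marks a computer account
                and e529.get("Logon Type") == "3" and e529.get("Authentication Package") == "NTLM"):
            continue
        code = e680.get("Error Code", "")
        findings.append({"account": account, "when": f"{date} {time}", "reason": NTSTATUS.get(code, code),
                         "source": e529.get("Source Network Address")})
    return findings
```

Grouping the returned findings by `source` shows which scanning hosts generate the failures in the remote environment.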