Event log fills up with Failure Audit events (XP-Pro)

Bo Berglund

My Event log continuously fills up with failure audit events of this
type:

The Windows Firewall has detected an application listening for
incoming traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 1312
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3562
Allowed: No
User notified: No

The strange thing is that I am behind a firewall so Windows Firewall
is set to OFF....
How can Windows Firewall log events if it is OFF?????

And how can I get rid of this nuisance?
I am running a fully up to date Symantec Corporate antivirus on this
PC.


Bo Berglund
 
Shenan Stanley

Bo said:
My Event log continuously fills up with failure audit events of this
type:

The Windows Firewall has detected an application listening for
incoming traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 1312
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3562
Allowed: No
User notified: No

The strange thing is that I am behind a firewall so Windows Firewall
is set to OFF....
How can Windows Firewall log events if it is OFF?????

And how can I get rid of this nuisance?
I am running a fully up to date Symantec Corporate antivirus on this
PC.

http://www.eventid.net/display.asp?eventid=861&eventno=4615&source=Security&phase=1
 
Bo Berglund


I noticed that even if Windows Firewall is set to off it seems to be
active anyway. So I stopped the service and set it for manual start.
Now I don't get nearly as many log entries, but I still have a fair
amount of unuseful entries, like:

A new process has been created:
New Process ID: 4908
Image File Name:
C:\Engineering\Projects\Bosse\MailCheck\MailCheck.exe
Creator Process ID: 240
User Name: Bosse
Domain: MYDOMAIN
Logon ID: (0x0,0x1ACAD)


And then after the program exits:

A process has exited:
Process ID: 4908
Image File Name:
C:\Engineering\Projects\Bosse\MailCheck\MailCheck.exe
User Name: Bosse
Domain: MYDOMAIN
Logon ID: (0x0,0x1ACAD)

What is the purpose of logging these items?
Again the event log fills up with non-usable entries.
It would have been useful if failures were logged, but why log normal
activity?

And how can I reduce this?



Bo Berglund
 
