F-Prot triggers huge amounts of Security Audit Failures on Windows XP

[Rob]

Hello,

I have F-prot version 6 (Anti-Virus) loaded on several Windows XP
systems in our lab. The Windows XP systems have been configured for
security auditing (per NISPOM Ch. 8 requirement). Using event viewer
to look at the security logs, I'm seeing 8500+ security messages for
two days worth of usage, of which 94% of them read exactly like the
printout below.

I'm not sure, but it seems like FPAVserv (f-prot process) might
running with the user's rights and not running as a system service.

Any thoughts on how I can fix this?

Thanks,

Rob Ramsey
Colorado

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/7/2008
Time: 10:37:39 PM
User: STK-NODE\dave
Computer: STK-NODE
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: FPAVServer
Handle ID: -
Operation ID: {0,2766732}
Process ID: 740
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: STK-NODE$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: dave
Client Domain: STK-NODE
Client Logon ID: (0x0,0x281EF9)
Accesses: Query status of service
Start the service

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

8760 messages of event type 560 out of 8855 events
6 Feb 2008 11:24:40PM - 8 Feb 2008 3:16:52PM

 

[David H. Lipman]

From: "Rob" <[email protected]>

| Hello,
|
| I have F-prot version 6 (Anti-Virus) loaded on several Windows XP
| systems in our lab. The Windows XP systems have been configured for
| security auditing (per NISPOM Ch. 8 requirement). Using event viewer
| to look at the security logs, I'm seeing 8500+ security messages for
| two days worth of usage, of which 94% of them read exactly like the
| printout below.
|
| I'm not sure, but it seems like FPAVserv (f-prot process) might
| running with the user's rights and not running as a system service.
|
| Any thoughts on how I can fix this?
|
| Thanks,
|

< snip >


Interesting.

If you have to follow "NISPOM Ch. 8 requirement", you can't use F-Prot. It is an unapproved
anti virus solution.

The requirements are only for the DISA approved anti virus solutions under the DISA DoD wide
license which include only; Trend Micro, Symantec and MCafee.

 

[Rob]

From: "Rob" <[email protected]>

| Hello,
|
| I have F-prot version 6 (Anti-Virus) loaded on several Windows XP
| systems in our lab.  The Windows XP systems have been configured for
| security auditing (per NISPOM Ch. 8 requirement).  Using event viewer
| to look at the security logs, I'm seeing 8500+ security messages for
| two days worth of usage, of which  94% of them read exactly like the
| printout below.
|
| I'm not sure, but it seems like FPAVserv (f-prot process) might
| running with the user's rights and not running as a system service.
|
| Any thoughts on how I can fix this?
|
| Thanks,
|

< snip >

Interesting.

If you have to follow "NISPOM Ch. 8 requirement", you can't use F-Prot.  It is an unapproved
anti virus solution.

The requirements are only for the DISA approved anti virus solutions underthe DISA DoD wide
license which include only;  Trend Micro, Symantec and MCafee.

Hello Dave,

Contractors are governed by DSS. Their regulation reads:

DoD 5220.22-M, February 28, 2006

8-305. Malicious Code. Policies and procedures to detect and deter
incidents caused by malicious code, such as viruses or unauthorized
modification to software, shall be implemented. All files must be
checked for viruses before being introduced on an IS and checked for
other malicious code as feasible. The use of personal or public domain
software is strongly discouraged. Each installation of such software
must be approved by the ISSM.

I have F-Prot listed in my protection profile and I have an ATO letter
in-hand. I haven't read anything on DSS's website stating that a
particular piece of anti-virus software has to be used; at least not
for our classification level.

Not that any of that matters anyway. Any thoughts on the message I
posted?

Thanks,

Rob

 

[Malke]

Contact F-Prot tech support. Although they may take a day or so to answer
(time difference between US and Iceland), my experience with them is that
they are very responsive.

Malke

 

[David H. Lipman]

From: "Rob" <[email protected]>


|
| Hello Dave,
|
| Contractors are governed by DSS. Their regulation reads:
|
| DoD 5220.22-M, February 28, 2006
|
| 8-305. Malicious Code. Policies and procedures to detect and deter
| incidents caused by malicious code, such as viruses or unauthorized
| modification to software, shall be implemented. All files must be
| checked for viruses before being introduced on an IS and checked for
| other malicious code as feasible. The use of personal or public domain
| software is strongly discouraged. Each installation of such software
| must be approved by the ISSM.
|
| I have F-Prot listed in my protection profile and I have an ATO letter
| in-hand. I haven't read anything on DSS's website stating that a
| particular piece of anti-virus software has to be used; at least not
| for our classification level.
|
| Not that any of that matters anyway. Any thoughts on the message I
| posted?
|
| Thanks,
|
| Rob

Contractors are not covered under the DISA DoD wide anti virus contract. Therfore F-Prot
fits the bill.

I'll find out what I can about what you originally posted through my contacts.