How to Resolve Security Event ID 861?

  • Question

  • Hi Guys,

    I'm having a problem with my Event Viewer in which it fills up with a Failure Audit every time I log on. I've already searched for the solution on other sites, but they only suggest turning off the Failure Notification or disabling the Windows Firewall. I don't accept this solution because it only hides what the problem is; instead, I want to know the real cause.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Detailed Tracking 
    Event ID: 861
    Date:  6/17/2009
    Time:  8:21:05 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: Server1
    Description:
    The Windows Firewall has detected an application listening for incoming traffic. 
     
    Name: - 
    Path: C:\WINDOWS\system32\lsass.exe 
    Process identifier: 444 
    User account: SYSTEM 
    User domain: NT AUTHORITY 
    Service: Yes 
    RPC server: No 
    IP version: IPv4 
    IP protocol: UDP 
    Port number: 21000 
    Allowed: No 
    User notified: No

    BTW, I have Symantec installed on my computer and the Windows Firewall is disabled.

    Thursday, July 19, 2012 8:39 AM

Answers

  • Look at the cause; this event is telling you that something is unexpectedly listening on your computer. Look at the individual message; it will identify four important items: process name/path, process ID, port, and protocol. The first thing to be concerned about is whether the host has been compromised, so run scans (offline preferably) looking for viruses and malware. If you are clean, then determine if the listening process is valid for the host. In the case of LSASS, if you are sharing objects (files, printers, etc.), then make sure you have all the latest Microsoft patches (specifically MS04-011), run a vulnerability scan to be sure (try Foundstone DSScan), and if you are all clean, then make the listening program an exception in your Windows-based firewall. The same process is valid for any of the other 861 messages: inspect your host, evaluate the listening process, double-check OS patches, then either disable the listening process or make the appropriate entry in your firewall to allow it to do the job it is listening for. Please do not turn off your firewall or auditing policies (especially failures); they are there for a reason.

    DushYant

    Wednesday, July 25, 2012 8:25 AM
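As an added example (not code from this thread), a small Python triage script that parses the fields of an event 861 description like the one quoted in the question and applies the checklist from the answer: is the listening executable one expected on this host, is it running under the expected account, and does it still lack a firewall exception. The sample text is copied from the question; the allowlist is a constructed, hypothetical one that you would tune per host.

```python
import re

# Constructed sample: the description text of the event 861 quoted in the question.
SAMPLE_861 = r"""The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 444
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 21000
Allowed: No
User notified: No
"""

# Hypothetical per-host allowlist: lowercase path of each executable that is expected
# to listen on this host, mapped to the accounts it should run under.
EXPECTED_LISTENERS = {
    r"c:\windows\system32\lsass.exe": {r"NT AUTHORITY\SYSTEM"},
}

# One "Key: value" line of the description body.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$", re.M)


def parse_861(description: str) -> dict:
    """Return the Key: value pairs of an event 861 description as a dict."""
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(description)}


def triage_861(description: str) -> list:
    """Apply the answer's checklist to one event; an empty list means an expected listener."""
    fields = parse_861(description)
    path = fields.get("Path", "").lower()
    name = path.rsplit("\\", 1)[-1]
    account = f"{fields.get('User domain', '')}\\{fields.get('User account', '')}"
    findings = []
    if path in EXPECTED_LISTENERS:
        if account not in EXPECTED_LISTENERS[path]:
            findings.append(f"{name} running as {account} instead of an expected account")
    elif any(p.endswith("\\" + name) for p in EXPECTED_LISTENERS):
        # Same file name as a known system binary but a different directory: inspect the host first.
        findings.append(f"{name} running from unexpected location {path}")
    else:
        findings.append(f"unexpected listener {path} pid={fields.get('Process identifier')}")
    if fields.get("Allowed") == "No":
        findings.append(f"{fields.get('IP protocol')}/{fields.get('Port number')} has no firewall exception yet")
    return findings
```

For the event in the question the only finding is the missing firewall exception, which is exactly the step the answer says to take once the host checks out clean.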