Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)

  • Question

  • I noticed event ID 5156 is filling up my event logs. It logs one or two of these events literally every 2-3 seconds. Now my security logs are useless. I run SEP 11, which takes control of the Windows Firewall as well as using its own firewall. I googled and found that anti-virus software can be responsible for this behavior (like McAfee) and saw how I could disable logging of this event with auditpol.

    My question is how can I be sure that this is my anti-virus software doing this? I can't see anywhere in the log itself something that would link this to my antivirus product. The source address listed is always the broadcast address of my subnet and the destination is any computer I make ANY network connection to (file servers, DCs, etc).

    Here is what I am seeing:

    The Windows Filtering Platform has permitted a connection.
    
    Application Information:
    	Process ID:		4
    	Application Name:	System
    
    Network Information:
    	Direction:		Inbound
    	Source Address:		mybroadcast.address.for.subnet
    	Source Port:		137
    	Destination Address:	IP.of.destination.PC
    	Destination Port:		137
    	Protocol:		17
    
    Filter Information:
    	Filter Run-Time ID:	0
    	Layer Name:		Receive/Accept
    	Layer Run-Time ID:	44

    I haven't really found too much info on event ID 5156, or at least info I can make that much sense of. Would I ever really need this event to be logged? And why would my anti-virus software cause so many of these events?

    Thursday, June 16, 2011 12:54 PM

Answers

  • Hi,

    This would be caused by the following Security Auditing policy:

    Audit Filtering Platform Connection

    Hope it helps.

    Alex Zhao

    • Marked as answer by Cloud_TS Wednesday, June 29, 2011 1:11 AM
    Monday, June 20, 2011 10:12 AM

All replies

  • I don't know why I didn't think of this before, but I just disabled my AV software and this is still happening.

    Is there possibly some auditing setting for windows firewall I might have turned on?

    Friday, June 17, 2011 3:21 PM
  • This didn't really answer the question. I am getting the same thing, but I'm wondering how to determine what it means by System, as there are no services associated with System, and why both source and destination ports are 137. How can we determine what process or service is creating these logs with this information. Thanks.
    Thursday, June 21, 2012 7:07 PM
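    Added example (not from the thread or any poster): a small Python triage script that parses 5156 messages in the layout quoted above and counts them per application, PID, protocol and destination port, so the noisiest source stands out. On the constructed sample data the top entry is the kernel "System" process (PID 4) receiving UDP 137 (NetBIOS name service) broadcasts, which is what the quoted event shows; the addresses and the svchost entries are made up for the example.

    ```python
    import re
    from collections import Counter

    PROTOCOLS = {6: "TCP", 17: "UDP"}  # IANA protocol numbers seen in the Protocol field
    # Well-known destination ports that explain most "System" (PID 4) traffic on a Windows LAN.
    WELL_KNOWN = {53: "DNS", 137: "NetBIOS name service", 138: "NetBIOS datagram",
                  139: "NetBIOS session", 445: "SMB"}

    # One "Key:<tabs>Value" line. Section headers such as "Network Information:" carry no
    # value and therefore do not match; neither key nor value may span a newline.
    FIELD_RE = re.compile(r"^[ \t]*(?P<key>[^:\n]+):[ \t]*(?P<value>[^\n]*\S)[ \t]*$", re.M)

    def parse_5156(message):
        """Return the key/value fields of one event 5156 message as a dict."""
        return {m["key"].strip(): m["value"] for m in FIELD_RE.finditer(message)}

    def summarize(messages):
        """Count events by (application, PID, direction, protocol, dst port, service name)."""
        counts = Counter()
        for msg in messages:
            f = parse_5156(msg)
            proto, dport = int(f["Protocol"]), int(f["Destination Port"])
            counts[(f["Application Name"], f["Process ID"], f["Direction"],
                    PROTOCOLS.get(proto, str(proto)), dport, WELL_KNOWN.get(dport, "unknown"))] += 1
        return counts

    def top_talkers(messages, n=3):
        """Noisiest (application, port) combinations first."""
        return summarize(messages).most_common(n)

    def make_event(pid, app, direction, src, sport, dst, dport, proto):
        """Build a constructed 5156 message in the layout quoted in the thread (test data only)."""
        return ("The Windows Filtering Platform has permitted a connection.\n\n"
                f"Application Information:\n\tProcess ID:\t\t{pid}\n\tApplication Name:\t{app}\n\n"
                f"Network Information:\n\tDirection:\t\t{direction}\n\tSource Address:\t\t{src}\n"
                f"\tSource Port:\t\t{sport}\n\tDestination Address:\t{dst}\n"
                f"\tDestination Port:\t\t{dport}\n\tProtocol:\t\t{proto}\n")

    # Constructed samples: three NetBIOS broadcasts received by the kernel System process (PID 4)
    # plus two ordinary outbound connections from a user-mode service host (192.0.2.0/24 is the
    # documentation address range, so nothing here refers to a real host).
    SVCHOST = r"\device\harddiskvolume1\windows\system32\svchost.exe"
    SAMPLE_EVENTS = [
        make_event(4, "System", "Inbound", "192.0.2.255", 137, "192.0.2.10", 137, 17),
        make_event(4, "System", "Inbound", "192.0.2.255", 137, "192.0.2.10", 137, 17),
        make_event(4, "System", "Inbound", "192.0.2.255", 137, "192.0.2.10", 137, 17),
        make_event(1040, SVCHOST, "Outbound", "192.0.2.10", 52011, "192.0.2.20", 445, 6),
        make_event(1040, SVCHOST, "Outbound", "192.0.2.10", 52012, "192.0.2.1", 53, 17),
    ]
    ```

    Call `top_talkers(SAMPLE_EVENTS)` on messages exported from the Security log to rank the sources; PID 4 is always the kernel System process, so a socket owned by it belongs to a kernel-mode component rather than an installed service.
    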
  • Hi

    Event ID 5156 means Windows Firewall is allowing a connection to a host. To eliminate this, please open cmd and type the command

    Applies to Windows 2008 / 2008 R2 and Vista:

    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

    For more information:

    http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx

    RaSa

    • Proposed as answer by Syed_Rabbani Saturday, May 4, 2013 10:23 AM
    • Edited by Syed_Rabbani Saturday, May 4, 2013 10:25 AM rectify
    Saturday, May 4, 2013 10:22 AM