Flooded security event log

Discussion in 'ESET NOD32 Antivirus' started by Xarx, Jan 6, 2011.

Thread Status:
Not open for further replies.
  1. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    Hello,

    I have a notebook with Windows 7 x64 Enterprise and NOD32 Antivirus Business 4.2.58.5. Every second *hundreds* of events "A Windows Filtering Platform filter has been changed" flood my security event log.

    I searched for the source of these messages, and the events are produced by svchost.exe that hosts the following services:
    - Windows Firewall
    - Diagnostic Policy Service
    - Base Filtering Engine
    Hence I assume that the third service is the source. And NOD32 is known as a significant user of this service.

    What is wrong? (See the event content at the end of this post.)

    Recently (20 min. ago) the masses of above-mentioned "Audit Success" messages stopped and were replaced by tuples of "Audit Failure" messages, on average one every 2 mins. Perhaps the system wasn't able to consume so many changes in filter rules?

    Audit Failure:
    ---------------------------
    Windows Firewall did not apply the following rule:

    Rule Information:
    ID: CoreNet-Teredo-In
    Name: Core Networking - Teredo (UDP-In)

    Error Information:
    Reason: Local Port resolved to an empty set.
    ---------------------------
    Windows Firewall did not apply the following rule:

    Rule Information:
    ID: CoreNet-IPHTTPS-In
    Name: Core Networking - IPHTTPS (TCP-In)

    Error Information:
    Reason: Local Port resolved to an empty set.
    ---------------------------

    and once:
    ---------------------------
    A privileged service was called.

    Subject:
    Security ID: LOCAL SERVICE
    Account Name: LOCAL SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e5

    Service:
    Server: Security
    Service Name: -

    Process:
    Process ID: 0x3e8
    Process Name: C:\Windows\System32\svchost.exe

    Service Request Information:
    Privileges: SeLoadDriverPrivilege
    ---------------------------



    Audit Success:
    ---------------------------
    A Windows Filtering Platform filter has been changed.

    Subject:
    Security ID: LOCAL SERVICE
    Account Name: NT AUTHORITY\LOCAL SERVICE

    Process Information:
    Process ID: 1600

    Provider Information:
    ID: {decc16ca-3f33-4346-be1e-8fb4ae0f3d62}
    Name: Microsoft Corporation

    Change Information:
    Change Type: Delete

    Filter Information:
    ID: {b3390ab8-8637-4c67-9e0b-991a32b756d0}
    Name: Boot Time Filter
    Type: Not persistent
    Run-Time ID: 81639

    Layer Information:
    ID: {4a72393b-319f-44bc-84c3-ba54dcb3b6b4}
    Name: ALE Connect v6 Layer
    Run-Time ID: 50

    Callout Information:
    ID: {00000000-0000-0000-0000-000000000000}
    Name: -

    Additional Information:
    Weight: 18446744073709551615
    Conditions:
    Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
    Match value: Equal to
    Condition value: 0x3a

    Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
    Match value: Equal to
    Condition value: 0x0085

    Condition ID: {6ec7f6c4-376b-45d7-9e9c-d337cedcd237}
    Match value: Equal to
    Condition value: 0x03

    Condition ID: {97537c6c-d9a3-4767-a381-e942675cd920}
    Match value: Equal to
    Condition value: 0x00000083

    Condition ID: {72b1a111-987b-4720-99dd-c7c576fa2d4c}
    Match value: Equal to
    Condition value: 0x0000000e

    Condition ID: {46ea1551-2255-492b-8019-aabeee349f40}
    Match value: Equal to
    Condition value: 0x00000002

    Condition ID: {ab3033c9-c0e3-4759-937d-5758c65d4ae3}
    Match value: Equal to
    Condition value: 0x00000003

    Filter Action: Permit
    ---------------------------

    Thank you,
    Martin.
     
  2. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    After some research I can say that the "Audit Failure" events are unrelated, and need not be considered here in this forum.

    However, the problem with the "A Windows Filtering Platform filter has been changed" event flooding still remains. Since my first post, the flooding occurred twice again: the first time it produced about 3500 identical events in 2 seconds, the second time about 1000 events in 4 seconds. At this speed, my security log fills up in hours (the oldest record in this 20MB log is 5 hours old).

    Any hint? Can you confirm, at least, that this problem is related to NOD32?

    Thank you,
    Martin.


    EDIT: The events are not completely identical. The FilterName (and FilterId and further details) change, e.g.:

    FilterName=NetBIOS Datagram Service, LayerName=ALE Receive/Accept v4 Layer, or ALE Resource Assignment v4 Layer, or ALE Resource Assignment v6 Layer
    FilterName=Remote Administration (NP-In), LayerName=ALE Listen v6 Layer, or ALE Receive/Accept v4 Layer, or ALE Listen v4 Layer
    FilterName=Remote Administration (RPC-EPMAP), LayerName=ALE Receive/Accept v6 Layer
    FilterName=Networking - Router Solicitation (ICMPv4-In), LayerName=Inbound ICMP Error v4 Layer
    FilterName=Microsoft Office Groove, LayerName=ALE Resource Assignment v6 Layer, or ALE Receive/Accept v4 Layer

    etc., LayerName are very similar, FilterName seem to range all protocols.
     
    Last edited: Jan 6, 2011
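A way to measure what the posts above describe, as an added example that is not from the thread or from ESET: this PowerShell script reads the WFP filter-change events from the local Security log, attributes them to the issuing process (and the services that svchost hosts, as the poster did by hand), groups them by FilterName/LayerName, and reports the seconds in which a burst occurred. It assumes event ID 5447 for "A Windows Filtering Platform filter has been changed" and the EventData field names FilterName, LayerName, ChangeType, ProviderName and ProcessId; run it from an elevated prompt.

```powershell
# Added example (not the thread's own code): triage "A Windows Filtering Platform
# filter has been changed" floods. Assumes Security event ID 5447 and the
# EventData field names used below.
param(
    [int]$LookbackMinutes = 60,
    [int]$BurstThreshold  = 100   # events within one second that count as a flood
)

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { "No WFP filter-change events since $since"; return }

# Flatten each event's EventData (Name/value pairs) into one object per event.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        ProcessId  = [int]$d['ProcessId']
        Provider   = $d['ProviderName']
        ChangeType = $d['ChangeType']
        FilterName = $d['FilterName']
        LayerName  = $d['LayerName']
    }
}
"Total: $($rows.Count) filter-change events in the last $LookbackMinutes min"

# 1. Which process and WFP provider issued the changes?
$rows | Group-Object ProcessId, Provider | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Map each issuing PID to the services it currently hosts (svchost case).
#    ($pid is a PowerShell automatic variable, so a different name is used.)
foreach ($procId in ($rows.ProcessId | Sort-Object -Unique)) {
    $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $procId").Name -join ', '
    "PID $procId hosts: $svcs"
}

# 3. Which filters and layers churn the most, and are they adds or deletes?
$rows | Group-Object FilterName, LayerName, ChangeType | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# 4. Bursts: bucket events by second and list the seconds above the threshold.
$rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm:ss') } |
    Where-Object Count -ge $BurstThreshold | Sort-Object Name |
    Select-Object @{ n = 'Second'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

If the burst seconds line up with a single PID whose hosted services include the Base Filtering Engine, the process attribution is complete but the caller is not: any WFP provider (a host firewall or antivirus driver included) reconfigures its filters through BFE, so the ProviderName column is the field that actually separates Windows' own filters from a third-party product's.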
  3. MattJN

    MattJN Former ESET Support Rep

    Joined:
    Feb 19, 2010
    Posts:
    149
    Hello,

    Does your ESET antivirus installation seem to have all modules running and is the protection status showing maximum protection?

    If so, please try increasing the logging on the client to diagnostic level by opening the GUI, press F5 for advanced setup, then on the left locate Tools > Log files, then click to highlight Log files. Adjust the minimum logging verbosity to Diagnostic records, then click ok. Watch for a flood of the messages into your security event log, then open the events log in the NOD32 GUI to see if there is any information logged there.

    Have you tried an uninstall/reinstall of EAV to see if that makes a difference?
     
  4. Xarx

    Xarx Registered Member

    Joined:
    Dec 12, 2010
    Posts:
    14
    I've turned on the NOD32 diagnostic logging, and waited till the "flooding" occurred again several times. Unfortunately, there are no records in the NOD32 log that correspond to the "A Windows Filtering Platform filter has been changed" events. :( Does this exclude NOD32 as a source of the troubles? As I mentioned earlier, the "Base Filtering Engine" seems to me the most probable source of the events, but the "Windows Firewall" service might be the source as well.

    Any idea?

    Thank you,
    Martin.

    EDIT: I didn't try to reinstall the antivirus as this is not a computer of mine, so I do not own the licence. However, I turned off the e-mail and web modules of NOD32, but the flooding didn't stop. Is the module turn-off sufficient to completely disable all module activities, even those not related to communication monitoring?
     
    Last edited: Jan 6, 2011
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    You can export the settings to a .xml file before you reinstall. That way you won't have to worry about the license.

    Jim
     