Type: Failure Audit
The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
Process identifier: 3608
User account: myusername
User domain: mydomainname
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1158
User notified: No.
I have seen posts for this issue that recommend turning off your firewall or your failure audit policy. Following that advice will just blind you to the symptoms of the issue. Look at the cause; this event is telling you that something is unexpectedly listening on your computer. Look at the individual message; it will identify four important items: process name/path, process id, port, and protocol. The first thing to be concerned about is if the host has been compromised, so run scans (offline preferably) looking for viruses and malware. If you are clean, then determine if the listening process is valid for the host. In the case of LSASS, if you are sharing objects (files, printers, etc.) then make sure you have all the latest Microsoft patches (specifically MS04-011), run a vulnerability scan to be sure (try Foundstone DSScan), and if you are all clean, then make the listening program an exception in your Windows-based firewall. The same process is valid for any of the other 861 messages; inspect your host, evaluate the listening process, double check OS patches, then either disable the listening process or make the appropriate entry in your firewall to allow it to do the job it is listening for. Please do not turn off your firewall or auditing policies (especially failures); they are there for a reason.
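An added example (not from this page or from EventID.Net) of the triage the comment above describes: a Windows PowerShell 5.1 script that pulls event 861 from the Security log, extracts the path, process id, protocol and port from each message, and summarises them against a list of listeners you expect on the host. The allow-list contents are a constructed placeholder to adapt per host.

```powershell
# Added example: summarise Windows Firewall event 861 for triage.
# Assumes Windows PowerShell 5.1 (Get-EventLog) and read access to the Security log.
# Constructed placeholder allow-list: replace with the listeners expected on this host.
$expectedListeners = @(
    'C:\WINDOWS\system32\lsass.exe',
    'C:\WINDOWS\system32\svchost.exe'
)

# Pull the named fields out of one event 861 message body.
function Parse-Event861Message {
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^(Path|Process identifier|IP protocol|Port number|User account|RPC server):\s*(.+?)\.?\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

# Filter on EventID rather than InstanceId so audit-event qualifier bits do not matter.
$events = Get-EventLog -LogName Security -Newest 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 861 }

$rows = foreach ($e in $events) {
    $f = Parse-Event861Message -Message $e.Message
    [pscustomobject]@{
        Time     = $e.TimeGenerated
        Path     = $f['Path']
        ProcId   = $f['Process identifier']
        Protocol = $f['IP protocol']
        Port     = $f['Port number']
        Expected = ($expectedListeners -contains $f['Path'])
    }
}

# One line per distinct listener; unexpected paths sort to the top, busiest first.
$rows |
    Group-Object Path, Protocol, Port |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count     = $_.Count
            Path      = $first.Path
            Protocol  = $first.Protocol
            Port      = $first.Port
            Expected  = $first.Expected
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        }
    } |
    Sort-Object @{Expression='Expected'; Descending=$false}, @{Expression='Count'; Descending=$true} |
    Format-Table -AutoSize
```

Paths that show up with Expected = False are the ones to check against the host's role and patch level before deciding between removing the listener and adding a firewall exception.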
I have had the same problem on a Windows XP installation. However, I found the solution recommended by Peter Colsch too tough. Windows XP uses the same service for the firewall and for the Internet Connection Sharing as well. Stopping and disabling this service means the ICS will not operate at all. In addition, the real reason for this 861 event flood is not solved. The Firewall/ICS service can be run even if the firewall is switched off by the appropriate Control Panel applet. This has nothing to do with the event flood in reality.
The real reason hides in the audit policy settings. In the installation I am using, the audit policy was set to the default settings. A couple of days ago I entered the computer into a domain. The domain policy, however, had a different audit policy setting. The "Audit Process Tracking" was switched on to "Failure" to record everything in the case of a failure. From the moment when I made my installation a member of that domain, the event log was dumped with tons of events 861 saying "The Windows Firewall has detected an application listening for incoming traffic". The incoming traffic was in most cases the Local Security Authority Service (lsass.exe), sometimes the SQL Manager (sqlmangr.exe) or the svchost itself. It does not matter "who" that guy making this incoming traffic is; it was not significant. The only solution to eliminate this event flood was to switch off the "Audit Process Tracking" audit policy in the domain. It means I have set its value back to the default setting.
Even though the Windows XP firewall is "turned off", the service is still running. If your security auditing policy includes auditing of failures for "audit process tracking", your security event logs will be filling up quickly. If you want the events to go away, the only solutions I have found so far are to turn off the auditing or to stop the Windows Firewall/ICS service. Go to Start -> Run -> services.msc. Find Windows Firewall in the list, double-click on it, set "Startup type" to "Disabled", and press Stop if it is running.
Links: Foundstone DSScan