What is the cause of Audit Failure errors on SharePoint servers from Process Name:      C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin\ccSvcHst.exe

Auditing Failure:

On all SharePoint 2013 servers, the error below appears in the Security section of Event Viewer nearly 50,000 times.

What is the cause of this error, and how can we solve it so that it does not come again? We have Symantec antivirus installed on our servers.

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          9/1/2015 10:59:48 AM

Event ID:      4673

Task Category: Sensitive Privilege Use

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      PortalBI.portal.com

Description:

A privileged service was called.

Subject:

                Security ID:                            PORTAL\spadmin

                Account Name:                     spadmin

                Account Domain:                 PORTAL

                Logon ID:                               0xE8A61B

Service:

                Server:    Security

                Service Name:       -

Process:

                Process ID:             0x3470

                Process Name:      C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Bin\ccSvcHst.exe

Service Request Information:

                Privileges:                              SeTcbPrivilege

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4673</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>13056</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2015-09-01T07:59:48.322800600Z" />

    <EventRecordID>19634466</EventRecordID>

    <Correlation />

    <Execution ProcessID="568" ThreadID="576" />

    <Channel>Security</Channel>

    <Computer>PortalBI.portal.com</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="SubjectUserSid">S-1-5-21-681022615-1803309023-368063384-1312</Data>

    <Data Name="SubjectUserName">spadmin</Data>

    <Data Name="SubjectDomainName">PORTAL</Data>

    <Data Name="SubjectLogonId">0xe8a61b</Data>

    <Data Name="ObjectServer">Security</Data>

    <Data Name="Service">-</Data>

September 1st, 2015 9:00am

It seems that the Symantec Endpoint Protection process ccSvcHst.exe is trying to access portalbi.portal.com and getting access denied, resulting in audit failure events.

Have you set exclusions on the SP servers as recommended by Microsoft?

Hope this helps.

 
September 1st, 2015 12:49pm

Hi Adil,

I am Chetan Savade from Symantec Technical Support Team.

You are using the Symantec Endpoint Protection (SEP RU4 MP1) version. The problem you mentioned is a known issue with the previous release; see the details below:

Issue: Windows security log contains multiple entries for ccsvchst.exe Event ID 4673

Fix ID: 3403807

Symptom: After you enable an audit security settings policy, ccSvcHst.exe logs multiple warnings with Event ID 4673 in Windows security event logs.

Solution: Modified the product to use a security identifier (SID) to check for process permissions.

This issue has been fixed in the SEP 12.RU5 version; here is the reference article: http://www.symantec.com/docs/TECH224706

SEP 12.1 RU6 MP1a is the latest release. I would recommend upgrading to the latest version of SEP on the affected machine.

Best Regards,
Chetan
September 2nd, 2015 9:10am
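To confirm which process, privilege and account produce the bulk of the 4673 Audit Failure entries (for instance before and after the SEP upgrade discussed above), the following added example, which is not part of the original thread, tallies failed events from exported event XML. The sample events are constructed; `PrivilegeList` and `ProcessName` are the standard EventData field names for event 4673, and `0x0010000000000000` is the Audit Failure keyword bit.

```python
import ntpath
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x0010000000000000  # keyword bit set on failed audits

def summarize_4673_failures(xml_events):
    """Count failed 4673 events per (process, privileges, account)."""
    counts = Counter()
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4673":
            continue
        keywords = int(root.findtext("e:System/e:Keywords", namespaces=NS), 16)
        if not keywords & AUDIT_FAILURE:
            continue  # audit success, not part of the failure flood
        # Collapse whitespace: PrivilegeList may hold several names on separate lines.
        data = {d.get("Name"): " ".join((d.text or "").split())
                for d in root.iterfind("e:EventData/e:Data", NS)}
        account = data.get("SubjectDomainName", "?") + "\\" + data.get("SubjectUserName", "?")
        process = ntpath.basename(data.get("ProcessName", "?")).lower()
        counts[(process, data.get("PrivilegeList", "?"), account)] += 1
    return counts

# Constructed sample events (not real log data), reduced to the fields used above.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>{eid}</EventID><Keywords>{kw}</Keywords></System>'
    '<EventData><Data Name="SubjectUserName">spadmin</Data>'
    '<Data Name="SubjectDomainName">PORTAL</Data>'
    '<Data Name="PrivilegeList">{priv}</Data>'
    '<Data Name="ProcessName">{proc}</Data></EventData></Event>'
)
SEP = (r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection"
       r"\12.1.4100.4126.105\Bin\ccSvcHst.exe")
FAIL, OK = "0x8010000000000000", "0x8020000000000000"
SAMPLE_EVENTS = (
    [TEMPLATE.format(eid=4673, kw=FAIL, priv="SeTcbPrivilege", proc=SEP)] * 3
    + [TEMPLATE.format(eid=4673, kw=OK, priv="SeTcbPrivilege",
                       proc=r"C:\Windows\System32\lsass.exe")]
    + [TEMPLATE.format(eid=4673, kw=FAIL, priv="SeBackupPrivilege",
                       proc=r"C:\Example\backup.exe")]  # hypothetical process
    + [TEMPLATE.format(eid=4624, kw=FAIL, priv="-", proc="-")]  # other event ID
)

if __name__ == "__main__":
    for key, n in summarize_4673_failures(SAMPLE_EVENTS).most_common():
        print(n, *key)
```

A count that stays near zero for `ccsvchst.exe` after the upgrade indicates the fix took effect; remaining entries point at other processes worth reviewing separately.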

@Do you have set exclusions on SP servers as recommended by Microsoft?

What are the recommendations for this? Can you provide those details or any TechNet article describing this?


September 2nd, 2015 12:26pm

@Chetan Savade

If we upgrade to the latest version, will this issue be solved, without setting exclusions on the SharePoint servers?

September 2nd, 2015 12:27pm

I believe after an upgrade it should resolve this issue. SEP creates the necessary exclusions for Windows & Exchange servers; for SharePoint I could find this Microsoft document: https://support.microsoft.com/en-us/kb/952167
September 3rd, 2015 8:27am

You should be adding exclusions for SP servers. This is not just to remove this error, but it will help in improving performance.
September 3rd, 2015 9:05am

Please refer to the following article by Microsoft: https://support.microsoft.com/en-us/kb/952167

Hope this helps.

September 4th, 2015 3:19am

This topic is archived. No further replies will be accepted.
