Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
I noticed event ID 5156 is filling up my event logs. It logs one or two of these events literally every 2-3 seconds. Now my security logs are useless. I run SEP 11, which takes control of the Windows firewall as well as using its own firewall. I googled and found that anti-virus software can be responsible for this behavior (like McAfee) and saw how I could disable logging of this event with auditpol.
My question is: how can I be sure that this is my anti-virus software doing this? I can't see anywhere in the log itself something that would link this to my antivirus product. The source address listed is always the broadcast address of my subnet and the destination is any computer I make ANY network connection to (file servers, DCs, etc.).
Here is what I am seeing:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: mybroadcast.address.for.subnet
Source Port: 137
Destination Address: IP.of.destination.PC
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
I haven't really found too much info on event ID 5156, or at least info I can make that much sense of. Would I ever really need this event to be logged? And why would my anti-virus software cause so many of these events?
June 16th, 2011 8:54am
I don't know why I didn't think of this before, but I just disabled my AV software and this is still happening.
Is there possibly some auditing setting for windows firewall I might have turned on?
June 17th, 2011 11:21am
Hi,
This would be caused by the following Security Auditing policy:
Audit Filtering Platform Connection
Hope it helps.
Alex Zhao
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 20th, 2011 6:12am
This didn't really answer the question. I am getting the same thing, but I'm wondering how to determine what it means by System, as there are no services associated with System, and why both source and destination ports are 137. How can we determine what process or service is creating these logs with this information? Thanks.
June 21st, 2012 3:18pm
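An added example, not posted by anyone in this thread, that answers the triage question both posters raise: it parses 5156 message bodies in the layout quoted above and tallies them by application, direction and protocol/port, flagging entries where PID 4 / System accepted traffic whose source is the subnet broadcast address. Protocol 17 is UDP and port 137 is the NetBIOS name service, which Windows handles in the kernel (NetBT driver), so such entries are attributed to System rather than to a user-mode service or the AV product. The sample events, the subnet 192.0.2.0/24 and the svchost.exe path are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed 5156 bodies in the layout quoted in the thread (not the poster's real logs).
TEMPLATE = """The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: {pid}
Application Name: {app}
Network Information:
Direction: {direction}
Source Address: {src}
Source Port: {sport}
Destination Address: {dst}
Destination Port: {dport}
Protocol: {proto}
Layer Name: Receive/Accept"""
SVCHOST = r"\device\harddiskvolume1\windows\system32\svchost.exe"   # hypothetical second process
NETBIOS = TEMPLATE.format(pid=4, app="System", direction="Inbound", src="192.0.2.255",
                          sport=137, dst="192.0.2.10", dport=137, proto=17)
DNS = TEMPLATE.format(pid=1234, app=SVCHOST, direction="Outbound", src="192.0.2.10",
                      sport=51000, dst="192.0.2.1", dport=53, proto=17)
SAMPLES = [NETBIOS, NETBIOS, DNS]   # two NetBIOS name-service broadcasts, one DNS lookup
PROTO = {6: "TCP", 17: "UDP"}                                          # IANA protocol numbers
PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 445: "SMB", 53: "DNS"}  # well-known services

def parse_5156(message):
    """Return the 'Label: value' fields of one 5156 message body as a dict."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /-]*?):\s+(\S.*?)\s*$", line)
        if m:                       # section headers like 'Network Information:' carry no value
            fields[m.group(1)] = m.group(2)
    return fields

def is_kernel_broadcast(ev, subnet):
    """True when PID 4 / System accepted traffic whose source is the subnet broadcast address."""
    bcast = ipaddress.ip_network(subnet).broadcast_address
    return (ev["Process ID"] == "4" and ev["Application Name"] == "System"
            and ipaddress.ip_address(ev["Source Address"]) == bcast)

def summarize(messages, subnet):
    """Count events by application, direction, protocol/port and the kernel-broadcast flag."""
    counts = Counter()
    for ev in map(parse_5156, messages):
        port = int(ev["Destination Port"])
        proto = PROTO.get(int(ev["Protocol"]), ev["Protocol"])
        counts[(ev["Application Name"], ev["Direction"], f"{proto}/{port} {PORTS.get(port, '?')}",
                is_kernel_broadcast(ev, subnet))] += 1
    return counts
```

Run it over message bodies exported from the Security log to see whether the volume is dominated by the System/Inbound/UDP 137 broadcast key; if so, the noise is the Filtering Platform Connection audit subcategory recording ordinary NetBIOS name-service traffic, not the AV product.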