Firewall Events and Other 800-series Events...
Posted 3/5/2012 4:29:17 AM
Forum Newbie
Group: Forum Members
Last Login: 8/22/2014 9:32:17 AM
Posts: 7, Visits: 12
Have you any data on Events 849, 850, 852, 855, 858, and 860? These events appear to be related to the firewall and network.

Any assistance would be appreciated.
Post #954
Posted 3/5/2012 8:18:19 PM
Forum Newbie
Group: Forum Members
Last Login: 8/22/2014 9:32:17 AM
Posts: 7, Visits: 12
whsmith (3/5/2012)
Yes, an explanation of these events can be found in the encyclopedia. For example, event ID 849 is at http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=849


Thank you, whsmith. I misspoke on events 849 and 850--they are present. However, the others that I mentioned, 851, 852, 855, and 858, are not. Yet they appear to be valid Security event IDs.

Suggestions?

Comment(s) from the site's content manager are welcome as well.
Post #961
Posted 3/10/2012 8:49:05 PM
Forum Newbie
Group: Forum Members
Last Login: 8/22/2014 9:32:17 AM
Posts: 7, Visits: 12
whsmith (3/8/2012)
Event 852 can be found at http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=852

We did find some documentation of the other events at http://technet.microsoft.com/en-us/library/bb457029.aspx (XP SP 2 is no longer supported.) Have you actually seen these events?

Thanks for the TechNet link--very helpful.

Yes, I have examples of several of these, listed below, that you may add to your database. The event descriptions at the TechNet link that you provided are somewhat consistent and add clarity to the example events.

You will see a short event description for each, followed by event data in XML, since "Friendly" view wasn't so friendly. All of these examples come from one Security Event Log from a compromised system. Note: Of 275,202 entries, event 858 constituents comprise over 90% of the total events contained in the log. No examples of 853 or 861 are present.

If you believe any of these events, in particular, warrant further scrutiny from a security standpoint by virtue of their presence, please, feel free to point them out.

Thank you, again, for your help.

849 - A rule was listed when the Windows Firewall started:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">849</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-16T06:13:17.000000000Z" />
    <EventRecordID>248909</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Local Policy</Data>
    <Data>Domain</Data>
    <Data>Network Diagnostics for Windows XP</Data>
    <Data>%windir%\Network Diagnostic\xpnetdiag.exe</Data>
    <Data>Enabled</Data>
    <Data>All subnets</Data>
  </EventData>
</Event>

850 - A change has been made to Windows Firewall exception list. A rule was added:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">850</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-15T06:08:20.000000000Z" />
    <EventRecordID>189837</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Local Policy</Data>
    <Data>Domain</Data>
    <Data>All interfaces</Data>
    <Data>Windows Remote Management</Data>
    <Data>5985</Data>
    <Data>TCP</Data>
    <Data>Disabled</Data>
    <Data>All subnets</Data>
  </EventData>
</Event>

851 - A change has been made to Windows Firewall exception list. A rule was modified:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">851</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2009-01-27T07:08:19.000000000Z" />
    <EventRecordID>32601</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Local Policy</Data>
    <Data>Domain</Data>
    <Data>Remove</Data>
    <Data>-</Data>
    <Data>-</Data>
    <Data>-</Data>
    <Data>-</Data>
    <Data>McAfee Framework Service</Data>
    <Data>C:\Program Files\McAfee\Common Framework\FrameworkService.exe</Data>
    <Data>Disabled</Data>
    <Data>All subnets</Data>
  </EventData>
</Event>

852 - A change has been made to Windows Firewall exception list. A rule was deleted:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">852</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-30T06:09:07.000000000Z" />
    <EventRecordID>195366</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Group Policy</Data>
    <Data>Domain</Data>
    <Data>All interfaces</Data>
    <Data>Modify</Data>
    <Data>Remote Desktop</Data>
    <Data>3389</Data>
    <Data>TCP</Data>
    <Data>Enabled</Data>
    <Data>All subnets</Data>
    <Data>Remote Desktop</Data>
    <Data>3389</Data>
    <Data>TCP</Data>
    <Data>Disabled</Data>
    <Data>All subnets</Data>
  </EventData>
</Event>

854 - A Windows Firewall setting has changed:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">854</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2009-06-23T06:09:41.000000000Z" />
    <EventRecordID>78418</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Group Policy</Data>
    <Data>Domain</Data>
    <Data>Enabled</Data>
    <Data>Enabled</Data>
    <Data>Disabled</Data>
    <Data>Disabled</Data>
  </EventData>
</Event>

855 - A rule has been ignored because its major version number was not recognized by Windows Firewall:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">855</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-07-02T06:19:33.000000000Z" />
    <EventRecordID>205059</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Group Policy</Data>
    <Data>Standard</Data>
    <Data>All interfaces</Data>
    <Data>Allow incoming echo request</Data>
    <Data>Disabled</Data>
    <Data>Enabled</Data>
  </EventData>
</Event>

856 - A rule has been partially ignored because its minor version number was not recognized by Windows Firewall:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">856</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-13T07:13:47.000000000Z" />
    <EventRecordID>167815</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Group Policy</Data>
    <Data>Domain</Data>
    <Data>Disabled</Data>
    <Data>Enabled</Data>
  </EventData>
</Event>

857 - A rule has been rejected by Windows Firewall:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">857</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-09-28T06:10:12.000000000Z" />
    <EventRecordID>233727</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Group Policy</Data>
    <Data>Standard</Data>
    <Data>Disabled</Data>
    <Data>Enabled</Data>
  </EventData>
</Event>

858 - The Windows Firewall group policy settings have been removed:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">858</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2009-09-01T07:50:34.000000000Z" />
    <EventRecordID>100953</EventRecordID>
    <Channel>C:\INC165072 - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001501158</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData />
</Event>

859 - The Windows Firewall group policy settings have been removed:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">859</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2010-03-13T07:13:46.000000000Z" />
    <EventRecordID>167799</EventRecordID>
    <Channel>C:\Ixxxxx - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001xxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData />
</Event>

860 - The Windows Firewall has switched the active policy profile:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">860</EventID>
    <Level>0</Level>
    <Task>6</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2009-04-28T06:09:49.000000000Z" />
    <EventRecordID>60608</EventRecordID>
    <Channel>C:\INC165072 - DOC\Export\Event Logs\SecEvent.Evt</Channel>
    <Computer>CD0001501158</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>Domain</Data>
  </EventData>
</Event>
Post #966
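As an added example (not code from the thread or from the site), a small Python triage script for exports in the shape posted above: it parses the Event/System/EventData structure, counts events per ID (the kind of ratio the post reports for 858), and lists exception-list changes whose policy origin is "Local Policy" rather than "Group Policy", which on a domain-managed host are the first ones worth reviewing. The sample events are constructed, and the EventData field order assumed for 850/851/852 (policy origin first, rule name at index 3, port at index 4) is taken from the TechNet descriptions rather than stated in the post.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RULE_CHANGE_IDS = {850, 851, 852}  # exception list: added / modified / deleted

# Constructed sample export (not the poster's data): a rule added under Local
# Policy, one added under Group Policy, and two 858 (GP settings removed).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID Qualifiers="0">850</EventID><TimeCreated SystemTime="2010-05-15T06:08:20Z"/></System>
 <EventData><Data>Local Policy</Data><Data>Domain</Data><Data>All interfaces</Data><Data>Windows Remote Management</Data><Data>5985</Data><Data>TCP</Data><Data>Disabled</Data><Data>All subnets</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID Qualifiers="0">850</EventID><TimeCreated SystemTime="2010-05-30T06:09:07Z"/></System>
 <EventData><Data>Group Policy</Data><Data>Domain</Data><Data>All interfaces</Data><Data>Remote Desktop</Data><Data>3389</Data><Data>TCP</Data><Data>Enabled</Data><Data>All subnets</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID Qualifiers="0">858</EventID><TimeCreated SystemTime="2009-09-01T07:50:34Z"/></System><EventData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID Qualifiers="0">858</EventID><TimeCreated SystemTime="2009-09-01T07:50:35Z"/></System><EventData/></Event>
</Events>"""

def parse_events(xml_text):
    """Return (event_id, SystemTime, [Data strings]) for each Event in an export."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]
        events.append((eid, when, data))
    return events

def id_histogram(events):
    """Events per ID: shows a flood such as the poster's 90% of 858 at a glance."""
    return Counter(eid for eid, _, _ in events)

def local_rule_changes(events):
    """Exception-list changes (850/851/852) whose policy origin is Local Policy
    rather than Group Policy; on a domain-managed host review these first.
    Field positions (origin at 0, name at 3, port at 4) are an assumption taken
    from the TechNet descriptions, not something the post states."""
    hits = []
    for eid, when, data in events:
        if eid in RULE_CHANGE_IDS and data and data[0] == "Local Policy":
            name = data[3] if len(data) > 3 else "?"
            port = data[4] if len(data) > 4 else "?"
            hits.append((eid, when, name, port))
    return hits
```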
Posted 3/13/2012 3:04:49 AM
Forum Newbie
Group: Forum Members
Last Login: 8/22/2014 9:32:17 AM
Posts: 7, Visits: 12
My thoughts exactly... I have considered, and am still investigating, possible malicious artifacts as well as Group Policy activity to determine, if possible, which is more likely.

Thanks for your help.
Post #970
Posted 11/8/2012 11:11:10 PM
Forum Newbie
Group: Forum Members
Last Login: 11/8/2012 11:09:32 PM
Posts: 1, Visits: 0
Thanks for the full set of samples. You can also change the group policy along with the settings.

__________________
Windows 7 Firewall Settings
Post #1138