False positives are returned for the User Account Enabled rule in VigilEnt Security Agent for Windows (NETIQKB31584)

  • 7731584
  • 02-Feb-2007
  • 12-Nov-2007

Resolution

fact
VigilEnt Security Agent for Windows 2.2

fact
VigilEnt Security Agent for Windows 3.0

fact
VigilEnt Security Agent for Windows 3.1

fact
VigilEnt Security Agent for Windows 3.2

fact
VigilEnt Security Agent for Windows 4.0

symptom
False positives are returned for the User account enabled rule in VigilEnt Security Agent for Windows Detect.

cause

The User Account Enabled rule is set up by default to alert on the following:

  • Logname equal to Security
  • messageID equal to 626 OR 642 (626 is the Windows User Account Enabled event; 642 is the User Account Changed event)

This alert triggers whenever both criteria are met, for any account and regardless of which action caused the 626 or 642 event to be written to the Security Event Log. The rule therefore fires for every account that is enabled or changed, not only for the accounts you want to monitor, and those extra alerts appear as false positives.



fix

To alert only on a specific account (or to exclude one), complete the following steps:

  1. Open the VigilEnt Security Agent for Windows Detect GUI.

  2. Double-click the User Account Enabled rule and expand it.

  3. Double-click the Generic Condition, which will open the Condition Tree Frame window.

  4. Right-click the And box and select Add Comparison.

  5. Under Event Field, select Message.

  6. Under Operation, select Match.

  7. In the Compare to String box, type the user name exactly as it appears in Windows.

  8. Select the Negate check box to not alert for this user, or leave it unchecked to alert for this user.

  9. Select Add at the bottom of the box.

  10. Select the disk (Save) icon at the top of the VigilEnt Security Agent for Windows Detect GUI to save the rule.


    Example: To alert only when the Guest account is enabled, add the following comparison to the default rule.

    - AND

    message ~= Guest

    The rule will then also look in the Message field for the string 'Guest' and alert only when it is found. Because the message text is searched for the string, type the account name exactly as Windows writes it, and confirm that the string does not also occur in other account names or elsewhere in the event message on your systems, or those events will alert as well. Select Negate instead to suppress alerts for that account while keeping alerts for all others.
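The following is an added example that is not part of this article or of VigilEnt Security Agent for Windows. It models the rule above as the same condition tree (an AND node holding the Logname and messageID comparisons plus the added Message comparison with an optional Negate) and runs it over constructed Security log events, so you can see the default rule alert on every 626/642 event and the narrowed rule alert only on the chosen account. The field names, the rule classes and the substring semantics of the Match operation are assumptions for illustration, not the product's API.

```python
# Added example, not code from the NetIQ KB article or from VigilEnt Security
# Agent for Windows. Models the Detect "User Account Enabled" rule as a
# condition tree and runs it over constructed events. Field names, the rule
# classes and the substring semantics of "match" are assumptions.
from dataclasses import dataclass, field


@dataclass
class Event:
    logname: str
    message_id: int
    message: str


@dataclass
class Comparison:
    """One leaf of the condition tree: <field> <op> <value>, optionally negated."""
    event_field: str
    operation: str          # "equal" or "match" (substring match is assumed)
    compare_to: object
    negate: bool = False

    def evaluate(self, event: Event) -> bool:
        value = getattr(event, self.event_field)
        if self.operation == "equal":
            result = value == self.compare_to
        elif self.operation == "match":
            result = str(self.compare_to) in str(value)
        else:
            raise ValueError(f"unknown operation {self.operation!r}")
        return (not result) if self.negate else result


@dataclass
class Condition:
    """An AND/OR node whose children are Comparisons or nested Conditions."""
    operator: str            # "and" or "or"
    children: list = field(default_factory=list)

    def evaluate(self, event: Event) -> bool:
        results = [child.evaluate(event) for child in self.children]
        return all(results) if self.operator == "and" else any(results)


def default_rule() -> Condition:
    """Logname equal to Security AND (messageID equal to 626 OR 642)."""
    return Condition("and", [
        Comparison("logname", "equal", "Security"),
        Condition("or", [
            Comparison("message_id", "equal", 626),
            Comparison("message_id", "equal", 642),
        ]),
    ])


def account_rule(account: str, negate: bool = False) -> Condition:
    """Default rule plus the added comparison: Message match <account>, with Negate."""
    rule = default_rule()
    rule.children.append(Comparison("message", "match", account, negate=negate))
    return rule


def alerts(rule: Condition, events: list) -> list:
    """Return the message of every event that satisfies the rule."""
    return [e.message for e in events if rule.evaluate(e)]


# Constructed sample events, not real log data. 626 is User Account Enabled,
# 642 is User Account Changed, 629 is User Account Disabled.
SAMPLE_EVENTS = [
    Event("Security", 626, "User Account Enabled: Target Account Name: Guest"),
    Event("Security", 642, "User Account Changed: Target Account Name: jsmith"),
    Event("Security", 626, "User Account Enabled: Target Account Name: svc_backup"),
    # Contains "Guest" as a substring, so a plain match on "Guest" also fires here.
    Event("Security", 642, "User Account Changed: Target Account Name: GuestBookSvc"),
    Event("Security", 629, "User Account Disabled: Target Account Name: Guest"),
    Event("Application", 626, "Unrelated application event with ID 626"),
]

if __name__ == "__main__":
    print("default rule:", alerts(default_rule(), SAMPLE_EVENTS))
    print("Guest only:  ", alerts(account_rule("Guest"), SAMPLE_EVENTS))
    print("not Guest:   ", alerts(account_rule("Guest", negate=True), SAMPLE_EVENTS))
```

The default rule returns all four Security 626/642 events, which is the false-positive behaviour described above; the Guest rule returns only the events whose message contains 'Guest', and the negated rule returns the rest. The GuestBookSvc event shows why the account name should be chosen so it does not occur inside other names on your systems.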



Additional Information

Formerly known as NETIQKB31584