VigilEnt Security Agent for Windows 2.2
VigilEnt Security Agent for Windows 3.0
VigilEnt Security Agent for Windows 3.1
VigilEnt Security Agent for Windows 3.2
VigilEnt Security Agent for Windows 4.0
False positives are returned for the User account enabled rule in VigilEnt Security Agent for Windows Detect.
By default, the User Account Enabled rule is set up to alert when both of the following are true:
- Logname equal to Security
- messageID equal to 626 OR 642 (which is the message equivalent to Account Enabled)
This alert will trigger whenever all of the criteria above are met, no matter what event caused the 626 or 642 to appear in the Security Event Log.
To alert on a specific account, complete the following steps:
- Open the VigilEnt Security Agent for Windows Detect GUI.
- Double-click the User Account Enabled rule and expand it.
- Double-click the Generic Condition, which will open the Condition Tree Frame window.
- Right-click the And box and select Add Comparison.
- Under Event Field, select Message.
- Under Operation, select Match.
- In the Compare to String box, type the user name exactly as it appears in Windows.
- Select the Negate check box to not alert for this user, or leave it unchecked to alert for this user.
- Select Add at the bottom of the box.
- Select the Disc icon at the top of the VigilEnt Security Agent for Windows Detect GUI to save the rule.
Example: To alert on a Guest account enabled, use the following addition to the default rule.
message ~= Guest
This makes the rule look in the Message field for anything that matches the string 'Guest'.
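The following is an added illustration, not VigilEnt code: a small rule evaluator that models the User Account Enabled rule exactly as described above (Logname equal to Security AND messageID equal to 626 OR 642), then adds the Message Match comparison with and without Negate, so the false positive and the effect of the extra condition can be reproduced on constructed sample events. The event dictionary layout, the treatment of Match as a substring test on the message text, and the sample event messages are all assumptions made for this example.

```python
# Added illustration (not VigilEnt's own code): models the "User Account
# Enabled" rule from the article so its behaviour can be tested offline.
# Assumptions: events are dicts with the keys "logname", "messageID" and
# "message"; the Match operation is treated as a substring search on the
# Message field; all comparisons in a rule are ANDed, as in the And box.

from dataclasses import dataclass, field


@dataclass
class Comparison:
    """One row of the Condition Tree: event field, operation, compare-to, negate."""
    event_field: str
    operation: str        # "equal", "in" (equal to any listed value) or "match"
    compare_to: object
    negate: bool = False

    def test(self, event: dict) -> bool:
        actual = event.get(self.event_field)
        if self.operation == "equal":
            result = actual == self.compare_to
        elif self.operation == "in":
            result = actual in self.compare_to
        elif self.operation == "match":
            # Assumed semantics of Match: substring search in the message text.
            result = str(self.compare_to) in str(actual or "")
        else:
            raise ValueError(f"unknown operation {self.operation!r}")
        # The Negate check box inverts the outcome of this single comparison.
        return (not result) if self.negate else result


@dataclass
class AndRule:
    name: str
    comparisons: list = field(default_factory=list)

    def fires(self, event: dict) -> bool:
        # The And box: every comparison must hold for the rule to alert.
        return all(c.test(event) for c in self.comparisons)

    def with_comparison(self, comparison: Comparison) -> "AndRule":
        return AndRule(self.name, self.comparisons + [comparison])


def default_rule() -> AndRule:
    """The shipped rule: Logname equal to Security AND messageID equal to 626 OR 642."""
    return AndRule("User Account Enabled", [
        Comparison("logname", "equal", "Security"),
        Comparison("messageID", "in", (626, 642)),
    ])


def account_rule(user_name: str, negate: bool = False) -> AndRule:
    """The article's addition: Message Match <user name>, optionally negated."""
    return default_rule().with_comparison(
        Comparison("message", "match", user_name, negate=negate))


def alerting_events(rule: AndRule, events: list) -> list:
    """Return the message text of every event that would raise this rule's alert."""
    return [e["message"] for e in events if rule.fires(e)]


# Constructed sample events (not real log data); the message text is modelled
# on the Security log descriptions that carry event IDs 626 and 642.
SAMPLE_EVENTS = [
    {"logname": "Security", "messageID": 626,
     "message": "User Account Enabled: Target Account Name: Guest"},
    {"logname": "Security", "messageID": 642,
     "message": "User Account Changed: Target Account Name: svc_backup"},
    {"logname": "Security", "messageID": 626,
     "message": "User Account Enabled: Target Account Name: jsmith"},
    {"logname": "Application", "messageID": 626,
     "message": "Application log entry that happens to carry ID 626"},
]

if __name__ == "__main__":
    print("default rule fires on:", alerting_events(default_rule(), SAMPLE_EVENTS))
    print("Guest only:", alerting_events(account_rule("Guest"), SAMPLE_EVENTS))
    print("all but Guest:", alerting_events(account_rule("Guest", negate=True), SAMPLE_EVENTS))
```

Running it shows the default rule alerting on every Security-log 626 or 642 regardless of which account is involved, the `message ~= Guest` addition narrowing the alert to the Guest event, and the same comparison with Negate selected suppressing only that account while still alerting on the others.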