False positives are returned for the User account enabled rule in VigilEnt Security Agent for Window (NETIQKB31584)

  • 7731584
  • 02-Feb-2007
  • 12-Nov-2007

Resolution

fact
VigilEnt Security Agent for Windows 2.2

fact
VigilEnt Security Agent for Windows 3.0

fact
VigilEnt Security Agent for Windows 3.1

fact
VigilEnt Security Agent for Windows 3.2

fact
VigilEnt Security Agent for Windows 4.0

symptom
False positives are returned for the User account enabled rule in VigilEnt Security Agent for Windows Detect.

cause

The User account by default is set up to alert on the following:

  • Logname equal to Security
  • messageID equal to 626 OR 642 (which is the message equivalent to Account Enabled)

This alert will trigger when all of the criteria above are met, no matter what event triggered the 626 or 642 to appear the the Security Event Log.



fix

To alert on a specific account, complete the following steps:

  1. Open the VigilEnt Security Agent for Windows Detect GUI.

  2. Double-click the User Account Enabled rule and expand it.

  3. Double-click the Generic Condition, which will open the Condition Tree Frame window.

  4. Right-click the And box and select Add Comparison.

  5. Under Event Field, select Message.

  6. Under Operation, select Match.

  7. In the Compare to String box, type the user name exactly as it appears in Windows.

  8. Select the Negate check box to not alert for this user, or leave it unchecked to alert for this user.

  9. Select Add at the bottom of the box.

  10. Select the Disc icon at the top of the VigilEnt Security Agent for Windows Detect GUI to save the rule.


    Example: To alert on a Guest account enabled, use the following addition to the default rule.

    - AND

    message ~= Guest

    This will have the rule look in the message field for anything that matches the string, 'Guest'.



Additional Information

Formerly known as NETIQKB31584

Feedback service temporarily unavailable. For content questions or problems, please contact Support.