This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Clear Text Authentication via MgntSvc.exe

Hi,

I could see clear text authentication (logon type 8) with event code 4624 (Logon successful) via Splunk on our server where Sophos central is installed and process name is MgntSvc.exe, might be communicating with management server on timely basis.

Is there anyway Sophos Central can encrypt the password while communicating with management server?

 

Regards,
Tejas



This thread was automatically locked due to age.
Parents Reply Children
  • Hello Tejas,

    how often do you see it?
    I assume SophosManagement is the so-called Database User. I don't really have an idea when this happens or could happen ... or why this is a Network Logon. There are many details in these events and usually you need to know (almost) all of them to understand their meaning.

    Christian

  • Hi Chris,

    It was captured as a part of windows audit logs.

    We have implemented a use case in Splnuk to capture eventID with specific network logon (for this process, it is 8 means clear text authentication). The most common types are 2 (interactive) and 3 (network).

    I don't capture any other important parameter in Splunk logs.

    And the frequency of this event is once in a day.

    Also I have a query, whenever communication happens between SEC agent (or whatever term you use where SEC is installed) and management server, what all info will be exchanged?

     

    Regards,

    Tejas 

  • Hello Tejas,

    [disclaimer: I'm not Sophos]
    once in a day
    hm, interesting. As I'm not Sophos I can't tell what SEC is doing. Support might be able to tell you (and anyway I'll enable auditing and try to capture this event, still inquisitive).

    between SEC agent [...} and management server
    SEC usually refers to the management server and its components, the product is/was called SESC, the managed computers are normally called endpoints (whether server, desktop, or laptop). There's a service calls Sophos Agent that's present on all machines that acts as communication hub but this is likely not what you mean. Are you asking about what information the endpoints, i.e. the computers where Sophos (Anti-Virus, Endpoint Protection, or whatever name is hip) send to the management server?

    Christian

  • Hi Tejas,

    This looks pretty relevant to this part of the KBA on reasons why Management Service wouldn't start. So, the password itself is obfuscated internally by SEC using its obfuscation utility as explained under Technical Information Section of this KBA on the User Accounts used by SEC.  Should you find any anomalies like Password visible as clear text (un obfuscated) then this should do the trick for you, although the password is usually obfuscated and stored in registry already. In case you face any further concerns on the same, please feel free to involve support to further dig into this in detail to understand this behavior! Kindly please open a support case with us using this link.

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.