Clear Text Authentication via MgntSvc.exe

Hi,

I could see clear text authentication (logon type 8) with event code 4624 (logon successful) via Splunk on our server where Sophos Central is installed. The process name is MgntSvc.exe, which might be communicating with the management server on a timely basis.

Is there any way Sophos Central can encrypt the password while communicating with the management server?

Regards,
Tejas

  • Hello Tejas,

    our server where Sophos central is installed
    Central is Central and managed in the Cloud. MgntSvc.exe belongs to the on-premise SESC management server (aka SEC) and the appropriate forum would be Sophos Enterprise Console.
    What's the user that is logging on? The service runs as LOCAL SYSTEM and IIRC it impersonates the database user to access the database.

    Christian

  • Thanks Chris for the information.

Yes, it was LOCAL SYSTEM only; no user is involved in this process log.

    EventCode=4624
    AccountName=SophosManagement

    Regards,

    Tejas

  • Hello Tejas,

    How often do you see it?
    I assume SophosManagement is the so-called Database User. I don't really have an idea when this happens or could happen ... or why this is a Network Logon. There are many details in these events and usually you need to know (almost) all of them to understand their meaning.

    Christian

  • Hi Chris,

    It was captured as part of the Windows audit logs.

    We have implemented a use case in Splunk to capture the event ID with a specific network logon (for this process it is type 8, which means clear text authentication). The most common types are 2 (interactive) and 3 (network).

    I don't capture any other important parameters in the Splunk logs.

    The frequency of this event is once a day.

    Also, I have a query: whenever communication happens between the SEC agent (or whatever term you use for where SEC is installed) and the management server, what information is exchanged?

    Regards,

    Tejas 
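
The Splunk use case described above (flag 4624 events whose logon type is 8 and report the account and process), written out as a small Python filter over constructed 4624 event bodies. This is an added example, not code from the thread or from Sophos; the sample events and the MgntSvc.exe path in them are constructed placeholders.

```python
import re
from typing import Dict, List

# Logon type values as Windows writes them in event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample events (not real captured logs). Field names follow
# the 4624 message body; the MgntSvc.exe path is a placeholder.
SAMPLE_EVENTS = [
    "EventCode=4624\nLogon Type:\t\t8\nAccount Name:\t\tSophosManagement\n"
    "Process Name:\t\tC:\\Sophos\\MgntSvc.exe\nSource Network Address:\t\t127.0.0.1",
    "EventCode=4624\nLogon Type:\t\t3\nAccount Name:\t\tbackup-svc\n"
    "Process Name:\t\t-\nSource Network Address:\t\t10.0.0.7",
    "EventCode=4624\nLogon Type:\t\t2\nAccount Name:\t\talice\n"
    "Process Name:\t\tC:\\Windows\\System32\\winlogon.exe\nSource Network Address:\t\t-",
]

# One "Field Name:<whitespace>value" per line.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", re.M)


def parse_4624(text: str) -> Dict[str, str]:
    """Turn the message body of a 4624 event into a flat dict."""
    fields = dict(FIELD_RE.findall(text))
    code = re.search(r"EventCode=(\d+)", text)
    fields["EventCode"] = code.group(1) if code else ""
    return fields


def find_cleartext_logons(events: List[str]) -> List[Dict[str, str]]:
    """Return 4624 events whose logon type is 8 (NetworkCleartext)."""
    hits = []
    for text in events:
        ev = parse_4624(text)
        if ev.get("EventCode") != "4624":
            continue
        ltype = int(ev.get("Logon Type") or 0)
        if ltype != 8:
            continue
        hits.append({
            "account": ev.get("Account Name", ""),
            "process": ev.get("Process Name", ""),
            "source": ev.get("Source Network Address", ""),
            "logon_type": LOGON_TYPES.get(ltype, str(ltype)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_cleartext_logons(SAMPLE_EVENTS):
        print(hit)
```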

  • Hello Tejas,

    [disclaimer: I'm not Sophos]
    once in a day
    hm, interesting. As I'm not Sophos I can't tell what SEC is doing. Support might be able to tell you (and anyway I'll enable auditing and try to capture this event, still inquisitive).

    between SEC agent [...] and management server
    SEC usually refers to the management server and its components; the product is/was called SESC, and the managed computers are normally called endpoints (whether server, desktop, or laptop). There's a service called Sophos Agent that's present on all machines and acts as a communication hub, but this is likely not what you mean. Are you asking about what information the endpoints, i.e. the computers where Sophos (Anti-Virus, Endpoint Protection, or whatever name is hip) is installed, send to the management server?

    Christian
