Clear Text Authentication via MgntSvc.exe

Hello Tejas,

our server where Sophos central is installed
Central is Central and managed in the Cloud. MgntSvc.exe belongs to the on-premise SESC management server (aka SEC) and the appropriate forum would be Sophos Enterprise Console.
What's the user that is logging on? The service runs as LOCAL SYSTEM and IIRC it impersonates the database user to access the database.

Christian

Thanks Chris for the information.

yes it was LOCAL SYSTEM only, user is not involved in this process log.

EventCode=4624

AccountName=SophosManagement 

Regards,

Tejas

Hello Tejas,

how often do you see it?
I assume SophosManagement is the so-called Database User. I don't really have an idea when this happens or could happen ... or why this is a Network Logon. There are many details in these events and usually you need to know (almost) all of them to understand their meaning.

Christian

Hi Chris,

It was captured as a part of windows audit logs.

We have implemented a use case in Splnuk to capture eventID with specific network logon (for this process, it is 8 means clear text authentication). The most common types are 2 (interactive) and 3 (network).

I don't capture any other important parameter in Splunk logs.

And the frequency of this event is once in a day.

Also I have a query, whenever communication happens between SEC agent (or whatever term you use where SEC is installed) and management server, what all info will be exchanged?

Regards,

Tejas 

Hi Chris,

It was captured as a part of windows audit logs.

We have implemented a use case in Splnuk to capture eventID with specific network logon (for this process, it is 8 means clear text authentication). The most common types are 2 (interactive) and 3 (network).

I don't capture any other important parameter in Splunk logs.

And the frequency of this event is once in a day.

Also I have a query, whenever communication happens between SEC agent (or whatever term you use where SEC is installed) and management server, what all info will be exchanged?

Regards,

Tejas 

Hello Tejas,

[disclaimer: I'm not Sophos]
once in a day
hm, interesting. As I'm not Sophos I can't tell what SEC is doing. Support might be able to tell you (and anyway I'll enable auditing and try to capture this event, still inquisitive).

between SEC agent [...} and management server
SEC usually refers to the management server and its components, the product is/was called SESC, the managed computers are normally called endpoints (whether server, desktop, or laptop). There's a service calls Sophos Agent that's present on all machines that acts as communication hub but this is likely not what you mean. Are you asking about what information the endpoints, i.e. the computers where Sophos (Anti-Virus, Endpoint Protection, or whatever name is hip) send to the management server?

Christian

Hi Tejas,

This looks pretty relevant to this part of the KBA on reasons why Management Service wouldn't start. So, the password itself is obfuscated internally by SEC using its obfuscation utility as explained under Technical Information Section of this KBA on the User Accounts used by SEC.  Should you find any anomalies like Password visible as clear text (un obfuscated) then this should do the trick for you, although the password is usually obfuscated and stored in registry already. In case you face any further concerns on the same, please feel free to involve support to further dig into this in detail to understand this behavior! Kindly please open a support case with us using this link.