Clear Text Authentication via MgntSvc.exe

Hi,

I could see clear text authentication (logon type 8) with event code 4624 (Logon successful) via Splunk on our server where Sophos Central is installed, and the process name is MgntSvc.exe; it might be communicating with the management server on a timely basis.

Is there any way Sophos Central can encrypt the password while communicating with the management server?

Regards,
Tejas

  • Hello Tejas,

    our server where Sophos central is installed
    Central is Central and managed in the Cloud. MgntSvc.exe belongs to the on-premise SESC management server (aka SEC) and the appropriate forum would be Sophos Enterprise Console.
    What's the user that is logging on? The service runs as LOCAL SYSTEM and IIRC it impersonates the database user to access the database.

    Christian

  • Hi Tejas Bavara,

    The following KBA would provide some additional information regarding MgntSvc.exe on Sophos Endpoint Security and Control.

    Sophos Enterprise Console: How the Protect Computers Wizard performs an installation on endpoints

    Also, please subscribe to the Endpoint Security and Control group so that I can have this thread moved to it for a better response.

  • In reply to QC:

    Thanks Chris for the information.

    Yes, it was LOCAL SYSTEM only; the user is not involved in this process log.

    EventCode=4624

    AccountName=SophosManagement

    Regards,

    Tejas

  • In reply to Tejas Bavarva:

    Hello Tejas,

    how often do you see it?
    I assume SophosManagement is the so-called Database User. I don't really have an idea when this happens or could happen ... or why this is a Network Logon. There are many details in these events and usually you need to know (almost) all of them to understand their meaning.

    Christian

  • In reply to QC:

    Hi Chris,

    It was captured as part of the Windows audit logs.

    We have implemented a use case in Splunk to capture the event ID with a specific network logon type (for this process it is 8, which means clear text authentication). The most common types are 2 (interactive) and 3 (network).

    I don't capture any other important parameters in the Splunk logs.

    And the frequency of this event is once a day.

    Also, I have a query: whenever communication happens between the SEC agent (or whatever term you use for where SEC is installed) and the management server, what information is exchanged?

    Regards,

    Tejas 
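    As an added example (not code from the thread, from Splunk, or from Sophos), here is the kind of check the use case above performs, run offline over constructed sample lines in the key=value form Splunk shows for Security events: it picks out 4624 events whose LogonType is 8 and summarizes them per account/process and per day, so a reviewer can confirm that the only hits are the expected once-a-day SophosManagement/MgntSvc.exe logon and nothing else. Hostnames and timestamps in the sample are made up.

```python
import re
from collections import Counter

# Windows 4624 logon types discussed in the thread; 8 is the one that means
# credentials crossed the wire in clear text (NetworkCleartext).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext"}

# Constructed sample lines (not real data): only the field names are the
# ones Windows/Splunk actually use, the values and times are invented.
SAMPLE_LOG = """\
2024-05-01T03:00:12 host=SEC01 EventCode=4624 LogonType=8 AccountName=SophosManagement ProcessName=MgntSvc.exe
2024-05-01T09:14:55 host=SEC01 EventCode=4624 LogonType=2 AccountName=jdoe ProcessName=winlogon.exe
2024-05-01T11:02:03 host=SEC01 EventCode=4624 LogonType=3 AccountName=SophosManagement ProcessName=-
2024-05-02T03:00:09 host=SEC01 EventCode=4624 LogonType=8 AccountName=SophosManagement ProcessName=MgntSvc.exe
2024-05-02T14:20:41 host=SEC01 EventCode=4625 LogonType=8 AccountName=svc_backup ProcessName=backup.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one log line into a dict; the leading timestamp becomes 'time'."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    fields["time"] = parts[0]
    return fields

def find_cleartext_logons(log_text):
    """Return successful logons (4624) whose LogonType is 8 (NetworkCleartext).
    Failed logons (4625) with type 8 are deliberately not included here."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("EventCode") == "4624" and ev.get("LogonType") == "8":
            ev["LogonTypeName"] = LOGON_TYPE_NAMES[8]
            hits.append(ev)
    return hits

def summarize(hits):
    """Count hits per (account, process) and per calendar day, so a reviewer
    can see whether the pattern matches the expected once-a-day service logon."""
    by_source = Counter((h["AccountName"], h["ProcessName"]) for h in hits)
    by_day = Counter(h["time"][:10] for h in hits)
    return {"by_source": dict(by_source), "by_day": dict(by_day)}

if __name__ == "__main__":
    found = find_cleartext_logons(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["AccountName"], h["ProcessName"], h["LogonTypeName"])
    print(summarize(found))
```

Any (account, process) pair in by_source other than the known service logon, or more than one hit per day for it, is what would warrant a closer look.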

  • In reply to Tejas Bavarva:

    Hello Tejas,

    [disclaimer: I'm not Sophos]
    once in a day
    hm, interesting. As I'm not Sophos I can't tell what SEC is doing. Support might be able to tell you (and anyway I'll enable auditing and try to capture this event, still inquisitive).

    between SEC agent [...] and management server
    SEC usually refers to the management server and its components; the product is/was called SESC, and the managed computers are normally called endpoints (whether server, desktop, or laptop). There's a service called Sophos Agent that's present on all machines and acts as a communication hub, but this is likely not what you mean. Are you asking about what information the endpoints, i.e. the computers where Sophos (Anti-Virus, Endpoint Protection, or whatever name is hip) is installed, send to the management server?

    Christian

  • In reply to Tejas Bavarva:

    Hi Tejas,

    This looks pretty relevant to this part of the KBA on reasons why the Management Service wouldn't start. So, the password itself is obfuscated internally by SEC using its obfuscation utility, as explained under the Technical Information section of this KBA on the user accounts used by SEC. Should you find any anomalies, like the password visible as clear text (unobfuscated), then this should do the trick for you, although the password is usually obfuscated and stored in the registry already. In case you have any further concerns on the same, please feel free to involve support to dig into this in detail to understand this behavior! Kindly open a support case with us using this link.