Multiple errors recorded in the Security Event logs: Event ID: 560 or 4656
Technical Articles ID:   KB51187
Last Modified:  9/2/2016
Rated:


Environment

McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.

Problem

Audit errors are logged at every MA Policy enforcement in the Windows Security logs:
Event Type:
Failure Audit
Event Source:
Security
Event Category:
Object Access
Event ID:
560
Date:
dd/mm/yyyy
Time:
hh:mm:ss
User:
<User_Name>
Computer:
<Computer_Name>
Description:
 
Object Open:
Object Server:
Object Type:
Object Name:
Handle ID:
Operation ID:
Process ID:
Image File Name:
Primary User Name:
Primary Domain:
Primary Logon ID:
Client User Name:
Client Domain:
Client Logon ID:
Accesses:
 
Privileges:
Restricted Sid Count: 
Access Mask:
 
<Server Name>
 SERVICE OBJECT
 McShield
-
{0,69318563}
616
C:\WINDOWS\system32\services.exe
<UserName>$
<Domain_Name>
(0x0,0x###)
 
<Client_User_Name>
<Client_Domain>
<Client_Logon_ID>
Query status of service 
Pause or continue the service
-
x##
NOTE: In Windows 2008 and later, this event is reported as Event 4656.

Problem

Audit errors are logged during VSE On-Demand Scan in the Windows Security logs:
 
Event Type:
Failure Audit
Event Source:
Security
Event Category:
Object Access
Event ID:
4656
Date:
dd/mm/yyyy
Time:
hh:mm:ss
User:
<User_Name>
Computer:
<Computer_Name>
Description:
 
Object Open:
Object Server:
Object Type:
Object Name:
Handle ID:
 
Process ID:
Process Name:
 
Accesses:



WriteAttributes:
Privileges:
Restricted Sid Count: 
Access Mask:
 
Security
 File
 C:\Boot\en-US\bootmgr.exe.mui
0x0

0x67c
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe

SYNCHRONIZE:
ReadAttributes
WriteAttributes

Not granted


0
0x100180

Solution

This issue where these events are generated during MA policy enforcement was first resolved in VSE 8.8 Patch 2.

This is expected behavior if the same events are generated during a VSE On-Demand Scan. The events are generated when the On-Demand Scanner attempts to preserve the "last access time" of the files it scans.

VSE 8.8 Patch 11 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Patch 11 supports all supported Windows operating systems.

Workaround

In the Security log, disable the ability to display Failure Audit errors:
  1. Click StartRun, type eventvwr.msc, and press ENTER to launch Windows Event Viewer.
  2. Right-click Security Log and select Properties.
  3. Click the Filter tab and deselect Failure Audit.
  4. Click Apply, OK.
  5. Close the Event Viewer.
 

Rate this document

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.