We see it here on both workstations and servers and across multiple versions of Windows. Googling for "security event 5152" turns up quite a few hits. I'm guessing that many of these are Sophos-related and many are not. Most of the hits that I have looked at either end with no resolution or end with auditpol.

I recently received a new VM and today I noticed that 5152s were being logged there. I quickly grabbed the security event log contents before they wrapped. I found the first occurrence of a 5152 and examined the application, system and security event logs for events that happened just before this first 5152. The thing that happened just before the 5152s started flooding the security event log is that Sophos Endpoint Firewall was installed and started.

Disabling the message with auditpol seems like the wrong approach to me. The ideal solution involves Sophos EFW and the Windows firewall infrastructure working together in a way that doesn't result in the security event log filling up with warnings about DHCP packets (unless those packets contain some kind of exploit) and other common packets, but still reports activity on unexpected ports and reports malformed packets on common ports.

[later edit: I just dug through the 5152s on this VM. The top 3 sources in this case are (in order of decreasing frequency) UDP DNS responses from the domain controller.

[even later edit: I just received a new corporate laptop. It now appears to be phoning home when these incidents happen (at least some of the time).