There are some random "Anonymous logon" sessions that occur occasionally from 3 machines in our company, 3 machines out of about 1000.
I have Windows 7 Enterprise 64-bit edition. I have installed all updates. I am a software developer and run as administrator.
Every computer in our company, including mine, has McAfee installed as antivirus.
I wonder what could be the reason for these anonymous logons (a virus or anything else)? If it is a virus, why doesn't McAfee find it, and how can I identify it?
===================================================================
Additional information:
Update: a friend found a useful link, but it does not answer the cause: StackExchange-ServerFault Unexpected anonymous logon in Windows security log
I installed NetShareMonitor 1.0 from NagMatrix. Here is the session log:
***************************************************************
Nov 14 13:23:07 2014 : Session logging started
Nov 14 13:23:39 2014 : Session logging is stopped
***************************************************************
Nov 14 13:23:42 2014 : Session logging started
Nov 14 15:53:05 2014 : Session logging is stopped
***************************************************************
Nov 14 15:54:48 2014 : Session logging started
***************************************************************
Nov 17 09:52:42 2014 : Session logging started
Nov 17 10:03:12 2014 : Session logging is stopped
***************************************************************
Nov 17 10:03:38 2014 : Session logging started
**************************************************************
Nov 17 11:47:10 2014 : Session logging started
***************************************************************
Nov 17 12:08:44 2014 : Session logging started
Nov 17 12:08:47 2014 : Session logging is stopped
***************************************************************
Nov 17 12:56:52 2014 : Session logging started
Nov 17 17:02:08 2014 : User ANONYMOUS LOGON is connected from host PW141850
Nov 17 17:02:32 2014 : User ANONYMOUS LOGON is disconnected from host PW141850
Nov 17 17:04:53 2014 : Session logging is stopped
***************************************************************
Nov 17 17:34:11 2014 : Session logging started
Nov 18 09:28:52 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:29:03 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:29:14 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:29:27 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:44:35 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:44:51 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:45:07 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:45:21 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:58:14 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:58:39 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 13:13:57 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 18 13:14:11 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 18 15:00:14 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 18 15:00:28 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 19 07:18:20 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 19 07:18:30 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 19 08:35:29 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 19 08:35:42 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
This is a sample from the event viewer (every anonymous logon looks the same, but the port at the end varies from ~50000 to ~65000):
+ System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2014-11-18T20:00:14.982414900Z
EventRecordID 784005
Correlation
- Execution
[ ProcessID] 760
[ ThreadID] 884
Channel Security
Computer PD130812.ireq.ca
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName AUTORITE NT
TargetLogonId 0x3caeef0
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName PWS00126
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V1
KeyLength 128
ProcessId 0x0
ProcessName -
IpAddress **IP of offending machine**
IpPort 59017
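
An added example, not part of the original post: one way to triage a session log in the format shown above is to pair each connect with its disconnect and total the anonymous sessions per source host. The function name, the sample lines and the host names `HOST-A` to `HOST-C` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the NetShareMonitor session-log format quoted in the post.
SAMPLE_LOG = """\
Nov 17 12:56:52 2014 : Session logging started
Nov 17 17:02:08 2014 : User ANONYMOUS LOGON is connected from host HOST-A
Nov 17 17:02:32 2014 : User ANONYMOUS LOGON is disconnected from host HOST-A
Nov 17 17:04:53 2014 : Session logging is stopped
***************************************************************
Nov 17 17:34:11 2014 : Session logging started
Nov 18 09:28:52 2014 : User ANONYMOUS LOGON is connected from host HOST-B
Nov 18 09:29:03 2014 : User ANONYMOUS LOGON is disconnected from host HOST-B
Nov 18 09:29:14 2014 : User ANONYMOUS LOGON is connected from host HOST-B
Nov 18 09:29:27 2014 : User ANONYMOUS LOGON is disconnected from host HOST-B
Nov 18 13:13:57 2014 : User ANONYMOUS LOGON is connected from host HOST-C
"""

# "<Mon DD HH:MM:SS YYYY> : User <name> is connected|disconnected from host <host>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"User (?P<user>.+?) is (?P<state>connected|disconnected) from host (?P<host>\S+)$"
)

def summarize_sessions(log_text, user="ANONYMOUS LOGON"):
    """Return {host: {sessions, seconds, unclosed}} for one user name."""
    stats = defaultdict(lambda: {"sessions": 0, "seconds": 0, "unclosed": 0})
    open_since = {}  # host -> time of the connect still awaiting a disconnect

    def flush():
        # A connect with no disconnect before logging stops cannot be timed.
        for host in open_since:
            stats[host]["unclosed"] += 1
        open_since.clear()

    for line in log_text.splitlines():
        if "Session logging" in line:  # start/stop marker: do not pair across gaps
            flush()
            continue
        m = LINE_RE.match(line.strip())
        if not m or m["user"] != user:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        if m["state"] == "connected":
            open_since[m["host"]] = ts
        elif m["host"] in open_since:
            stats[m["host"]]["sessions"] += 1
            delta = ts - open_since.pop(m["host"])
            stats[m["host"]]["seconds"] += int(delta.total_seconds())
    flush()
    return dict(stats)
```

Sorting the result by session count shows which workstations to examine first, and the per-host timestamps can then be matched against the `WorkstationName` and `IpPort` fields of the 4624 events.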