Event ID: 1100
Event Description: The Event Logging Service Has Shut Down
Vendor: Microsoft
Relevant OS: Windows Vista and later, Windows Server 2008 and later
Vendor Classification: Windows Non-Audit Event
CVE Reference(s): None
Bugtraq Reference(s): None
Secunia Reference(s): None

Event Information

Cause: This event is logged when the Event Logging Service is shut down, either at system shutdown or when an automated shutdown is triggered (e.g. the event log is full). In most cases the event is written just before the service stops; however, on some occasions the Event Logging Service is shut down before this message can be generated, so the absence of a 1100 event does not prove that logging ran uninterrupted.

Analysis: While Microsoft and many security vendors classify this as "an information event and no user action is required," we disagree. In an intrusion, disabling logging, or deleting logs after a compromise, is standard practice for limiting awareness of the attacker's activity. A botnet or other malware may take the same actions to cover its tracks. This activity also clearly harms a company's ability to perform forensics.

Resolution: The appropriate party should immediately take action to restore logging. If the change took place outside an authorized process or activity, apply strong scrutiny and investigate to make sure no malicious activity took place during the time logging was turned off.

Additional Details: Customers only. Shown in the service portal.

Last Reviewed or Updated: 4/14/2015

SAVANTURE's Event Definitions, Microsoft Event ID 1100. ©2014 SAVANTURE. Enterprises, vendors and 3rd parties may freely point users to this content; however, content cannot be copied or used outside of this webpage. If content is framed, this disclaimer must also be included and credited to SAVANTURE, Inc. at www.savanture.com.
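The detection and resolution guidance above boils down to two checks: every 1100 event should be tied to an authorized change window, and, because the service can be killed before it writes the 1100 event, the log should also be scanned for silent gaps with no shutdown marker at all. The script below is an added example of that logic; it is not SAVANTURE's code or Microsoft's, and the events, the export format (already parsed into timestamp/ID/message records), the one-hour silence threshold and the maintenance window are all constructed assumptions.

```python
"""Flag Event ID 1100 (event logging service shut down) and silent logging gaps.

Added example, not code from the page. The sample events and the maintenance
window are constructed; real input would come from an exported event log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Sequence, Tuple

EVENT_LOG_SHUTDOWN = 1100  # "The Event Logging Service Has Shut Down"


@dataclass
class Event:
    time: datetime
    event_id: int
    message: str


@dataclass
class Finding:
    start: datetime        # last event written before logging stopped
    end: datetime          # first event written after logging resumed
    duration: timedelta
    explicit_1100: bool    # True if a 1100 event marked the shutdown
    authorized: bool       # True if the shutdown began inside a maintenance window


# Constructed sample export. Other IDs are filler "normal" activity;
# the three gaps of interest are marked.
SAMPLE_EVENTS = [
    Event(datetime(2015, 4, 14, 21, 0), 4624, "An account was successfully logged on"),
    Event(datetime(2015, 4, 14, 21, 45), 4688, "A new process has been created"),
    # 1. planned patching window: 1100 written, logging back 10 minutes later
    Event(datetime(2015, 4, 14, 22, 0), 1100, "The event logging service has shut down"),
    Event(datetime(2015, 4, 14, 22, 10), 4624, "An account was successfully logged on"),
    Event(datetime(2015, 4, 14, 22, 50), 4688, "A new process has been created"),
    Event(datetime(2015, 4, 14, 23, 30), 4624, "An account was successfully logged on"),
    Event(datetime(2015, 4, 15, 0, 15), 4688, "A new process has been created"),
    Event(datetime(2015, 4, 15, 1, 0), 4624, "An account was successfully logged on"),
    # 2. unexplained: 1100 outside any window, three hours of silence
    Event(datetime(2015, 4, 15, 2, 0), 1100, "The event logging service has shut down"),
    Event(datetime(2015, 4, 15, 5, 0), 4624, "An account was successfully logged on"),
    Event(datetime(2015, 4, 15, 5, 45), 4688, "A new process has been created"),
    Event(datetime(2015, 4, 15, 6, 30), 4624, "An account was successfully logged on"),
    # 3. silent gap: service stopped before it could write a 1100 event
    Event(datetime(2015, 4, 15, 9, 0), 4688, "A new process has been created"),
]

# Assumed authorized change window (constructed).
MAINTENANCE_WINDOWS: List[Tuple[datetime, datetime]] = [
    (datetime(2015, 4, 14, 21, 30), datetime(2015, 4, 14, 23, 0)),
]


def in_window(t: datetime, windows: Sequence[Tuple[datetime, datetime]]) -> bool:
    return any(start <= t <= end for start, end in windows)


def find_logging_gaps(events: Iterable[Event],
                      max_silence: timedelta = timedelta(hours=1),
                      windows: Sequence[Tuple[datetime, datetime]] = ()) -> List[Finding]:
    """Return one Finding per 1100 event (whatever the gap length) and one per
    stretch of silence longer than max_silence that has no 1100 marker."""
    ordered = sorted(events, key=lambda e: e.time)
    findings: List[Finding] = []
    for prev, nxt in zip(ordered, ordered[1:]):
        gap = nxt.time - prev.time
        explicit = prev.event_id == EVENT_LOG_SHUTDOWN
        if not explicit and gap <= max_silence:
            continue  # ordinary spacing between events
        findings.append(Finding(prev.time, nxt.time, gap, explicit,
                                in_window(prev.time, windows)))
    return findings


def needs_scrutiny(findings: Iterable[Finding]) -> List[Finding]:
    """Gaps that began outside an authorized window: investigate what
    happened on the host while nothing was being recorded."""
    return [f for f in findings if not f.authorized]


if __name__ == "__main__":
    found = find_logging_gaps(SAMPLE_EVENTS, windows=MAINTENANCE_WINDOWS)
    for f in found:
        marker = "1100 logged" if f.explicit_1100 else "NO 1100 (silent gap)"
        status = "authorized" if f.authorized else "UNAUTHORIZED"
        print(f"{f.start} -> {f.end}  {f.duration}  {marker}  {status}")
    print(f"{len(needs_scrutiny(found))} gap(s) need investigation")
```

The silence threshold is a tuning knob: on a busy domain controller a few minutes of silence is already suspicious, while a lightly used server may legitimately go quiet for longer, so set it from the host's normal event rate rather than a fixed value.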
