Время от времени происходит случайный сеанс "анонимного входа" с 3 машин в нашей компании, с 3 машин на 1000.
У меня Windows 7 Enterprise 64-разрядная версия. У меня установлены все обновления. Я разработчик программного обеспечения и работаю администратором.
На каждом компьютере в нашей компании, включая мой, McAfee установлен как антивирус.
Интересно, в чем может быть причина этих анонимных входов в систему (вирус или что-то еще)? Если это вирус, почему McAfee не находит его и как я могу его идентифицировать?
================================================== =================
Дополнительная информация:
Обновление: друг нашел полезную ссылку, но она не отвечает на причину: StackExchange-ServerFault Неожиданный анонимный вход в журналы безопасности Windows
Я установил NetShareMonitor 1.0 из NagMatrix. Это журнал сеанса:
***************************************************************
Nov 14 13:23:07 2014 : Session logging started
Nov 14 13:23:39 2014 : Session logging is stopped
***************************************************************
Nov 14 13:23:42 2014 : Session logging started
Nov 14 15:53:05 2014 : Session logging is stopped
***************************************************************
Nov 14 15:54:48 2014 : Session logging started
***************************************************************
Nov 17 09:52:42 2014 : Session logging started
Nov 17 10:03:12 2014 : Session logging is stopped
***************************************************************
Nov 17 10:03:38 2014 : Session logging started
**************************************************************
Nov 17 11:47:10 2014 : Session logging started
***************************************************************
Nov 17 12:08:44 2014 : Session logging started
Nov 17 12:08:47 2014 : Session logging is stopped
***************************************************************
Nov 17 12:56:52 2014 : Session logging started
Nov 17 17:02:08 2014 : User ANONYMOUS LOGON is connected from host PW141850
Nov 17 17:02:32 2014 : User ANONYMOUS LOGON is disconnected from host PW141850
Nov 17 17:04:53 2014 : Session logging is stopped
***************************************************************
Nov 17 17:34:11 2014 : Session logging started
Nov 18 09:28:52 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:29:03 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:29:14 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:29:27 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:44:35 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:44:51 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:45:07 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:45:21 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 09:58:14 2014 : User ANONYMOUS LOGON is connected from host PD140084
Nov 18 09:58:39 2014 : User ANONYMOUS LOGON is disconnected from host PD140084
Nov 18 13:13:57 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 18 13:14:11 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 18 15:00:14 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 18 15:00:28 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 19 07:18:20 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 19 07:18:30 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Nov 19 08:35:29 2014 : User ANONYMOUS LOGON is connected from host PWS00126
Nov 19 08:35:42 2014 : User ANONYMOUS LOGON is disconnected from host PWS00126
Это пример из просмотра событий (каждый анонимный логин выглядит одинаково, но порт в конце меняется с ~ 50000 - ~ 65000):
+ System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2014-11-18T20:00:14.982414900Z
EventRecordID 784005
Correlation
- Execution
[ ProcessID] 760
[ ThreadID] 884
Channel Security
Computer PD130812.ireq.ca
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName AUTORITE NT
TargetLogonId 0x3caeef0
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName PWS00126
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V1
KeyLength 128
ProcessId 0x0
ProcessName -
IpAddress **IP of offending machine**
IpPort 59017