Knowledge Base

The EventSentry service uses Microsoft's LDAP library to resolve GUIDs from Active Directory at startup and during runtime. The port number will vary on different machines and might change during runtime. The Microsoft LDAP library opens up both a TCP and UDP connection upon initialization and connection to the nearest domain controller. T...

KB-ID 148
Category: Security

By default the EventSentry agent runs under the LocalSystem account, which has unrestricted access to operating system resources and thus ensures that all components of the system can be monitored accurately. You can change the account the agent is running under through the Services application in the Administrative Tools, but some manual conf...

KB-ID 184
Category: Security
Applies to: All Versions

By default EventSentry is not affected by Heartbleed unless SSL is enabled on the built-in PostgreSQL database. See below for a list of all EventSentry components:

- EventSentry Agent: Does not use OpenSSL, not vulnerable
- EventSentry Heartbeat Agent: Does not use OpenSSL, not vulnerable
- EventSentry Network Services: Does not use Ope...

KB-ID 256
Category: Security
Applies to: 2.93.x to 3.0.1.67

Yes, this only takes a few minutes to configure. Use the EventSentry console toolbar and click Tools, then Embedded Scripts. Make a new script and give it a name that ends with .bat, such as blockpetya.bat. Select the new script and create its contents on the right. Paste this line: if not exist %systemroot%\perfc. echo systemro...

KB-ID 354
Category: Security
Applies to: 2.93 and later

Yes, this only takes a few minutes to configure. Use the EventSentry console toolbar and click Tools, then Embedded Scripts. Make a new script and give it a name that ends with .bat, such as blockbadrabbit.bat. Select the new script and create its contents on the right. Paste these lines: if not exist %systemroot%\infpub.dat echo ...

KB-ID 368
Category: Security
Applies to: All

Yes. EventSentry's File Monitoring and Process Tracking features can create SHA256 checksums of monitored or executed files, which can be submitted on VirusTotal's Search tab (https://www.virustotal.com//home/search) to get additional information about the files.

KB-ID 389
Category: Security
Applies to: 3.5 and later

The easiest way to get notified in real time whenever a user is created in Active Directory is by forwarding Microsoft-Windows-Security-Auditing event 4720 (https://system32.eventsentry.com/security/event/4720). This event is logged to the Security event log whenever an Active Directory user is created. More information o...

KB-ID 403
Category: Security

Starting with Windows 10 and Windows Server 2016 you can generate audit events whenever files are written to a removable drive by enabling auditing for the Removable Storage audit subcategory of the Object Access audit category. This will result in 4663 (https://system32.eventsentry.com/security/event/4663) events being generated whenev...

KB-ID 410
Category: Security
Applies to: 3.5 and later

Emotet (https://en.wikipedia.org/wiki/Emotet) is dangerous malware that has been infecting networks since 2016, causing serious damage to organizations. The team of JPCERT (https://www.jpcert.or.jp/english/) created EmoCheck (https://github.com/JPCERTCC/EmoCheck/releases), a command line utility that detects running Emotet processes. This a...

KB-ID 414
Category: Security

Recent CVE advisory CVE-2020-0796 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796) explains a remote code execution vulnerability that exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests that affect Windows 10 and Windows Server. Microsoft has released a patch for this vulnera...

KB-ID 415
Category: Security

Utilman.exe is the utility program that is launched when the Ease of Access button on the login screen is clicked. At the time of writing it can still be replaced by cmd.exe, allowing an attacker to simply reset any user password, since the tool is executed with admin rights. Info: https://4sysops.com/archives/resetawindows1...

KB-ID 433
Category: Security
Applies to: 3.5 and later

This guide illustrates how to completely disable WinRM and how to deploy the change over the network using the free tool EventSentry Admin Assistant (https://www.eventsentry.com/adminassistant).

1. Disabling WinRM
2. Network deployment using EventSentry Admin Assistant

Disabling WinRM: The Windows Remote Management (WinRM) service is Micro...

KB-ID 436
Category: Security
Applies to: Admin Assistant

EventSentry can detect both successful and unsuccessful ZeroLogon attacks by examining various event patterns on domain computers. To use this package:

- Download the package using the link shown below
- Open the EventSentry management console
- Click on Packages
- Click on Import
- Select the ZeroLogon package

KB-ID 440
Category: Security
Applies to: 4.2.3