I believe that the EPO agent runs as a service, under System, but to talk back to the repository it uses an user account, which is where you are seeing the login. If the Framework account was logon as service you would see a logon type (I believe 5 (Logon as service)) but since this Agent needs to interact with the desktop, etc etc it hits logon-type (2), a Logon type 3 to talk to the mothership for the AV updates, and why RDP of Type 10 tho, the AV account shouldn't be trying to RDP into anything.
Z Edward Ziots Network Engineer Lifespan Organization MCSE,MCSA,MCP+I, ME, CCA, Security +, Network + [email protected] Phone:401-639-3505 ________________________________ From: David Lum [mailto:[email protected]] Sent: Friday, June 05, 2009 11:45 AM To: NT System Admin Issues Subject: McAfee agent and logon type 2 I am still searching McAfee forums, but does anyone here use McAfee ePO and use a GPO to minimize cached credentials? Our laptops have a cached logon setting of 1 (and have for over a year) and recently (last 2 months only) they are getting locked out, and troubleshooting has it looking like the ePO agent on the system is doing it - viewing security logs it shows a logon type of 2 which is an interactive logon as you'd expect to see if one is sitting at the keyboard. A shared network logon type is 3 and an RDP one is 10, but many (if not all) of our McAfee managed systems have entries for the logon type of 2 for our anti-virus service account. I recently patched our ePO server with ePO updates but am not finding any specific documentation about the agent needing interactive logon. The documentation DOES mention "impersonal a client after logon" but I am not sure it's the same thing. I need to know if this is truly the issue before seeing the cached logon to 2 logons remembered... David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
