6406 A product registered to Windows Firewall to control filtering
Logged when a third-party product registers with Windows Firewall to control filtering. It records an external security product taking over firewall functionality.
Overview
This event belongs to the Audit Other System Events subcategory. It is generated when an antivirus or firewall product registers with Windows Firewall to control specific filtering. It indicates that a third-party product is taking over part of the traffic filtering.
How it is triggered
- When a third-party security product registers with the Windows Firewall to control filtering itself.
Security review points
- This is normally legitimate behavior by an installed security product. Confirm that the registering product is the expected one (a legitimate security product).
- If an unexpected product registers for firewall control, consider the possibility of an attempt to hijack defensive behavior. Review it together with event 6408 (product registration failure).
Notes for log review
- It occurs legitimately when a security product is installed. It is often enough to confirm that the registering product is a known, legitimate one.
Key fields
| Field | Meaning |
|---|---|
| Product name | The registering product |
| Control target | The filtering target |
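
The review points above can be turned into a small triage routine. This is an added example, not part of the original page: it checks each 6406 against an allowlist of expected products and attaches any 6408 records for the same host and product. The record keys (`host`, `time`, `event_id`, `product`, `target`), the product names and the allowlist are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records (not real log data). The "product" and "target"
# keys mirror the Key fields table; the key names themselves are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2024-05-01T09:00:00", "event_id": 6406,
     "product": "Contoso Endpoint Protection", "target": "Firewall rules"},
    {"host": "WS-02", "time": "2024-05-01T09:05:00", "event_id": 6406,
     "product": "Example Filter Agent", "target": "Firewall rules"},
    {"host": "WS-02", "time": "2024-05-01T09:07:00", "event_id": 6408,
     "product": "Example Filter Agent", "target": "Firewall rules"},
]

# Constructed allowlist: the security products this environment deploys.
ALLOWED_PRODUCTS = {"Contoso Endpoint Protection"}


def normalize(name):
    """Compare product names without regard to case or stray whitespace."""
    return name.strip().casefold()


def triage(events, allowed_products):
    """Classify every 6406 and list 6408 records for the same host/product."""
    allowed = {normalize(p) for p in allowed_products}
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    findings = []
    for ev in ordered:
        if ev["event_id"] != 6406:
            continue
        key = (ev["host"], normalize(ev["product"]))
        # 6408 is reviewed together with 6406, as the page recommends.
        related = [
            o["time"] for o in ordered
            if o["event_id"] == 6408
            and (o["host"], normalize(o["product"])) == key
        ]
        findings.append({
            "host": ev["host"],
            "time": ev["time"],
            "product": ev["product"],
            "target": ev["target"],
            "verdict": "expected" if key[1] in allowed else "unexpected",
            "related_6408": related,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, ALLOWED_PRODUCTS):
        print(finding)
```

Findings with the verdict `unexpected` are the ones to investigate first, especially when `related_6408` is not empty.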