6408 A registered product failed and Windows Firewall is now controlling filtering
Logged when a product that had registered to control firewall filtering fails and Windows Firewall takes over. It records a malfunction of a third-party product.
Overview
The event belongs to the Audit Other System Events subcategory. It is generated when the product that was controlling filtering (registered via event 6406) fails and Windows Firewall takes over filtering.
How it is triggered
- When the product controlling the firewall malfunctions or stops and control returns to Windows Firewall.
Security review points
- A failure of the controlling product means that product's filtering was not functioning for a time. Even though Windows Firewall takes over, product-specific defenses (advanced inspection, etc.) may be missing. Check why the product stopped.
- Also consider the slight possibility that the event results from an attacker disabling the security product, and review it together with the state of the product's process.
Notes for log review
- The event can be caused by product bugs or updates. Identify the failed product and check what protection was in place during that period.
- If unexpected failures of the security product keep recurring, investigate with the possibility in mind that someone is deliberately trying to shut the product down.
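As an added example (not from the original page), the two log-review checks above can be run over exported 6406/6408 records: how long each host went without the product after a 6408, and which hosts show repeated failures. The record keys, the `ExampleFW` name and the 24-hour / 3-event threshold are assumptions, as is treating the next 6406 for the same product as the point where it resumed control.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log output). The keys are hypothetical
# names for an export of Security-log events 6406 and 6408.
EVENTS = [
    {"host": "ws01", "time": "2024-05-01T09:00:00", "event_id": 6406, "product": "ExampleFW"},
    {"host": "ws01", "time": "2024-05-01T10:00:00", "event_id": 6408, "product": "ExampleFW"},
    {"host": "ws01", "time": "2024-05-01T10:05:00", "event_id": 6406, "product": "ExampleFW"},
    {"host": "ws02", "time": "2024-05-01T11:00:00", "event_id": 6408, "product": "ExampleFW"},
    {"host": "ws02", "time": "2024-05-01T11:20:00", "event_id": 6406, "product": "ExampleFW"},
    {"host": "ws02", "time": "2024-05-01T11:40:00", "event_id": 6408, "product": "ExampleFW"},
    {"host": "ws02", "time": "2024-05-01T12:10:00", "event_id": 6408, "product": "ExampleFW"},
]

def review_6408(events, window=timedelta(hours=24), threshold=3):
    """Return (gaps, repeat_offenders).

    gaps: one entry per 6408, with the time until the same product on the
          same host registers again via 6406 (None if it never does).
    repeat_offenders: (host, product) pairs with at least `threshold`
          6408 events inside any window of length `window`.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO strings sort by time
        by_key[(e["host"], e["product"])].append(
            (datetime.fromisoformat(e["time"]), e["event_id"]))

    gaps, repeat = [], set()
    for (host, product), seq in by_key.items():
        failures = [t for t, eid in seq if eid == 6408]
        for t_fail in failures:
            # Assumption: the next 6406 marks the product resuming control.
            back = next((t for t, eid in seq if eid == 6406 and t > t_fail), None)
            gaps.append({"host": host, "product": product, "failed_at": t_fail,
                         "fallback": back - t_fail if back else None})
        # Sliding window anchored at each failure.
        for i, start in enumerate(failures):
            if sum(1 for t in failures[i:] if t - start <= window) >= threshold:
                repeat.add((host, product))
    return gaps, sorted(repeat)
```

A `fallback` of `None` means the data shows no re-registration, so the host may still be running on Windows Firewall alone and the product's process state should be checked.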
Key fields
| Field | Meaning |
|---|---|
| Failed product | The product that had been controlling filtering |
| Control target | The filtering that Windows Firewall took over |