The Symantec Endpoint Encryption Domain Client account (SEE Framework client account) used for IIS communication is shown as the active user account for web requests to sites other than the SEE Server. This account appears in Palo Alto reports instead of the logged-in user account.
A report run by a third-party tool (in this case Palo Alto) shows the account being overridden. No error message is displayed. Symantec Endpoint Encryption continues to work successfully; it is only the report that indicates a security breach. Below is an example report.
Receive Time | Source address | Destination address | Source User | Destination Port | Category |
7/17/2012 9:09 | 192.168.18.66 | 209.84.13.118 | healthone\seersmcli | 80 | unknown |
7/17/2012 8:57 | 192.168.61.117 | 64.4.18.90 | healthone\seersmcli | 80 | computer-and-internet-info |
7/17/2012 8:52 | 192.168.19.149 | 64.4.18.90 | healthone\seersmcli | 80 | computer-and-internet-info |
7/17/2012 8:46 | 192.168.15.164 | 199.7.52.190 | healthone\seersmcli | 80 | computer-and-internet-info |
7/17/2012 8:35 | 192.168.18.159 | 204.245.63.24 | healthone\seersmcli | 80 | unknown |
The issue isn't related to Symantec Endpoint Encryption. The Palo Alto reporting software collects user information from the client endpoints and not from the HTTP(S) requests. The Palo Alto client is not collecting the correct user information at all times. This is being looked at by the Palo Alto software vendor.
Symantec Endpoint Encryption is functioning as designed.
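A triage sketch for a report like the one shown, added here as an example and not part of the Symantec article or of Palo Alto tooling: it parses the pipe-delimited export and lists, per source address, the requests attributed to the SEE client account whose destination is not the SEE Server, which identifies the endpoints whose user mapping needs review. The SEE Server address `192.0.2.10`, the user `healthone\jdoe` and the last two sample rows are constructed assumptions.

```python
from collections import defaultdict

# Assumptions (not from the article): SEE_SERVERS holds a placeholder address
# from the documentation range; the report is exported pipe-delimited as shown.
SEE_SERVERS = {"192.0.2.10"}
SERVICE_ACCOUNT = r"healthone\seersmcli"  # account named in the article's report

# First five data rows are the article's; the last two are constructed.
SAMPLE = r"""
Receive Time | Source address | Destination address | Source User | Destination Port | Category |
7/17/2012 9:09 | 192.168.18.66 | 209.84.13.118 | healthone\seersmcli | 80 | unknown |
7/17/2012 8:57 | 192.168.61.117 | 64.4.18.90 | healthone\seersmcli | 80 | computer-and-internet-info |
7/17/2012 8:52 | 192.168.19.149 | 64.4.18.90 | healthone\seersmcli | 80 | computer-and-internet-info |
7/17/2012 8:46 | 192.168.15.164 | 199.7.52.190 | healthone\seersmcli | 80 | computer-and-internet-info |
7/17/2012 8:35 | 192.168.18.159 | 204.245.63.24 | healthone\seersmcli | 80 | unknown |
7/17/2012 9:15 | 192.168.18.66 | 192.0.2.10 | healthone\seersmcli | 80 | unknown |
7/17/2012 9:20 | 192.168.18.66 | 64.4.18.90 | healthone\jdoe | 80 | computer-and-internet-info |
"""


def _cells(line):
    """Split one pipe-delimited row, dropping the trailing empty cell."""
    return [c.strip() for c in line.strip().rstrip("|").split("|")]


def parse_report(text):
    """Return the report rows as dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = _cells(lines[0])
    return [dict(zip(header, _cells(ln))) for ln in lines[1:]]


def misattributed(rows, account=SERVICE_ACCOUNT, see_servers=SEE_SERVERS):
    """Map source address -> destinations attributed to the service account
    that are not the SEE Server (the only traffic that account should own)."""
    hits = defaultdict(list)
    for row in rows:
        is_service = row["Source User"].lower() == account.lower()
        if is_service and row["Destination address"] not in see_servers:
            hits[row["Source address"]].append(row["Destination address"])
    return dict(hits)


if __name__ == "__main__":
    for src, dests in sorted(misattributed(parse_report(SAMPLE)).items()):
        print(f"{src}: review user mapping, {len(dests)} request(s) -> {dests}")
```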