How to fix WinEvtLog: Security: AUDIT_FAILURE(4625) caused by Windows Defender ~ Bauer-Power Media

Mar 30, 2017

How to fix WinEvtLog: Security: AUDIT_FAILURE(4625) caused by Windows Defender

7:00 AM

El DiPablo

I've written in the past about how I really like the built in Windows Defender as my antivirus of choice in Windows 10 and above. More specifically, I wrote about how to configure it for regular updates and scheduled scans. Well, I recently went back to it on my main laptop and when it kicked off it's first quick scan all of a sudden I noticed a lot of alerts coming from one of my work servers!

The alerts I was seeing were WinEvtLog: Security: AUDIT_FAILURE(4625) coming from our host based intrusion detection monitor. Our log monitor was also sending alerts saying Microsoft-Windows-Security-Auditing: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0. All of the alerts listed my computer's host name as the account that was failing the audit!

Well, it turns out that by default Windows Defender wants to scan network files and network file shares. That's honestly pretty annoying since we have antivirus on those servers already, and I don't need Windows Defender to scan anything except what's on my local machine. It's also annoying because it kicked off all of the alerts!

Well, to disable network scanning is fairly simple. You just need to open powershell as an administrator and run the following:

set-mppreference -DisableScanningNetworkFiles 1
set-mppreference -DisableScanningMappedNetworkDrivesForFullScan 1

To see what settings you have enabled or disabled you can run the following from powershell to get a list:

get-mppreference

As you can see above, network scanning has been disabled. Now when I run a scan, it stays local to my computer only and doesn't kick off anymore alerts!

Did you find this helpful? Let us know in the comments!