tmihalen
Level 7

HIPS False Positive 3961 Events? I'm not sure.

Hello everyone,

I've been investigating some alerts the last few days without coming up with a successful conclusion, so I've decided to bring my question to the pros. I run a daily HIPS report showing the top blocked signatures, and quite often I see the 'Vulnerability in Server Service Could Allow Remote Code Execution' signature at the top of the list. The few articles that I've found on this event show that it is related to the Conficker worm.

I have run Conficker detection scans on the target system and they have come up clean. I don't believe that Conficker is the source of the alert. Can someone shed some insight as to what I might be dealing with here? I know that HIPS is actively blocking the requests, but I would like to find the root cause of the issue.

Here is the event information for your reference:

-------------------------------------------------------------------
Server ID: (epo server)
Event Received Time (UTC): 6/29/2011 16:11
Event Generated Time (UTC): 6/29/2011 11:55
Agent GUID: GUID
Detecting Prod ID (deprecated): HOSTIPS_META
Detecting Product Name: McAfee Host Intrusion Prevention
Detecting Product Version: 7.0.0
Detecting Product Host Name: hostname
Detecting Product IPv4 Address: ip4address
Detecting Product IP Address:
Detecting Product MAC Address:
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source IPv4 Address: same as detecting host
Threat Source IP Address:
Threat Source MAC Address:
Threat Source User Name: NT Authority\Local System
Threat Source Process Name: C:\WINDOWS\System32\svchost.exe
Threat Source URL: file:///C:\WINDOWS\System32\svchost.exe
Threat Target Host Name: hostname
Threat Target IPv4 Address: same as source host
Threat Target IP Address:
Threat Target MAC Address:
Threat Target User Name:
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:
Event Category: Host intrusion (hip.Illegal_API_Use)
Event ID: 18000
Threat Severity: Critical
Threat Name: 3961
Threat Type: bad_parameter
Action Taken: Blocked
Threat Handled: TRUE
Analyzer Detection Method:
-----------------------------------------------------------------

Please let me know if there is any additional information I can give you to help you help me.

Thanks everyone!

0 Kudos
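The daily report the poster describes counts blocked signatures, but the triage question is which of those events are local (source and target the same machine, source process svchost.exe) and which involve a remote source. The script below is an added example, not code from the thread or from McAfee: it parses records in the same 'Field: value' layout as the event pasted above, aggregates them by signature, host and source process, and counts the local svchost.exe events. The sample export is constructed for the example (hostnames, addresses and times are made up); the field names and signature number 3961 are the ones shown in the post.

```python
"""Triage helper for McAfee HIPS event exports (added example, not McAfee code).

Parses records in the 'Field:   value' layout from the post, counts signatures
per host and per source process, and flags records where source and target are
the same machine and the source process is svchost.exe."""
from collections import Counter
import ntpath
import re

FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")

# Constructed sample export: three records in the post's layout.  Hosts,
# addresses and times are invented; 3961 is the signature from the thread.
SAMPLE_EXPORT = r"""
-------------------------------------------------------------------
Event Generated Time (UTC):          6/29/2011 11:55
Detecting Product Host Name:          WS-001
Threat Source IPv4 Address:          10.0.0.11
Threat Source User Name:          NT Authority\Local System
Threat Source Process Name:          C:\WINDOWS\System32\svchost.exe
Threat Target Host Name:          WS-001
Threat Target IPv4 Address:          10.0.0.11
Threat Name:          3961
Action Taken:          Blocked
-------------------------------------------------------------------
Event Generated Time (UTC):          6/29/2011 12:40
Detecting Product Host Name:          WS-001
Threat Source IPv4 Address:          10.0.0.11
Threat Source User Name:          NT Authority\Local System
Threat Source Process Name:          C:\WINDOWS\System32\svchost.exe
Threat Target Host Name:          WS-001
Threat Target IPv4 Address:          10.0.0.11
Threat Name:          3961
Action Taken:          Blocked
-------------------------------------------------------------------
Event Generated Time (UTC):          6/29/2011 13:02
Detecting Product Host Name:          WS-002
Threat Source IPv4 Address:          10.0.0.99
Threat Source User Name:
Threat Source Process Name:
Threat Target Host Name:          WS-002
Threat Target IPv4 Address:          10.0.0.12
Threat Name:          3961
Action Taken:          Blocked
-------------------------------------------------------------------
"""


def _is_separator(line):
    s = line.strip()
    return len(s) >= 5 and set(s) == {"-"}


def parse_events(text):
    """Split an export on dashed separator lines; return one dict per record.
    Fields with no value (as in the post) are kept with an empty string."""
    events, current = [], {}
    for line in text.splitlines():
        if _is_separator(line):
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        events.append(current)
    return events


def process_basename(path):
    # ntpath handles the Windows paths regardless of the platform this runs on
    return ntpath.basename(path).lower()


def is_local_svchost(event):
    """True when source and target are the same machine (by IPv4, falling back
    to host name) and the source process is svchost.exe: the shape of the
    events the poster is asking about."""
    src_ip = event.get("Threat Source IPv4 Address", "")
    dst_ip = event.get("Threat Target IPv4 Address", "")
    src_host = event.get("Threat Source Host Name", "")
    dst_host = event.get("Threat Target Host Name", "")
    same_machine = (src_ip and src_ip == dst_ip) or (src_host and src_host == dst_host)
    proc = process_basename(event.get("Threat Source Process Name", ""))
    return bool(same_machine) and proc == "svchost.exe"


def summarize(events):
    """Aggregate like the poster's daily report, plus the local-svchost count."""
    return {
        "by_signature": Counter(e.get("Threat Name", "") for e in events),
        "by_host": Counter(e.get("Detecting Product Host Name", "") for e in events),
        "by_process": Counter(process_basename(e.get("Threat Source Process Name", "")) for e in events),
        "local_svchost": sum(1 for e in events if is_local_svchost(e)),
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EXPORT))
    for sig, n in summary["by_signature"].most_common():
        print(f"signature {sig}: {n} events")
    print("local svchost.exe events:", summary["local_svchost"])
```

Run against a real export, the `local_svchost` count against the total for signature 3961 tells you whether the volume is explained by the local service-host pattern in the post or whether some events have a remote source that deserves separate attention.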
3 Replies
tmihalen
Level 7

Re: HIPS False Positive 3961 Events? I'm not sure.

I also forgot to mention, so far, the detecting systems have the MS08-067 patch installed as well.

0 Kudos
tmihalen
Level 7

Re: HIPS False Positive 3961 Events? I'm not sure.

Just following up. We are still getting these events daily and I need to determine if this is a false positive or not.

0 Kudos
McAfee Employee

Re: HIPS False Positive 3961 Events? I'm not sure.

This looks like a false positive. You should be fine creating an exception if you've already applied MS08-067 on the system.

If you want to probe it further, identify the applications running in the context of svchost.exe on the systems most readily triggering the sigs. Disable the applications one at a time to potentially isolate the application triggering the sig.

0 Kudos
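The reply's first step is to find out what is actually running inside svchost.exe on the affected systems. On Windows, `tasklist /svc` prints each svchost.exe PID together with the services it hosts, wrapping long service lists onto indented continuation lines. The parser below is an added example, not code from the thread or from McAfee: it reads that output and returns the svchost.exe instance hosting LanmanServer (the Server service, the component the MS08-067 patch and this signature concern) with its co-hosted services, which is the candidate list for the disable-one-at-a-time step. The sample output is constructed for the example; the PIDs and the exact mix of services are invented, and the column layout is assumed to match what tasklist prints.

```python
"""Which services share the svchost.exe instance hosting the Server service.

Added example, not code from the thread or McAfee.  Parses `tasklist /svc`
output (sample below is constructed) including the indented continuation
lines tasklist emits for long service lists."""
import re
from dataclasses import dataclass, field

# image name (may contain spaces), PID, then the comma-separated service list
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s*(?P<services>.*)$")

# Constructed sample of `tasklist /svc` output; PIDs and service mix invented.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    836 DcomLaunch, PlugPlay
svchost.exe                   1012 AudioSrv, Browser, CryptSvc, Dhcp,
                                   EventSystem, lanmanserver,
                                   lanmanworkstation, Netman, RasMan
svchost.exe                   1088 Dnscache
spoolsv.exe                   1424 Spooler
"""


@dataclass
class TaskEntry:
    image: str
    pid: int
    services: list = field(default_factory=list)


def _split_services(s):
    """Split 'A, B, C,' into names, dropping blanks and the N/A placeholder."""
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return one TaskEntry per process row, merging wrapped service lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and entries:
            # indented line: continuation of the previous row's service list
            entries[-1].services.extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        entries.append(TaskEntry(m.group("image").strip(), int(m.group("pid")),
                                 _split_services(m.group("services"))))
    return entries


def svchost_instances(entries):
    """Map each svchost.exe PID to the services it hosts."""
    return {e.pid: e.services for e in entries if e.image.lower() == "svchost.exe"}


def find_service_host(entries, service):
    """Return the process entry hosting `service` (case-insensitive), or None."""
    wanted = service.lower()
    for e in entries:
        if any(s.lower() == wanted for s in e.services):
            return e
    return None


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    host = find_service_host(rows, "LanmanServer")
    if host is None:
        print("Server service not found in this snapshot")
    else:
        others = [s for s in host.services if s.lower() != "lanmanserver"]
        print(f"LanmanServer runs in {host.image} PID {host.pid}; co-hosted: {', '.join(others)}")
```

The HIPS event in the post records no target port or process, so the output cannot be tied to one PID directly; the co-hosted list is the set of services to stop one at a time, per the reply, while watching whether the signature keeps firing. Services outside the LanmanServer instance can be checked the same way with `svchost_instances`.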