rphillips
Level 7

Help with HIPS Event Please


Over the last couple of weeks I have been monitoring a rapidly growing number of events starting to compile in one of my dashboards. We are seeing an increasingly large number of the following, and I have been chasing my tail for a few days now trying to figure out a similarity between the machines, and there isn't one that I can tell. Both of the below are just 2 of the several thousand events that keep hitting up.

There are no similarities between the machines: some are Windows 7 and some are XP SP3, some are running IE8 and some are running IE7, some are running Outlook 2003 and some are running Outlook 2007.

MACHINE A is one Event for Outlook

Threat Source Process Name:C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Threat Source URL:file:///C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Threat Target Host Name:2RFWY91-D620
Threat Target IPv4 Address:xxx.xxx.xxx.xxx
Threat Target IP Address:0:0:0:0:0:ffff:a0d:13b
Threat Target MAC Address:0015c545b5e6
Threat Target User Name:
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:
Event Category:Host intrusion (hip.Illegal_API_Use)
Event ID:18000
Threat Severity:Critical
Threat Name:3776
Threat Type:bad_parameter
Action Taken:Permitted
Threat Handled:false
Analyzer Detection Method:

Threat Event Descriptions 

Event Description:Host intrusion detected and handled

Endpoint Encryption 

No addition information available.

Host IPS Event Information

API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Vulnerability Name Vulnerable ActiveX Control Loading A
Workstation Name 2RFWY91-D620

Host IPS Event Description

Event Description

Malicious use of the API CompatFlagsFromClsid by C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE running with the privileges of user MAIN\_MStefan was detected on the system with Agent 2RFWY91-D620. The parameter(s) passed to the API are 10072CEC-8CC1-11D1-986E-00A0C955B42E.

General Signature Description

(Refer to KB article 51504 for details about supported platforms.) This event indicates that Internet Explorer attempted to create an ActiveX control using a CLSID which is found in publicly known exploits. These exploits attack a vulnerability in Internet Explorer Vector Markup Language that could allow remote attackers to execute arbitrary commands on the local system.

References: CVE-2006-4868 CVE-2007-1749 

Possible Signature Triggers

If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561

MACHINE B is stating IE

Threat Source Process Name:C:\Program Files\Internet Explorer\iexplore.exe
Threat Source URL:file:///C:\Program Files\Internet Explorer\iexplore.exe
Threat Target Host Name:
Threat Target IPv4 Address:xxx.xxx.xxx.xxx
Threat Target IP Address:0:0:0:0:0:ffff:c0a8:144
Threat Target MAC Address:00255651052f
Threat Target User Name:
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:
Event Category:Host intrusion (hip.Illegal_API_Use)
Event ID:18000
Threat Severity:Critical
Threat Name:3776
Threat Type:bad_parameter
Action Taken:Permitted
Threat Handled:false
Analyzer Detection Method:

Threat Event Descriptions 

Event Description:Host intrusion detected and handled

Endpoint Encryption 

No addition information available.

Host IPS Event Information 

API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Vulnerability Name Vulnerable ActiveX Control Loading A
Workstation Name 25JXBK1-E6400
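The question is really "what do several thousand alerts have in common when the OS, browser and Outlook versions all differ?" The script below is an added example (not code from the thread, from McAfee or from ePO) that parses event dumps in the layout pasted above into records, groups them by the fields that recur across hosts (signature, API, parameter CLSID, source process) rather than by platform, reports the field/value pairs shared by every event, and applies the triage rule from the accepted answer: signature 3776 on CompatFlagsFromClsid is the known trigger documented in KB70810 after MS10-090. The sample records, the `---` record separator and all function names are constructed for this example; the field values are taken from the post, where the IPv4 addresses were already masked.

```python
"""Triage helper for McAfee Host IPS 'Illegal API Use' events (added example, not McAfee/ePO code)."""
from collections import Counter
import ntpath

# Constructed sample in the layout of the two records pasted in the post (values from the post).
# The '---' separator is this example's own convention, not ePO console output.
SAMPLE_EVENTS = r"""
Threat Source Process Name:C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
Threat Target Host Name:2RFWY91-D620
Threat Target IP Address:0:0:0:0:0:ffff:a0d:13b
Event ID:18000
Threat Name:3776
Threat Type:bad_parameter
Action Taken:Permitted
Threat Handled:false
API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Workstation Name 2RFWY91-D620
---
Threat Source Process Name:C:\Program Files\Internet Explorer\iexplore.exe
Threat Target Host Name:
Threat Target IP Address:0:0:0:0:0:ffff:c0a8:144
Event ID:18000
Threat Name:3776
Threat Type:bad_parameter
Action Taken:Permitted
Threat Handled:false
API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Workstation Name 25JXBK1-E6400
"""

# Keys from the detail table are written 'Key Value' rather than 'Key:Value'.
SPACE_KEYS = ("API Name", "Detailed Event Info", "Vulnerability Name", "Workstation Name")
RECORD_SEPARATOR = "---"  # constructed separator between pasted records
# Per-host identifiers: never part of a "what do these alerts have in common" answer.
HOST_FIELDS = ("Threat Target Host Name", "Workstation Name", "Threat Target IPv4 Address",
               "Threat Target IP Address", "Threat Target MAC Address")
# Signature/API pair the accepted answer ties to KB70810 (triggers after MS10-090).
KNOWN_TRIGGER = ("3776", "CompatFlagsFromClsid")


def parse_events(text):
    """Split pasted dumps into one dict per record; values keep their own colons (paths, IPv6)."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RECORD_SEPARATOR:
            if current:
                events.append(current)
            current = {}
            continue
        key = next((k for k in SPACE_KEYS if line.startswith(k + " ")), None)
        if key is not None:
            current[key] = line[len(key) + 1:].strip()
        elif ":" in line:  # split on the FIRST colon only
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def host_of(event):
    """Hostname, falling back to the detail table when the summary field is blank (as in record B)."""
    return event.get("Threat Target Host Name") or event.get("Workstation Name", "")


def group_events(events):
    """Count events per (signature, API, parameter, process) so a flood collapses to a few rows."""
    def key(e):
        proc = ntpath.basename(e.get("Threat Source Process Name", "")).lower()
        return (e.get("Threat Name", ""), e.get("API Name", ""),
                e.get("Detailed Event Info", "").upper(), proc)
    return Counter(key(e) for e in events)


def common_factors(events):
    """Field/value pairs identical in every event, host identifiers excluded."""
    if not events:
        return {}
    shared = dict(events[0])
    for e in events[1:]:
        shared = {k: v for k, v in shared.items() if e.get(k) == v}
    return {k: v for k, v in shared.items() if k not in HOST_FIELDS}


def classify(event):
    """'known-trigger-kb70810' for the pair named in the accepted answer, else 'needs-review'."""
    pair = (event.get("Threat Name"), event.get("API Name"))
    return "known-trigger-kb70810" if pair == KNOWN_TRIGGER else "needs-review"


def was_blocked(event):
    """False when HIPS only logged the call: 'Action Taken:Permitted' plus 'Threat Handled:false'."""
    return event.get("Action Taken", "").lower() != "permitted"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("shared:", common_factors(evs))
    for e in evs:
        print(host_of(e), classify(e), "blocked" if was_blocked(e) else "log-only")
```

Run against the two pasted records, `common_factors` returns the signature number, the API name and the CLSID parameter while the process path drops out, which is the similarity the OS and browser columns hide. `was_blocked` is worth keeping in any such report: "Action Taken:Permitted" with "Threat Handled:false" means the signature only logged, so nothing on the endpoints was actually stopped while the alerts were being triaged.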

Accepted Solutions
McAfee Employee

Re: Help with HIPS Event Please


See this KB article about Signature 3776.

KB70810 - Host Intrusion Prevention Signature 3776 triggers after applying Microsoft security update MS10-090

Message was edited by: ktankink on 3/7/11 4:08:31 PM CST
rphillips
Level 7

Re: Help with HIPS Event Please


This is exactly what I needed, thanks a ton.
