Good morning all,
Please forgive me, I am fairly new to the industry.
For the past few days, I have been noticing an increase in HIPS signatures triggered for these 2 subject processes. The triggered Sig IDs are 6091 and 3829.
Based on my research, these 2 processes are tied to Windows Update and are part of the Windows OS. I was able to verify their legitimacy based on research as far as their supposed location/size and hash value.
At the same time, I also saw not-so-good information, as they could be used maliciously.
Talking to our systems guys, they are not seeing any out-of-the-ordinary update failures in the environment. So I just do not know what kind of negative impact happens when they get blocked by HIPS.
I guess I have 2 questions:
1. Does anyone have any more information/experience about these 2 processes as to what they do?
2. How can I safely trust these processes without opening a door for a potential breach in the future?
I appreciate all the input,
Paolo D.
Hi @PJRD ,
The roles of the signatures are as follows.
6091
This event indicates that an attempt was made to modify Image File Execution Options registry key by a non-trusted process.
3829
This event could indicate an attempt to exploit a vulnerability in Microsoft Windows that could allow successful attackers to maintain access to confidential information. A successful exploit would allow a user with administrative permissions to no longer need a username or password to access the computer in the future.
If the events are triggered only during Windows updates, then they could potentially be false positives.
You may have to look into the logs for the process in question and check if these can be excluded.
Thanks
Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!
I appreciate the response,
If this turns out to be a false positive and we want to make an exclusion, can I do that by simply making a new HIPS exclusion?
Are there additional ways to make sure we are excluding the process from Microsoft?
Thanks
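As an added example (not code from this thread or from the HIPS vendor), the following PowerShell check covers the "is this really the Microsoft binary" part of the question before an exclusion is written: it confirms the file sits under the Windows directory, carries a valid Authenticode signature chaining to Microsoft, and records its SHA256 for the exclusion ticket. The process names from the thread are not shown above, so the path is a placeholder to replace with the full path from the HIPS event; note that a valid signature proves the file is Microsoft's, not that every action it took (such as an IFEO write) was legitimate.

```powershell
# Added example: verify a HIPS-flagged executable is a Microsoft-signed Windows
# binary before considering a HIPS exclusion. $ExePath is a placeholder.
param(
    [string]$ExePath = "C:\Windows\System32\PLACEHOLDER.exe"   # placeholder path
)

function Test-MicrosoftBinary {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Exists = $false; InWindowsDir = $false
        SignatureValid = $false; Signer = $null; SHA256 = $null; Trusted = $false
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]$result
    }
    $result.Exists = $true
    $resolved = (Resolve-Path -LiteralPath $Path).Path

    # 1. Location: a Windows Update component belongs under %SystemRoot%,
    #    not in a user-writable directory such as Temp or a profile folder.
    $result.InWindowsDir = $resolved.StartsWith(
        $env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)

    # 2. Authenticode: status must be Valid (covers catalog-signed system
    #    files on current Windows) and the signer must be Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }
    $signerIsMicrosoft = [bool]($result.Signer -match 'O=Microsoft Corporation')

    # 3. Hash: compare with the value in the HIPS event and keep it with the
    #    exclusion so a later file change is noticed.
    $result.SHA256 = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash

    $result.Trusted = $result.InWindowsDir -and $result.SignatureValid -and $signerIsMicrosoft
    return [pscustomobject]$result
}

Test-MicrosoftBinary -Path $ExePath | Format-List
```

If Trusted comes back False, treat the event as a real alert rather than a candidate for exclusion, and exclude by full path and signer rather than by process name alone so a same-named binary elsewhere does not inherit the exclusion.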