PJRD
Level 7
Message 1 of 3

Host IPS blocking taskhostw.exe and poqexec.exe

Good morning all,

Please forgive me, I am fairly new to the industry.

For the past few days, I have been noticing an increase in HIPS signatures triggered for these 2 subject processes. Triggered Sig IDs 6091 and 3829.

Based on my research, these 2 processes are tied to Windows Update and are part of the Windows OS. I was able to verify their legitimacy based on research as far as their supposed location/size and hash value.

At the same time, I also saw some not-so-good information that they could be used maliciously.

Talking to our systems guys, they are not seeing any out-of-the-ordinary update failures in the environment. So I just do not know what kind of negative impact happens when they get blocked by HIPS.

I guess I have 2 questions:

1. Does anyone have any more information/experience about these 2 processes as to what they do?

2. How can I safely trust these processes without opening a door for a potential breach in the future?

I appreciate all the input,

Paolo D.

2 Replies
Pravas
McAfee Employee
Message 2 of 3

Re: Host IPS blocking taskhostw.exe and poqexec.exe

Hi @PJRD ,

The roles of the signatures are as follows.

6091

This event indicates that an attempt was made to modify Image File Execution Options registry key by a non-trusted process.

3829

This event could indicate an attempt to exploit a vulnerability in Microsoft Windows that could allow successful attackers to maintain access to confidential information. A successful exploit would allow a user with administrative permissions to no longer need a username or password to access the computer in the future.

If the events are triggered only during Windows updates, then it could potentially be a false positive.

You may have to look into the logs for the process in question and check if these can be excluded.

Thanks


PJRD
Level 7
Message 3 of 3

Re: Host IPS blocking taskhostw.exe and poqexec.exe

I appreciate the response,

If this turns out to be a false positive and I want to make an exclusion, can I do that by simply making a new HIPS exclusion?

Are there additional ways to make sure we are excluding the process from Microsoft?

Thanks
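
One way to check the two binaries on an affected host before creating an exclusion, as an added example that is not part of the original thread or McAfee's own guidance. It assumes both files live in `%SystemRoot%\System32` and that a genuine copy carries a valid signature whose subject contains `O=Microsoft Corporation`; the function name `Test-MicrosoftSigned` is hypothetical. It also lists what is currently set under the Image File Execution Options key that signature 6091 guards.

```powershell
# Added example. Assumption: both binaries are expected in %SystemRoot%\System32.
$names = 'taskhostw.exe', 'poqexec.exe'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Status = 'Missing'; Signer = $null; SHA256 = $null; Trusted = $false
        }
    }

    # Signature status and signer; the hash is recorded for comparison across hosts.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        SHA256  = $hash
        # Trusted only when the signature validates AND the signer is Microsoft.
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

$names |
    ForEach-Object { Test-MicrosoftSigned -Path (Join-Path $env:SystemRoot "System32\$_") } |
    Format-List

# Review existing Image File Execution Options entries that carry a Debugger value,
# so the current state of the key is known before any HIPS exclusion is added.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
    }
} | Format-Table -AutoSize
```

A copy of either file that reports `Trusted = False`, or that runs from a different directory, should not be covered by an exclusion that matches on file name alone.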
