Please forgive me, I am fairly new to the industry.
For the past few days, I am noticing an increase with HIPS signature triggered for these 2 subject processes. Triggered Sig ID 6091 and 3829.
Based on my research, these 2 processes are tied to Windows update and part of Windows OS. I was able to verify their legitimacy based on research as far as their supposedly location/size and hash value.
At the same time, I also saw not so good information as they could be used maliciously.
Talking to our systems guys, they are not seeing anything out of the ordinary update failures in the environment. So I just do not know what kind of negative impact happens when they get blocked by HIPS.
I guess I have 2 questions:
1. Does anyone have any more information/experience about these 2 processes as to what they do?
2. How can I safely trust these processes without opening a door for potential breach in the future?
This event indicates that an attempt was made to modify Image File Execution Options registry key by a non-trusted process.
This event could indicate an attempt to exploit a vulnerability in the Microsoft Windows that could allow successful attackers to maintain access to confidential information. A successful exploit would allow a user with administrative permissions to no longer need a username or password to access the computer in the future.
If the events are triggered only during windows updates then it could be potentially false positive.
You may have to look into the logs for the process in question and check if these can be excluded.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.