I have a signature that comes up hundreds of times a day in our event logs and made an exception for it 2 weeks ago, but it still keeps popping up daily in our event logs, and the process still keeps getting blocked. The following is a summary of the exception.
Would it be safe to make C:\WINDOWS\system32\services.exe a trusted application instead?
Exception name: Network DoS Protection Settings Modified
Policy name: Policy - Servers (Template)
Created: Thu Jul 14 18:42:10 EDT 2011 by xxxx
Modified: Tue Jul 26 17:27:05 EDT 2011 by xxxx
Parameters: 1.new_data = 01000000
2.values = \REGISTRY\MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\SYNATTACKPROTECT
Users and groups: 1. NT Authority\Local System
Signatures: 1. 933
Hmm, what a dork. I might have answered my own question. The policy I made the exception on was not the policy applied to the OU the server was in.
Let me watch this a couple days and see if the event logs drop off.
Actually, the last part of my first post still stands though.
Is it safe to make C:\WINDOWS\system32\services.exe a trusted application? Or is that executable easily exploited by the bad guys?
Is it safe to make C:\WINDOWS\system32\services.exe a trusted application?
No, I would not recommend this.