Hi all, I've just deployed HIPS for a company. The firewall is off at the customer's request, but the IPS is detecting a lot of intrusions triggered by a bad parameter in svchost.exe.
The exact event is:
Host intrusion (hip.Illegal_API_Use)
Event ID: 18000
Threat name: 3961
Action: blocked
API name: NetpwPathCanonicalize
Vulnerability in Server Service Could Allow Remote Code Execution
Now everywhere I look it seems to point to Conficker.
The VS is 8.7, up to date; the OS is XP SP2.
If it is really a worm, wouldn't Conficker be clearly identified instead of that generic API stuff? Just wondering if I'm chasing ghosts or this is the real deal.
Sorry, I don't use HIPS, but have a look at the info here:
and there's a detection tool too.
Also this site here:
We had a bunch of unpatched eval thin clients that got infected with Conficker when it came out, and we noticed that there were multiple account logons in the security event log (we audit logons). VirusScan blocked it and traced the source to the thin clients.
Also, we ended up disabling autorun on the domain.
I'm amazed at how many people's home machines must be infected, still with Conficker, as we are still detecting it at work.
Jane
Message was edited by: jmcleish on 24/09/10 14:57:17 CDT
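The two posts above together describe the pattern a defender can actually triage: the HIPS block on NetpwPathCanonicalize (event 18000, threat 3961) fired on many hosts, and the security event log showing one source trying many accounts. The script below is an added example written for this thread, not code from either poster or from the HIPS product. It parses constructed, key=value style log lines (the layout and the host names and addresses are invented for the example; the XP audit event 529 for a failed logon is a real event ID but the field names are assumed), groups both kinds of events by source address, and says which sources look like a worm scanning the network versus an isolated event worth verifying before escalating.

```python
"""Correlate HIPS 'Illegal API use' blocks with audited logon failures.

Added example for the thread above: all log lines below are constructed,
and the key=value layout is an assumption, not the HIPS product's format.
"""
import re
from collections import defaultdict

# Constructed HIPS events: the fields mirror the ones quoted in the thread
# (event_id 18000, threat 3961, api NetpwPathCanonicalize, action blocked);
# 'src' is the peer that sent the bad RPC request to 'host'.
HIPS_EVENTS = """\
time=2010-09-24T13:01:02 host=WS-0101 src=10.0.5.41 event_id=18000 sig=hip.Illegal_API_Use threat=3961 api=NetpwPathCanonicalize proc=svchost.exe action=blocked
time=2010-09-24T13:01:09 host=WS-0102 src=10.0.5.41 event_id=18000 sig=hip.Illegal_API_Use threat=3961 api=NetpwPathCanonicalize proc=svchost.exe action=blocked
time=2010-09-24T13:01:15 host=WS-0117 src=10.0.5.41 event_id=18000 sig=hip.Illegal_API_Use threat=3961 api=NetpwPathCanonicalize proc=svchost.exe action=blocked
time=2010-09-24T13:02:40 host=WS-0131 src=10.0.7.9 event_id=18000 sig=hip.Illegal_API_Use threat=3961 api=NetpwPathCanonicalize proc=svchost.exe action=blocked
"""

# Constructed security-log lines: XP audit event 529 is a failed logon
# (unknown user name or bad password). One source hammers several accounts,
# another is a single user mistyping a password twice.
LOGON_EVENTS = """\
time=2010-09-24T13:00:50 host=WS-0101 event_id=529 user=administrator src=10.0.5.41
time=2010-09-24T13:00:51 host=WS-0101 event_id=529 user=admin src=10.0.5.41
time=2010-09-24T13:00:52 host=WS-0101 event_id=529 user=backup src=10.0.5.41
time=2010-09-24T13:00:53 host=WS-0101 event_id=529 user=guest src=10.0.5.41
time=2010-09-24T13:05:10 host=WS-0140 event_id=529 user=jsmith src=10.0.9.3
time=2010-09-24T13:05:25 host=WS-0140 event_id=529 user=jsmith src=10.0.9.3
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def correlate(hips_text, logon_text, min_targets=2, min_users=3):
    """Group both event kinds by source address and give each source a verdict.

    min_targets: distinct hosts a source must hit with the API block before
                 it counts as scanning (a worm walks the subnet; a false
                 positive usually involves one host).
    min_users:   distinct accounts a source must fail against before it counts
                 as password guessing.
    """
    api_targets = defaultdict(set)
    for ev in parse(hips_text):
        if ev.get("event_id") == "18000" and ev.get("api") == "NetpwPathCanonicalize":
            api_targets[ev["src"]].add(ev["host"])

    logon_users = defaultdict(set)
    logon_failures = defaultdict(int)
    for ev in parse(logon_text):
        if ev.get("event_id") == "529":
            logon_users[ev["src"]].add(ev["user"].lower())
            logon_failures[ev["src"]] += 1

    verdicts = {}
    for src in sorted(set(api_targets) | set(logon_users)):
        targets = len(api_targets[src])
        users = len(logon_users[src])
        if targets >= min_targets and users >= min_users:
            verdict = "likely worm source: exploit attempts on many hosts plus password guessing"
        elif targets >= min_targets:
            verdict = "likely worm source: exploit attempts on many hosts"
        elif users >= min_users:
            verdict = "password guessing from this host; inspect it"
        else:
            verdict = "isolated event; verify before escalating"
        verdicts[src] = {
            "targets": targets,
            "logon_users": users,
            "logon_failures": logon_failures[src],
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for src, info in correlate(HIPS_EVENTS, LOGON_EVENTS).items():
        print(f"{src:12} hosts={info['targets']} accounts={info['logon_users']} "
              f"failures={info['logon_failures']}  {info['verdict']}")
```

On the constructed data, 10.0.5.41 hits three hosts with the blocked API call and fails against four accounts, so it is flagged as the worm source to isolate and clean; 10.0.7.9 triggered a single block and 10.0.9.3 is one user with two bad passwords, both left as "verify" rather than escalated. The thresholds are knobs: a HIPS block on one host can be a false positive, but the same block from the same peer against most of a subnet is the signature of a worm walking the network, which is what the first poster was trying to distinguish.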