greatscott
Level 12

<SYSTEMREMOTECLIENT> as threat source process name?

Does anyone know what <SYSTEMREMOTECLIENT> means when it is in the threat source process name field in an IPS event? Is there any good way to create exceptions for these? I have tried with little success to create an exception for such an event. Here is the event in question (sensitive data X'ed out). The threat source process hostname and IP are the same as the threat source process hostname and IP.

Server ID:EPO123
Event Received Time:11/14/13 10:12:38 AM
Event Generated Time:11/14/13 8:49:45 AM
Agent GUID:XXXXXXXXX-7682-XXXX-XXXX-XXXX
Detecting Prod ID (deprecated):HOSTIPS_8000
Detecting Product Name:McAfee Host Intrusion Prevention
Detecting Product Version:8.0.0
Detecting Product Host Name:XXXXX
Detecting Product IPv4 Address:192.168.0.2
Detecting Product IP Address:192.168.0.2
Detecting Product MAC Address:XXXXX
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source IPv4 Address:192.168.0.2
Threat Source IP Address:192.168.0.2
Threat Source MAC Address:
Threat Source User Name:XXXXX
Threat Source Process Name:<SYSTEMREMOTECLIENT>
Threat Source URL:file:///<SYSTEMREMOTECLIENT>
Threat Target Host Name:XXXXX
Threat Target IPv4 Address:192.168.0.2
Threat Target IP Address:192.168.0.2
Threat Target MAC Address:XXXXX
Threat Target User Name:
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:
Event Category:File system
Event ID:18000
Threat Severity:Information
Threat Name:1265
Threat Type:Create, Read, Write, Attribute
Action Taken:Permitted
Threat Handled:false
Analyzer Detection Method:

Threat events received from managed systems

Event Description:Host intrusion detected and handled

Host IPS 8.0 Event Information

Drive Type HardDrive
ePO Reachable False
Files D:\Ingestion\Q3\1052-1264\20131114\6f05ddcc-3ab2-4987-be3b-f77749d836f8.pdf
In Trusted Network Unknown
Workstation Name XXXXX
0 Kudos
2 Replies
McAfee Employee

Re: <SYSTEMREMOTECLIENT> as threat source process name?

<SYSTEMREMOTECLIENT> is the remote system's SYSTEM account process. I tested a (custom) signature that uses this process name and wrote an IPS exception for it (created it straight from the ePO event), and it worked fine.

11-25 15:02:35 [05752] VIOLATION: [1] ------- Violation  Logged ---- Size 620 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4003"
  SignatureName="File creation"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="&lt;SYSTEMREMOTECLIENT&gt;"
  IncidentTime="2013-11-25 15:02:32"
  AllowEx="False"
  SigRuleClass="Files"
  ProcessId="4"
  Session="0"
  SigRuleDirective="create,read,write"/>
  <Params>
    <Param name="Workstation Name" allowex="True">XXXXXXXXXX</Param>
    <Param name="files" allowex="True">C:\temp\putty2.exe</Param>
    <Param name="drive type" allowex="True">HardDrive</Param>
  </Params>
</Event>

------------------------------

Exception {
   Class Files
   Id 4003
   files { Include {C:\temp\putty2.exe} }
   drive_type { Include HardDrive }
   Executable { Include { -path <SYSTEMREMOTECLIENT>  @Id 730} }
   domain_user_name { Include {NT AUTHORITY\SYSTEM} }
   wrkstn_name { Include XXXXXXXXXX }
   directives files:create files:write files:execute files:delete files:rename files:attribute files:permissions
}

0 Kudos
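Working from the violation-log excerpt in the reply above, the following is an added Python example (not McAfee's code and not the reply author's) that parses the <Event> blocks of a Host IPS violation log, flags Files-class events attributed to <SYSTEMREMOTECLIENT>, and drafts an exception in the text form shown, scoped to the event's own directives rather than every files: directive. The sample log text, the workstation name and the executable @Id are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

REMOTE_SYSTEM = "<SYSTEMREMOTECLIENT>"  # pseudo process name HIPS uses for the remote machine's SYSTEM account

# Constructed sample: the <Event> quoted in the reply above, workstation name replaced by a placeholder.
SAMPLE_LOG = r"""11-25 15:02:35 [05752] VIOLATION: [1] ------- Violation  Logged ---- Size 620 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="4003" SignatureName="File creation" SeverityLevel="4" Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM" Process="&lt;SYSTEMREMOTECLIENT&gt;" IncidentTime="2013-11-25 15:02:32"
  AllowEx="False" SigRuleClass="Files" ProcessId="4" Session="0" SigRuleDirective="create,read,write"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WKSTN-PLACEHOLDER</Param>
    <Param name="files" allowex="True">C:\temp\putty2.exe</Param>
    <Param name="drive type" allowex="True">HardDrive</Param>
  </Params>
</Event>
"""

def parse_violations(log_text):
    """One dict per <Event> in a HIPS violation log: EventData attributes plus {param: (allowex, value)}."""
    events = []
    for block in re.findall(r"<Event>.*?</Event>", log_text, re.S):
        root = ET.fromstring(block)  # XML entities (&lt; &gt;) are decoded here
        ev = dict(root.find("EventData").attrib)
        ev["params"] = {p.get("name"): (p.get("allowex") == "True", p.text) for p in root.iter("Param")}
        events.append(ev)
    return events

def remote_system_file_events(events):
    """Files-class events attributed to the remote SYSTEM pseudo-process (file activity on behalf of a remote client)."""
    return [ev for ev in events if ev.get("Process") == REMOTE_SYSTEM and ev.get("SigRuleClass") == "Files"]

def exception_draft(ev, exe_id="<EXE-ID-PLACEHOLDER>"):
    """Draft an exception in the text form shown in the reply, scoped to this event's own directives.
    Only params flagged allowex="True" are used; exe_id stands in for the @Id HIPS assigns to the executable."""
    p = {name: val for name, (ok, val) in ev["params"].items() if ok}
    out = [
        "Exception {",
        f"   Class {ev['SigRuleClass']}",
        f"   Id {ev['SignatureID']}",
        f"   files {{ Include {{{p['files']}}} }}",
        f"   drive_type {{ Include {p['drive type']} }}",
        f"   Executable {{ Include {{ -path {ev['Process']} @Id {exe_id}}} }}",
        f"   domain_user_name {{ Include {{{ev['ProcessUserName']}}} }}",
        f"   wrkstn_name {{ Include {p['Workstation Name']} }}",
        "   directives " + " ".join(f"files:{d}" for d in ev["SigRuleDirective"].split(",")),
        "}",
    ]
    return "\n".join(out)
```

Review the flagged events (remote host, user, file path) before turning a draft into a real exception; the draft is deliberately narrower than the one in the reply.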
greatscott
Level 12

Re: <SYSTEMREMOTECLIENT> as threat source process name?

Kinda what I suspected. Thank you.

0 Kudos