1 Reply Latest reply on Sep 24, 2010 2:57 PM by jmcleish

    What a Conficker infection would look like


      Hi all, I've just deployed HIPS for a company. The firewall is off at the customer's request, but the IPS is detecting a lot of intrusions triggered by a bad parameter in svchost.exe.


      The exact event is: Host intrusion (hip.Illegal_API_Use)


      event id: 18000

      threat name : 3961

      action : blocked


      api name: NetpwPathCanonicalize

      Vulnerability in Server Service Could Allow Remote Code Execution


      Now everywhere I look, it seems to point to Conficker.


      The VS is 8.7, up to date; the OS is XP SP2.


      If it is really a worm, would Conficker be clearly identified instead of that generic API stuff? Just wondering if I'm chasing a ghost or this is the real deal.