1 Reply Latest reply on Sep 24, 2010 2:57 PM by jmcleish

    What a Conficker infection would look like

    msimard

      Hi all, I've just deployed HIPS for a company. The firewall is off at the customer's request, but the IPS is detecting a lot of intrusions triggered by a bad parameter in svchost.exe.

      The exact event is: Host intrusion (hip.Illegal_API_Use)

      event id: 18000

      threat name: 3961

      action: blocked

      api name: NetpwPathCanonicalize

      Vulnerability in Server Service Could Allow Remote Code Execution

      Now everywhere I look it seems to point to Conficker.

      The VS is 8.7, up to date; OS is XP SP2.

      If it really is a worm, would Conficker be clearly identified instead of that generic API stuff? Just wondering if I'm chasing ghosts or this is the real deal.

      Thanks.
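One way to answer the "ghost or real deal" question from the event data alone is to look at how often the blocked NetpwPathCanonicalize event recurs and from how many sources. A worm hitting the Server Service keeps retrying from many infected neighbours, whereas a stray scan or a false positive shows up once. The triage script below is an added example written for this thread, not code from the poster or from McAfee. It assumes the HIPS events are exported as blocks of "field: value" lines in the shape quoted in the post, and it assumes a "source" field carrying the remote address of each attempt; the post does not show that field, so the sample events here are constructed.

```python
"""Triage of blocked 'Illegal API Use' HIPS events of the kind quoted in the post.

Added example for this thread; not code from the poster or from McAfee.
Assumes events are exported as blank-line-separated blocks of 'field: value'
lines (as pasted in the post) plus an assumed 'source' field with the remote
address, which the post does not show but which correlation needs.
"""
from collections import Counter

# The API the post's event names as the Server Service attack vector.
# Only the API actually shown in the thread is listed here.
SERVER_SERVICE_APIS = {"NetpwPathCanonicalize"}

# Constructed sample export: three blocked attempts from one source, one from
# another, and one unrelated event that must not be counted.
SAMPLE_EXPORT = """
event id: 18000
threat name: 3961
action: blocked
api name: NetpwPathCanonicalize
source: 10.0.0.15

event id: 18000
threat name: 3961
action: blocked
api name: NetpwPathCanonicalize
source: 10.0.0.15

event id: 18000
threat name: 3961
action: blocked
api name: NetpwPathCanonicalize
source: 10.0.0.15

event id: 18000
threat name: 3961
action: blocked
api name: NetpwPathCanonicalize
source: 10.0.0.20

event id: 18000
threat name: 1234
action: blocked
api name: SomeOtherApi
source: 10.0.0.15
"""


def parse_events(text):
    """Split an export into event dicts; blank lines separate events.

    Keys are lower-cased and stripped so 'api name' and 'API Name : x' match.
    """
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    if current:
        events.append(current)
    return events


def triage(events, repeat_threshold=3):
    """Count blocked Server Service API hits per source and give a verdict.

    repeat_threshold is an arbitrary cut-off chosen for this example: a source
    that reaches it is treated as retrying, which is worm-like behaviour.
    """
    hits = Counter()
    for ev in events:
        if (ev.get("api name") in SERVER_SERVICE_APIS
                and ev.get("action", "").lower() == "blocked"):
            hits[ev.get("source", "unknown")] += 1
    repeat_sources = {src: n for src, n in hits.items() if n >= repeat_threshold}
    if not hits:
        verdict = "no blocked Server Service API hits"
    elif repeat_sources:
        verdict = ("repeated attempts from %d source(s): treat as active worm-style "
                   "scanning; isolate and scan those hosts" % len(repeat_sources))
    else:
        verdict = "isolated hits: possibly a one-off scan or false positive; keep monitoring"
    return {"hits": dict(hits), "repeat_sources": repeat_sources, "verdict": verdict}


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_EXPORT))
    for src, n in sorted(summary["hits"].items()):
        print("%-12s %d blocked attempt(s)" % (src, n))
    print(summary["verdict"])
```

The "source" field is the important assumption: without it the script can only count how often the signature fired on the protected host, which still distinguishes a single event from a steady stream but cannot tell one noisy neighbour from many. The threshold is deliberately low because even a few retries of the same Server Service call from one internal address is worth a look at that address.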