3 Replies Latest reply on Jul 22, 2011 11:27 AM by mtareiq

    HIPS False Positive 3961 Events? I'm not sure.

      Hello everyone,

      I've been investigating some alerts the last few days without coming up with a successful conclusion, so I've decided to bring my question to the pros. I run a daily HIPS report showing the top blocked signatures, and quite often I see the 'Vulnerability in Server Service Could Allow Remote Code Execution' signature at the top of the list. The few articles that I've found on this event show that it is related to the Conficker worm.

      I have run Conficker detection scans on the target system and they have come up clean. I don't believe that Conficker is the source of the alert. Can someone shed some insight as to what I might be dealing with here? I know that HIPS is actively blocking the requests, but I would like to find the root cause of the issue.

      Here is the event information for your reference:

      -------------------------------------------------------------------

      Server ID: (epo server)
      Event Received Time (UTC): 6/29/2011 16:11
      Event Generated Time (UTC): 6/29/2011 11:55
      Agent GUID: GUID
      Detecting Prod ID (deprecated): HOSTIPS_META
      Detecting Product Name: McAfee Host Intrusion Prevention
      Detecting Product Version: 7.0.0
      Detecting Product Host Name: hostname
      Detecting Product IPv4 Address: ip4address
      Detecting Product IP Address:
      Detecting Product MAC Address:
      DAT Version:
      Engine Version:
      Threat Source Host Name:
      Threat Source IPv4 Address: same as detecting host
      Threat Source IP Address:
      Threat Source MAC Address:
      Threat Source User Name: NT Authority\Local System
      Threat Source Process Name: C:\WINDOWS\System32\svchost.exe
      Threat Source URL: file:///C:\WINDOWS\System32\svchost.exe
      Threat Target Host Name: hostname
      Threat Target IPv4 Address: same as source host
      Threat Target IP Address:
      Threat Target MAC Address:
      Threat Target User Name:
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:
      Event Category: Host intrusion (hip.Illegal_API_Use)
      Event ID: 18000
      Threat Severity: Critical
      Threat Name: 3961
      Threat Type: bad_parameter
      Action Taken: Blocked
      Threat Handled: TRUE
      Analyzer Detection Method:

      -----------------------------------------------------------------

      Please let me know if there is any additional information I can give you to help you help me.

      Thanks everyone!
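One triage step the post's record lends itself to is separating self-originated hits (source address equal to the detecting host's own address, as in the event above) from network-originated ones, since a daily "top signatures" count alone hides that distinction. The script below is an added example written for this thread, not code from the original poster or from McAfee; it parses the flattened "Field: value" export format shown above and aggregates signature 3961 events by origin and source process. The two sample records and the addresses in them are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample: two event records in the flattened "Field: value" layout
# of the ePO event export quoted in the post. Addresses are placeholders.
SAMPLE_EVENTS = """\
Event Generated Time (UTC): 6/29/2011 11:55
Detecting Product Host Name: hostname
Detecting Product IPv4 Address: 10.0.0.5
Threat Source IPv4 Address: 10.0.0.5
Threat Source User Name: NT Authority\\Local System
Threat Source Process Name: C:\\WINDOWS\\System32\\svchost.exe
Threat Target IPv4 Address: 10.0.0.5
Event Category: Host intrusion (hip.Illegal_API_Use)
Threat Name: 3961
Action Taken: Blocked

Event Generated Time (UTC): 6/29/2011 12:03
Detecting Product Host Name: hostname
Detecting Product IPv4 Address: 10.0.0.5
Threat Source IPv4 Address: 10.0.0.77
Threat Source User Name:
Threat Source Process Name:
Threat Target IPv4 Address: 10.0.0.5
Event Category: Host intrusion (hip.Illegal_API_Use)
Threat Name: 3961
Action Taken: Blocked
"""

# Key is everything up to the first colon; value may be empty (blank fields
# in the export) or may itself contain colons (timestamps, Windows paths).
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_events(text):
    """Split the export on blank lines and turn each record into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group("key").strip()] = m.group("value").strip()
        if fields:
            events.append(fields)
    return events


def origin(event):
    """'local' when the source address is the detecting host's own address,
    'remote' when it is a different address, 'unknown' when either is blank."""
    src = event.get("Threat Source IPv4 Address", "")
    host = event.get("Detecting Product IPv4 Address", "")
    if not src or not host:
        return "unknown"
    return "local" if src == host else "remote"


def summarize(events, signature="3961"):
    """Count hits for one signature by (origin, source process) so a report
    can show self-originated and network-originated events separately."""
    counts = Counter()
    for ev in events:
        if ev.get("Threat Name") != signature:
            continue
        process = ev.get("Threat Source Process Name") or "<blank>"
        counts[(origin(ev), process)] += 1
    return counts


if __name__ == "__main__":
    for (where, proc), n in sorted(summarize(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{n:4d}  {where:7s}  {proc}")
```

Running it against a real export (replace `SAMPLE_EVENTS` with the file contents) gives two buckets for signature 3961: hits where the blocked call came from a process on the host itself, and hits where the source address belongs to another machine. The first bucket is where the poster's Conficker scan results are relevant; the second points at whatever hosts are reaching the Server service over the network and is worth correlating with firewall or netflow data.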