11 Replies. Latest reply on Nov 9, 2011 3:48 PM by Kary Tankink

    HIPS 7.0.0.1159 and spoolsv.exe

    kink80

      I am seeing multiple entries on one machine that reference spoolsv.exe. Has anyone seen this? Is this malware related? I have included an example below. Thanks.

      Event Type:   McAfee Host Intrusion Prevention
      IP Address:   0.0.0.0
      Sniffer CAP:
      Class:    0
      Directives:   0
      Severity:   4
      Signature ID:   2779
      Reaction:   Deny
      Warning:   (null)
      Exceptions Allowed:  False
      Event Time:   2011-10-18 02:56:58
      Event Class:   Files
      User Name:   NT Authority\Local System
      User Groups:
      Path:    C:\WINDOWS\system32\spoolsv.exe

  • 1. Re: HIPS 7.0.0.1159 and spoolsv.exe
    Kary Tankink

    This is related to a new HIGH severity signature from Oct 2011 content.  This signature prevents the SPOOLSV.EXE process from executing a .TMP file, which is how the TDSS Rootkit is installed.  Submit samples of .TMP files to McAfee Labs for analysis, and find out what's writing these temp files (and resolve this).  Spoolsv.exe executing a .TMP file is highly suspicious.

    http://www.mcafee.com/us/content-release-notes/host-intrusion-prevention/index.aspx

    [New] Sig 2779: TDSS Rootkit Infection
    Description:
    This event indicates an attempt to infect the system by TDSS rootkit
    - This signature is set to HIGH by default.

  • 2. Re: HIPS 7.0.0.1159 and spoolsv.exe

    We have recently gotten several calls from users who got this HIPS intrusion detection sig 2779, and in all cases the users were printing a PDF file from an Outlook email or from IE.  Looking at the logs, it is the spoolsv.exe executing a z@xxxx.tmp file that is the culprit.  These z@xxx.tmp files are synonymous with printing PDF files.  In our cases the users are on Windows XP with various versions of Adobe Acrobat, and it's not the same file, but not all files, that are causing this when printed, so it's very odd.  After thorough investigation, these machines all seem clean of TDSS.  Not sure where this threat is coming from or if some PDF files have something particular about them that is causing this... any more insight would be appreciated!

  • 3. Re: HIPS 7.0.0.1159 and spoolsv.exe
    Kary Tankink

    I would suggest contacting the application vendor (Adobe) that is performing this action.  Execution of .tmp files by spoolsv.exe is how the TDSS rootkit is being installed, and while your specific situation may not be a rootkit install attempt, this application behavior should be reviewed.

  • 4. Re: HIPS 7.0.0.1159 and spoolsv.exe
    kink80

    Thanks for the advice Kary. We are now checking the machine for any malware that may be present. In our case the files were C:\WINDOWS\TEMP\psfxxxx.tmp files being blocked, not z@xxx.tmp files.

  • 5. Re: HIPS 7.0.0.1159 and spoolsv.exe
    kink80

    We disabled system restore and ran a full scan of the machine and only found a Generic PWS.ch (Trojan). The machine continues to get the 2779 events. Would this be a false positive?

  • 6. Re: HIPS 7.0.0.1159 and spoolsv.exe

    It is my opinion that HIPS signature 2779 is flawed and triggering false positives.  I believe the spoolsv.exe process is reading .tmp files from the temp directory in processing a print job, which is normal.  However, for whatever reason, and not on every PDF file or other file types that first create .tmp files before printing, HIPS seems to see the spoolsv.exe process as executing on some of these .tmp files, which is the signature, and triggers the TDSS rootkit infection attempt alert.  After extensive investigation, there is no evidence of the TDSS rootkit so far, which is not to say that there isn't a very small chance that it's a very new and extremely well hidden rootkit.  But with all due respect, I think this signature is triggering false positive intrusion detections for the TDSS rootkit.

  • 7. Re: HIPS 7.0.0.1159 and spoolsv.exe
    kink80

    I would tend to believe that my detection is a false positive as well. We followed the instructions on McAfee Labs to detect and remove the TDSS Rootkit but no rootkit was found. All Engines and DATs are up to date. I still get ~2500 hits on the 2779 every day from the same machine.
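With ~2500 Sig 2779 denies a day from one host, the practical triage step is to split them by which .tmp the spooler was blocked from executing: the psfxxxx.tmp (post 4) and z@xxxx.tmp (post 2) names that the thread associates with PDF print jobs versus anything else, which is what should go to McAfee Labs as a sample. The script below is an added example, not code from McAfee or anyone in this thread; it parses the key/value record layout quoted in the question over a constructed sample, and the "Target:" field it reads is a hypothetical addition, since the quoted record only shows the Path of spoolsv.exe.

```python
import re
from collections import Counter

# Constructed sample in the "Key:   value" layout quoted in the question. "Target:" is a
# hypothetical field carrying the blocked .tmp path; the record quoted in the thread
# shows only the Path of spoolsv.exe.
SAMPLE_LOG = r"""
Event Type:   McAfee Host Intrusion Prevention
Signature ID:   2779
Path:    C:\WINDOWS\system32\spoolsv.exe
Target:    C:\WINDOWS\TEMP\psf3a1c.tmp
Event Type:   McAfee Host Intrusion Prevention
Signature ID:   2779
Path:    C:\WINDOWS\system32\spoolsv.exe
Target:    C:\DOCUME~1\USER\LOCALS~1\Temp\z@1f2e.tmp
Event Type:   McAfee Host Intrusion Prevention
Signature ID:   2779
Path:    C:\WINDOWS\system32\spoolsv.exe
Target:    C:\WINDOWS\TEMP\update.tmp
"""
# .tmp names the thread ties to PDF print jobs: psfNNNN.tmp under C:\WINDOWS\TEMP
# (post 4) and z@NNNN.tmp (post 2). Anything else the spooler executes is "other".
PRINT_JOB_TMP = re.compile(r"(?i)^(c:\\windows\\temp\\psf[^\\]*\.tmp|.*\\z@[^\\]*\.tmp)$")

def parse_events(text):
    """One dict per event; a new event starts at each 'Event Type' line."""
    events, current = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        if key == "Event Type":
            current = {}
            events.append(current)
        if key and current is not None:
            current[key] = value.strip()
    return events

def triage_sig2779(events):
    """Count spoolsv.exe Sig 2779 denies by target class and list the 'other' targets."""
    counts, other_targets = Counter(), set()
    for ev in events:
        if (ev.get("Signature ID") != "2779"
                or not ev.get("Path", "").lower().endswith("\\spoolsv.exe")):
            continue
        target = ev.get("Target", "")
        if PRINT_JOB_TMP.match(target):
            counts["print_job_tmp"] += 1   # expected print-path noise; still raise with the vendor
        else:
            counts["other_tmp"] += 1       # unexplained: submit this file as a sample
            other_targets.add(target)
    return dict(counts), sorted(other_targets)
```

Run against a real export, the "other_tmp" list is the short set of files to hash and submit, while a large "print_job_tmp" count on a host with a local printer points at the print path rather than at an infection.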

  • 8. Re: HIPS 7.0.0.1159 and spoolsv.exe

    By any chance, on that machine where you are getting ~2500 hits per day, is there a local printer installed, specifically an HP?  Another commonality I have discovered with our intrusion detections is that the particular users who are getting this have a local HP printer installed.

  • 9. Re: HIPS 7.0.0.1159 and spoolsv.exe
    kink80

    Yes, there is a local HP printer installed on this machine: an HP LaserJet P1505.
