4 Replies Latest reply on Apr 3, 2012 5:32 PM by Kary Tankink

    Many threat source processes begin with **\

I'm getting a large number of HIPS event logs that begin with **\, for example:

**\CMD.EXE
**\CSCRIPT.EXE
**\WMIC.EXE
**\WMIPRVSE.EXE
**\FSPROCSVC.EXE
**\USERINIT.EXE
**\FS_DEVICECONTRO*
**\MCSCRIPT_INUSE.*

And several others. This looks suspicious, like it would be a good way to put a trojaned file anywhere in the file system path, and with that double * in front of it, it would be able to run.

Has anyone seen this before, is it normal, and is there any threat associated with it? Should exceptions to HIPS signatures use this kind of format, or is it too risky?

PG
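To make the question concrete, here is an added example (not McAfee code, and not posted by anyone in this thread) that models the documented HIPS wildcard convention: `**` matches any characters including path separators, while a single `*` matches only within one path component. The matcher, the audit helper and the sample process paths are all constructed for illustration; the real engine's edge cases (other wildcard characters, forward slashes) are not modelled.

```python
import re

# Added example, not McAfee code. Assumed HIPS wildcard semantics:
#   '**'  any run of characters, including backslashes (crosses directories)
#   '*'   any run of characters within a single path component (no backslashes)
# Windows paths are case-insensitive, so the match is too.

def hips_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a HIPS-style path pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r".*")          # may span any number of directories
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")      # stays inside one path component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the full path is covered by the HIPS pattern."""
    return hips_pattern_to_regex(pattern).fullmatch(path) is not None


def is_path_agnostic(pattern: str) -> bool:
    """A rule whose directory part is just '**' (e.g. '**\\CMD.EXE') constrains
    only the file name: a file with that name matches from any directory."""
    return pattern.startswith("**\\")


def audit_exceptions(patterns):
    """Return the exception rules that amount to 'this file name, anywhere'."""
    return [p for p in patterns if is_path_agnostic(p)]


# Constructed sample data: process paths as they might appear in HIPS events.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Users\Public\Downloads\cmd.exe",   # same name, user-writable location
    r"C:\Windows\System32\wbem\wmic.exe",
]


def which_match(pattern: str):
    """Sample paths covered by the pattern, in SAMPLE_PATHS order."""
    return [p for p in SAMPLE_PATHS if matches(pattern, p)]


if __name__ == "__main__":
    for pat in (r"**\CMD.EXE", r"C:\Windows\System32\CMD.EXE", r"*\CMD.EXE"):
        print(pat, "->", which_match(pat))
    print("path-agnostic rules:",
          audit_exceptions([r"**\CMD.EXE", r"C:\Windows\System32\userinit.exe"]))
```

Run as a script, the output shows the difference the poster is asking about: `**\CMD.EXE` covers both the System32 copy and the copy in a user-writable Downloads folder, the fully qualified pattern covers only System32, and `*\CMD.EXE` covers neither because a single `*` cannot cross the backslashes in a multi-level path. `audit_exceptions` is the check to run over an exception list before trusting it: every rule it returns is enforced on file name alone.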