3 Replies Latest reply on Jun 29, 2012 1:09 PM by knoxeric

    WMI and TFTP Activity

      I am seeing a lot of entries in our AP logs on PCs for the following:

      Blocked by Access Protection rule NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\tftp.exe Anti-virus Standard Protection:Prevent use of tftp.exe Action blocked : Read

      I've seen a lot of reports of this via search engines but no information on root cause. PCs in question are running Windows XP SP3.

      Any ideas?
        • 1. Re: WMI and TFTP Activity

          I've been trying to figure this out also.  I'm still not sure what the root cause is, but I used Process Monitor to log activity and here is what I found:

          Svchost.exe starts a new thread and looks up some registry keys in HKLM\SOFTWARE\Microsoft\COM3, HKLM\SOFTWARE\Microsoft\Ole, and a bunch of Classes and AppIDs under HKCR and HKU\S-1-5-20 (the network service security ID).  It also looks at wmiprvse.exe a couple times and various other registry entries and files, including C:\Windows\AppPatch\sysmain.sdb.  Then it starts a new process using "C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding".  That wmiprvse.exe process then looks at a bunch of files (not sure if it is all of them) in the C:\Windows\system32 folder, some other folders and files, and some registry entries, including some that Svchost.exe was looking at.  When it tries to look at tftp.exe, VirusScan blocks it.  I'm not familiar enough with Process Monitor logs and the inner workings of Windows to determine exactly what it is really doing in plain English.  My guess is that VSS or COM+ or Windows Updates or WGA or something else is cataloging the system.

          I didn't get the warning using VSE 8.5.  It only started showing up when I installed VSE 8.7.  It shows up about once every 24 hours on each system.

          I don't get the VS warning on our Vista systems (tftp.exe isn't there), our Windows 2003 Server system, or a few of our XP systems.  It does occur on most of our XP systems.  I haven't been able to determine anything different about those few XP systems that don't generate the VS warning.

          Jay

          • 2. Re: WMI and TFTP Activity
            brentil

            I know this is an old topic but we're seeing this now too.  I've been running the TFTP setting in only "Report" mode and not "Block" mode on our users' desktops for a long time, and we decided to enable blocking finally because we've never seen a report of it and users do not need to be using this.  However, as soon as we enabled the actual blocking we started getting machines reporting in that TFTP was actually being blocked from being actively used.  Digging into the ePO report more shows that it is the WMI wmiprvse.exe process, as stated before, that is touching this file.  Continued investigation shows that this only happens on Windows XP SP3 systems; all Vista & W7 machines do not have this behaviour.

            So it just seems to be a behaviour of how the WMI processes of Win XP worked that has changed since then in Vista/W7.  I plan to leave the block in place and have it ignore the reporting portion as we only have a handful of Win XP machines left.


            Server ID:das-ePO
            Event Received Time:6/25/12 2:50:01 PM
            Event Generated Time:6/25/12 2:49:08 PM
            Agent GUID:BCAF43F8-48B9-4C1F-A302-B37E8FE814F6
            Detecting Prod ID (deprecated):VIRUSCAN8800
            Detecting Product Name:VirusScan Enterprise
            Detecting Product Version:8.8
            Detecting Product Host Name:Workstation30
            Detecting Product IPv4 Address:192.168.7.30
            Detecting Product IP Address:192.168.7.30
            Detecting Product MAC Address:
            DAT Version:
            Engine Version:
            Threat Source Host Name:_
            Threat Source IPv4 Address:192.168.7.30
            Threat Source IP Address:192.168.7.30
            Threat Source MAC Address:
            Threat Source User Name:
            Threat Source Process Name:C:\WINDOWS\system32\wbem\wmiprvse.exe
            Threat Source URL:
            Threat Target Host Name:Workstation30
            Threat Target IPv4 Address:192.168.7.30
            Threat Target IP Address:192.168.7.30
            Threat Target MAC Address:
            Threat Target User Name:NT AUTHORITY\NETWORK SERVICE
            Threat Target Port Number:
            Threat Target Network Protocol:
            Threat Target Process Name:
            Threat Target File Path:C:\WINDOWS\system32\tftp.exe
            Event Category:'File' class or access
            Event ID:1092
            Threat Severity:Notice
            Threat Name:Anti-virus Standard Protection:Prevent use of tftp.exe
            Threat Type:access protection
            Action Taken:deny read
            Threat Handled:true
            Analyzer Detection Method:OAS
            • 3. Re: WMI and TFTP Activity

              I'm seeing this same behavior. Here are the dates that it has occurred.  Any ideas what causes it? Whether it's usual behavior or something to raise an eyebrow about?

              2010: 9/19, 9/20, 10/14

              2011: 1/7, 1/8, 1/9, 1/22, 5/16, 7/1, 7/11, 7/14, 10/24

              2012: 4/19, 4/20, 4/21, 4/22, 4/28, 6/2, 6/3, 6/15, 6/16, 6/17, 6/27, 6/29

              Blocked by Access Protection rule NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\tftp.exe Anti-virus Standard Protection:Prevent use of tftp.exe Action blocked : Read