417 Views 2 Replies Latest reply: Nov 26, 2013 8:28 AM by greatscott RSS
greatscott, Champion, 287 posts since Jul 18, 2011
Nov 21, 2013 7:36 AM

<SYSTEMREMOTECLIENT> as threat source process name?

Does anyone know what <SYSTEMREMOTECLIENT> means when it is in the threat source process name field in an IPS event? Is there any good way to create exceptions for these? I have tried with little success to create an exception for such an event. Here is the event in question (sensitive data X'ed out). The threat source host name and IP are the same as the threat target host name and IP.

Server ID:EPO123
Event Received Time:11/14/13 10:12:38 AM
Event Generated Time:11/14/13 8:49:45 AM
Agent GUID:XXXXXXXXX-7682-XXXX-XXXX-XXXX
Detecting Prod ID (deprecated):HOSTIPS_8000
Detecting Product Name:McAfee Host Intrusion Prevention
Detecting Product Version:8.0.0
Detecting Product Host Name:XXXXX
Detecting Product IPv4 Address:192.168.0.2
Detecting Product IP Address:192.168.0.2
Detecting Product MAC Address:XXXXX
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source IPv4 Address:192.168.0.2
Threat Source IP Address:192.168.0.2
Threat Source MAC Address:
Threat Source User Name:XXXXX
Threat Source Process Name:<SYSTEMREMOTECLIENT>
Threat Source URL:file:///<SYSTEMREMOTECLIENT>
Threat Target Host Name:XXXXX
Threat Target IPv4 Address:192.168.0.2
Threat Target IP Address:192.168.0.2
Threat Target MAC Address:XXXXX
Threat Target User Name:
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:
Event Category:File system
Event ID:18000
Threat Severity:Information
Threat Name:1265
Threat Type:Create, Read, Write, Attribute
Action Taken:Permitted
Threat Handled:false
Analyzer Detection Method:


Threat events received from managed systems

Event Description:Host intrusion detected and handled

Host IPS 8.0 Event Information

Drive Type HardDrive
ePO Reachable False
Files D:\Ingestion\Q3\1052-1264\20131114\6f05ddcc-3ab2-4987-be3b-f77749d836f8.pdf
In Trusted Network Unknown
Workstation Name XXXXX
  • Kary Tankink, McAfee Employee, 654 posts since Mar 3, 2010

    <SYSTEMREMOTECLIENT> is the remote system's SYSTEM account process.  I tested a (custom) signature that uses this process name and wrote an IPS exception for it (created it straight from the ePO event), and it worked fine.

    11-25 15:02:35 [05752] VIOLATION: [1] ------- Violation  Logged ---- Size 620 ----
    <Event> <!-- Level=High, Reaction=Prevent -->
      <EventData
      SignatureID="4003"
      SignatureName="File creation"
      SeverityLevel="4"
      Reaction="3"
      ProcessUserName="NT AUTHORITY\SYSTEM"
      Process="&lt;SYSTEMREMOTECLIENT&gt;"
      IncidentTime="2013-11-25 15:02:32"
      AllowEx="False"
      SigRuleClass="Files"
      ProcessId="4"
      Session="0"
      SigRuleDirective="create,read,write"/>
      <Params>
        <Param name="Workstation Name" allowex="True">XXXXXXXXXX</Param>
        <Param name="files" allowex="True">C:\temp\putty2.exe</Param>
        <Param name="drive type" allowex="True">HardDrive</Param>
      </Params>
    </Event>
    ------------------------------

    Exception {
       Class Files
       Id 4003
       files { Include {C:\temp\putty2.exe} }
       drive_type { Include HardDrive }
       Executable { Include { -path <SYSTEMREMOTECLIENT>  @Id 730} }
       domain_user_name { Include {NT AUTHORITY\SYSTEM} }
       wrkstn_name { Include XXXXXXXXXX }
       directives files:create files:write files:execute files:delete files:rename files:attribute files:permissions
    }
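As an added example (my own code, not McAfee's and not from either post above), the following Python script parses HipShield violation records of the form shown in the reply, flags the ones HIPS attributed to <SYSTEMREMOTECLIENT>, and drafts an exception in the same syntax as the ePO-generated block. Assumptions: the mapping from HIPS parameter names to exception keys (files, drive_type, wrkstn_name) and the "files:" directive prefix are inferred from that block; the ePO-assigned "@Id 730" is left out because only ePO knows it; the sample log is constructed from the posted record with the workstation name replaced by a placeholder. Unlike the ePO-generated exception, the draft lists only the directives the event actually fired (create, read, write), which keeps the exception as narrow as possible: an exception keyed on <SYSTEMREMOTECLIENT> without the file path and workstation qualifiers would permit the same operation from any remote client.

```python
"""Parse Host IPS 8.0 violation records and draft a tightly scoped exception.

Added example, not McAfee code. Exception syntax mirrors the block posted in
the thread; the ePO-assigned "@Id" is omitted (only ePO knows it).
"""
import re
import xml.etree.ElementTree as ET

# Pseudo-process name HIPS reports when no local image performed the operation
# (the record shows ProcessId="4", Session="0", NT AUTHORITY\SYSTEM).
REMOTE_CLIENT = "<SYSTEMREMOTECLIENT>"

# HIPS parameter name -> exception key (assumption, inferred from the thread).
PARAM_KEYS = {
    "files": "files",
    "drive type": "drive_type",
    "Workstation Name": "wrkstn_name",
}

# Constructed sample, modelled on the posted record (workstation name replaced).
SAMPLE_LOG = r"""
11-25 15:02:35 [05752] VIOLATION: [1] ------- Violation  Logged ---- Size 620 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4003"
  SignatureName="File creation"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="&lt;SYSTEMREMOTECLIENT&gt;"
  IncidentTime="2013-11-25 15:02:32"
  AllowEx="False"
  SigRuleClass="Files"
  ProcessId="4"
  Session="0"
  SigRuleDirective="create,read,write"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WKS-EXAMPLE</Param>
    <Param name="files" allowex="True">C:\temp\putty2.exe</Param>
    <Param name="drive type" allowex="True">HardDrive</Param>
  </Params>
</Event>
------------------------------
"""


def parse_violation(record: str) -> dict:
    """Extract the <Event> block of one violation record into a dict."""
    m = re.search(r"<Event>.*?</Event>", record, re.S)
    if m is None:
        raise ValueError("no <Event> block in record")
    root = ET.fromstring(m.group(0))
    data = root.find("EventData").attrib
    params = {p.get("name"): p.text for p in root.iter("Param")}
    # HIPS marks which parameters may be used to qualify an exception.
    allowex = {p.get("name") for p in root.iter("Param") if p.get("allowex") == "True"}
    return {
        "signature_id": int(data["SignatureID"]),
        "rule_class": data["SigRuleClass"],
        "process": data["Process"],  # ElementTree has already unescaped &lt; and &gt;
        "user": data["ProcessUserName"],
        "pid": int(data["ProcessId"]),
        "directives": [d.strip() for d in data["SigRuleDirective"].split(",")],
        "params": params,
        "allowex": allowex,
    }


def iter_violations(log_text: str):
    """Yield every violation record found in a HipShield log excerpt."""
    for m in re.finditer(r"<Event>.*?</Event>", log_text, re.S):
        yield parse_violation(m.group(0))


def is_remote_client(event: dict) -> bool:
    """True when HIPS attributed the operation to a remote system rather than a local image."""
    return event["process"] == REMOTE_CLIENT


def draft_exception(event: dict) -> str:
    """Draft an exception limited to this signature, path, workstation, user,
    process and the directives the event actually fired."""
    cls = event["rule_class"]
    lines = ["Exception {", f"   Class {cls}", f"   Id {event['signature_id']}"]
    for name, key in PARAM_KEYS.items():
        value = event["params"].get(name)
        if value is None or name not in event["allowex"]:
            continue
        lines.append(f"   {key} {{ Include {{{value}}} }}")
    lines.append(f"   Executable {{ Include {{ -path {event['process']} }} }}")
    lines.append(f"   domain_user_name {{ Include {{{event['user']}}} }}")
    directives = " ".join(f"{cls.lower()}:{d}" for d in event["directives"])
    lines.append(f"   directives {directives}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ev in iter_violations(SAMPLE_LOG):
        origin = "remote client" if is_remote_client(ev) else "local process"
        print(f"# signature {ev['signature_id']} via {origin} ({ev['process']})")
        print(draft_exception(ev))
```

Run it against a real HipShield.log excerpt by reading the file into iter_violations; the draft is meant to be reviewed and then entered through the ePO policy editor, not imported as-is.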
