2 Replies Latest reply: Nov 26, 2013 8:28 AM by greatscott

    <SYSTEMREMOTECLIENT> as threat source process name?

    greatscott

      Does anyone know what <SYSTEMREMOTECLIENT> means when it is in the threat source process name field in an IPS event? Is there any good way to create exceptions for these? I have tried with little success to create an exception for such an event. Here is the event in question (sensitive data X'ed out). The threat source process hostname and IP are the same as the threat source process hostname and IP.

      Server ID:EPO123
      Event Received Time:11/14/13 10:12:38 AM
      Event Generated Time:11/14/13 8:49:45 AM
      Agent GUID:XXXXXXXXX-7682-XXXX-XXXX-XXXX
      Detecting Prod ID (deprecated):HOSTIPS_8000
      Detecting Product Name:McAfee Host Intrusion Prevention
      Detecting Product Version:8.0.0
      Detecting Product Host Name:XXXXX
      Detecting Product IPv4 Address:192.168.0.2
      Detecting Product IP Address:192.168.0.2
      Detecting Product MAC Address:XXXXX
      DAT Version:
      Engine Version:
      Threat Source Host Name:
      Threat Source IPv4 Address:192.168.0.2
      Threat Source IP Address:192.168.0.2
      Threat Source MAC Address:
      Threat Source User Name:XXXXX
      Threat Source Process Name:<SYSTEMREMOTECLIENT>
      Threat Source URL:file:///<SYSTEMREMOTECLIENT>
      Threat Target Host Name:XXXXX
      Threat Target IPv4 Address:192.168.0.2
      Threat Target IP Address:192.168.0.2
      Threat Target MAC Address:XXXXX
      Threat Target User Name:
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:
      Event Category:File system
      Event ID:18000
      Threat Severity:Information
      Threat Name:1265
      Threat Type:Create, Read, Write, Attribute
      Action Taken:Permitted
      Threat Handled:false
      Analyzer Detection Method:

      Threat events received from managed systems

      Event Description:Host intrusion detected and handled

      Host IPS 8.0 Event Information

      Drive Type HardDrive
      ePO Reachable False
      Files D:\Ingestion\Q3\1052-1264\20131114\6f05ddcc-3ab2-4987-be3b-f77749d836f8.pdf
      In Trusted Network Unknown
      Workstation Name XXXXX
        • 1. Re: <SYSTEMREMOTECLIENT> as threat source process name?
          Kary Tankink

          <SYSTEMREMOTECLIENT> is the remote system's SYSTEM account process.  I tested a (custom) signature that uses this process name and wrote an IPS exception for it (created it straight from the ePO event), and it worked fine.

          11-25 15:02:35 [05752] VIOLATION: [1] ------- Violation  Logged ---- Size 620 ----
          <Event> <!-- Level=High, Reaction=Prevent -->
            <EventData
            SignatureID="4003"
            SignatureName="File creation"
            SeverityLevel="4"
            Reaction="3"
            ProcessUserName="NT AUTHORITY\SYSTEM"
            Process="&lt;SYSTEMREMOTECLIENT&gt;"
            IncidentTime="2013-11-25 15:02:32"
            AllowEx="False"
            SigRuleClass="Files"
            ProcessId="4"
            Session="0"
            SigRuleDirective="create,read,write"/>
            <Params>
              <Param name="Workstation Name" allowex="True">XXXXXXXXXX</Param>
              <Param name="files" allowex="True">C:\temp\putty2.exe</Param>
              <Param name="drive type" allowex="True">HardDrive</Param>
            </Params>
          </Event>
          ------------------------------

          Exception {
             Class Files
             Id 4003
             files { Include {C:\temp\putty2.exe} }
             drive_type { Include HardDrive }
             Executable { Include { -path <SYSTEMREMOTECLIENT>  @Id 730} }
             domain_user_name { Include {NT AUTHORITY\SYSTEM} }
             wrkstn_name { Include XXXXXXXXXX }
             directives files:create files:write files:execute files:delete files:rename files:attribute files:permissions
          }
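The mapping Kary describes, from the HipShield violation entry to the fields of an IPS exception, as an added example in Python that is not from this thread or from McAfee: it pulls the `<Event>` XML out of a log excerpt (a constructed sample modelled on the entry quoted above, with the workstation name replaced by a placeholder), checks that the source process is the remote SYSTEM account, and renders an exception stanza scoped to the specific file, drive type and workstation. The stanza layout and the `PARAM_TO_FIELD` names are assumptions read off the quoted exception, not the product's own exception generator, and the `@Id` tag is left out.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real capture), modelled on the HipShield
# violation entry quoted in the reply above; workstation name is a placeholder.
SAMPLE_LOG = r"""11-25 15:02:35 [05752] VIOLATION: [1] ------- Violation  Logged ---- Size 620 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4003"
  SignatureName="File creation"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="&lt;SYSTEMREMOTECLIENT&gt;"
  IncidentTime="2013-11-25 15:02:32"
  AllowEx="False"
  SigRuleClass="Files"
  ProcessId="4"
  Session="0"
  SigRuleDirective="create,read,write"/>
  <Params>
    <Param name="Workstation Name" allowex="True">WKS-PLACEHOLDER</Param>
    <Param name="files" allowex="True">C:\temp\putty2.exe</Param>
    <Param name="drive type" allowex="True">HardDrive</Param>
  </Params>
</Event>
------------------------------
"""

REMOTE_SYSTEM_PROCESS = "<SYSTEMREMOTECLIENT>"
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Assumed mapping from <Param name="..."> to the exception field names seen
# in the quoted stanza (order matches that stanza).
PARAM_TO_FIELD = {"files": "files", "drive type": "drive_type"}

EVENT_RE = re.compile(r"<Event>.*?</Event>", re.S)


def parse_violations(log_text):
    """Return one dict per <Event> block found in a HipShield log excerpt."""
    events = []
    for match in EVENT_RE.finditer(log_text):
        root = ET.fromstring(match.group(0))   # XML comment after <Event> is ignored
        data = root.find("EventData").attrib
        # Only parameters the product marks allowex="True" can carry an exception.
        params = {p.get("name"): p.text
                  for p in root.iter("Param") if p.get("allowex") == "True"}
        events.append({
            "signature_id": int(data["SignatureID"]),
            "rule_class": data["SigRuleClass"],
            "process": data["Process"],          # ElementTree unescapes &lt;...&gt;
            "user": data["ProcessUserName"],
            "directives": data["SigRuleDirective"].split(","),
            "params": params,
        })
    return events


def is_remote_system_client(event):
    """True when the source is the remote machine's SYSTEM-account process."""
    return (event["process"] == REMOTE_SYSTEM_PROCESS
            and event["user"] == SYSTEM_ACCOUNT)


def remote_system_exception(event):
    """Render an exception stanza scoped to the observed file, drive and workstation."""
    lines = ["Exception {",
             f"   Class {event['rule_class']}",
             f"   Id {event['signature_id']}"]
    for name, field in PARAM_TO_FIELD.items():
        if name in event["params"]:
            lines.append(f"   {field} {{ Include {{{event['params'][name]}}} }}")
    lines.append(f"   Executable {{ Include {{ -path {event['process']} }} }}")
    lines.append(f"   domain_user_name {{ Include {{{event['user']}}} }}")
    if "Workstation Name" in event["params"]:
        lines.append(f"   wrkstn_name {{ Include {event['params']['Workstation Name']} }}")
    cls = event["rule_class"].lower()
    lines.append("   directives " + " ".join(f"{cls}:{d}" for d in event["directives"]))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ev in parse_violations(SAMPLE_LOG):
        if is_remote_system_client(ev):
            print(remote_system_exception(ev))
```

Because <SYSTEMREMOTECLIENT> stands for any access arriving under the remote SYSTEM context rather than a particular binary, an exception keyed on the process name alone would cover every such access; keeping the file path, drive type and workstation parameters in the stanza narrows it to the one observed case, which is also what the ePO-generated exception in the reply does.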

          • 2. Re: <SYSTEMREMOTECLIENT> as threat source process name?
            greatscott

            Kinda what I suspected. Thank you.