Today I got this from one of our servers.
Received From: (E-Business) 10.xx.xx.xx->rootcheck
Rule: 513 fired (level 9) -> "Windows malware detected."
Portion of the log(s):
Windows Malware: Possible Malware - Svchost running outside system32.
Process: svchost.exe.
Searching the lists, there seems to be a bug on 64-bit OSes.
http://www.mail-archive.com/ossec...@googlegroups.com/msg02182.html
Yet the interesting thing is that the server is clean and it is NOT 64-bit.
Any ideas?
Özgür Özdemircili
This is strange.. svchost.exe should not be running outside of the system32 dir
on a 32-bit system. Did you run an anti-virus on this box to see what
it finds? This is the first time I have seen a false positive from this check
(in fact, every time I saw it alert, it was on real malware).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
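To make the check behind rule 513 concrete, here is an added example (not OSSEC's rootcheck code, and not posted by either participant above) that re-implements the idea as a stand-alone script: walk a process table, pick out every image named svchost.exe, and flag any whose directory is not %SystemRoot%\System32. It also shows the 64-bit caveat from the thread: on 64-bit Windows, 32-bit services legitimately run svchost.exe from %SystemRoot%\SysWOW64, so a check that only whitelists System32 fires there. The process table, PIDs and paths are constructed for the example; the alert text mirrors the log line quoted in the first message.

```python
"""Stand-alone re-implementation of the "svchost running outside system32"
idea from the thread above. Added example: not OSSEC's rootcheck code.
ntpath is used so Windows paths are handled correctly on any platform."""
import ntpath

# Constructed sample process table (pid, image path). NOT taken from the thread.
SAMPLE_PROCESSES = [
    (404,  r"C:\Windows\System32\svchost.exe"),          # legitimate
    (1204, r"c:\windows\system32\SVCHOST.EXE"),          # legitimate, odd casing
    (2312, r"C:\Windows\SysWOW64\svchost.exe"),          # legitimate only on 64-bit Windows
    (3516, r"C:\Users\Public\svchost.exe"),              # suspicious
    (3612, r"C:\Windows\System32\..\Temp\svchost.exe"),  # suspicious, hides behind '..'
    (4004, r"C:\Windows\System32\lsass.exe"),            # not svchost, ignored
    (4100, r"C:\Users\Public\scvhost.exe"),              # look-alike name, NOT caught by this rule
]


def allowed_svchost_dirs(system_root, is_64bit):
    """Directories where svchost.exe may legitimately live, normalised for comparison.
    System32 is always allowed; SysWOW64 only on 64-bit Windows (the false-positive
    case discussed in the thread)."""
    dirs = [ntpath.join(system_root, "System32")]
    if is_64bit:
        dirs.append(ntpath.join(system_root, "SysWOW64"))
    return {ntpath.normcase(ntpath.normpath(d)) for d in dirs}


def find_rogue_svchost(processes, system_root=r"C:\Windows", is_64bit=False):
    """Return [(pid, normalised image path)] for every svchost.exe whose directory
    is not in the allowed set. Paths are normalised (case folded, '..' resolved) so
    that casing tricks and traversal segments do not slip past the comparison."""
    allowed = allowed_svchost_dirs(system_root, is_64bit)
    hits = []
    for pid, image in processes:
        norm = ntpath.normcase(ntpath.normpath(image))
        directory, name = ntpath.split(norm)
        if name != "svchost.exe":
            # Exact-name rule: look-alikes such as scvhost.exe are a different check.
            continue
        if directory not in allowed:
            hits.append((pid, ntpath.normpath(image)))
    return hits


def format_alert(pid, image):
    """Render a hit in the style of the rootcheck log line quoted in the thread."""
    return ("Windows Malware: Possible Malware - Svchost running outside system32. "
            f"Process: svchost.exe (pid {pid}, image {image}).")


if __name__ == "__main__":
    for label, is_64bit in (("32-bit host", False), ("64-bit host", True)):
        print(f"== {label} ==")
        for pid, image in find_rogue_svchost(SAMPLE_PROCESSES, is_64bit=is_64bit):
            print(format_alert(pid, image))
```

Run as a 32-bit host, the script flags the SysWOW64 copy along with the two genuinely misplaced binaries; with `is_64bit=True` the SysWOW64 copy is accepted and only the Users\Public and Temp copies remain. Note that rule 513 is a name-and-location check only: a binary renamed to something like scvhost.exe, or a legitimate svchost.exe that has been hollowed in memory, is outside its scope, which is why Daniel's advice to run an AV scan on the box still applies even when the path looks fine.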