Monitoring C:\Windows\system32\*.*
Posted 2/14/2011 8:56:51 AM
Hey Randy,

This event ID will be pretty useful to me already for monitoring any rogue processes on my servers.

I have a question: is there any way to monitor C:\Windows\system32\*.*?

In the startup of the server I will get alerts on various processes, e.g.

csrss.exe,"C:\Windows\system32\csrss.exe
wininit.exe,"C:\Windows\system32\wininit.exe
winlogon.exe,"C:\Windows\system32\winlogon.exe
services.exe,"C:\Windows\system32\services.exe
lsass.exe,"C:\Windows\system32\lsass.exe

The issue I find is that if, for instance, I add lsass.exe to my exclusion list, this could be fatal, as many viruses are masked as that process.

Any thoughts around monitoring this in a better way?

I look forward to your response.

Regards

Sam
Posted 2/15/2011 7:56:55 AM
I would suppress alerts based on the full path. Due to file permissions and the exclusive access the OS has over files like lsass, it is unlikely malware will replace or infect files like that, except for rootkits.
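The full-path suppression Randy describes, as an added example that is not code from this thread or from Randy: it walks process-start lines in the same "image.exe,"C:\full\path.exe" shape Sam pasted, suppresses the ones whose full image path is on an allow-list, and shows why a name-only exclusion is the dangerous one. The allow-list, the sample lines (including the ones outside system32) and the alert format are assumptions constructed for the example.

```python
"""Suppress process-start alerts by full image path, not by image name.

Added example, not code from the forum thread. The allow-list below and
the sample lines are constructed for illustration.
"""
import ntpath

# Allow-list keyed by the FULL path of the boot-time OS binaries from Sam's
# list (constructed for this example). Keying on the bare name instead would
# also silence a binary called lsass.exe living in any other directory.
ALLOWED_FULL_PATHS = {
    r"C:\Windows\system32\csrss.exe",
    r"C:\Windows\system32\wininit.exe",
    r"C:\Windows\system32\winlogon.exe",
    r"C:\Windows\system32\services.exe",
    r"C:\Windows\system32\lsass.exe",
}


def normalize_path(path: str) -> str:
    """Canonicalize a Windows path before comparing it.

    Strips the stray leading quote seen in the pasted lines, lets
    ntpath.normpath turn '/' into '\\' and collapse '..' components (so a
    path such as system32\\..\\Temp\\x.exe cannot pose as system32), and
    lower-cases because NTFS path comparison is case-insensitive.
    """
    cleaned = path.strip().strip('"')
    return ntpath.normpath(cleaned).lower()


ALLOWED = {normalize_path(p) for p in ALLOWED_FULL_PATHS}
ALLOWED_NAMES = {ntpath.basename(p).lower() for p in ALLOWED_FULL_PATHS}


def parse_line(line: str):
    """Split one 'image.exe,"C:\\full\\path.exe' line into (name, norm_path)."""
    name, _, path = line.partition(",")
    return name.strip(), normalize_path(path)


def should_alert(line: str) -> bool:
    """Full-path rule: alert unless the normalized image path is allow-listed."""
    _, full_path = parse_line(line)
    return full_path not in ALLOWED


def should_alert_by_name_only(line: str) -> bool:
    """The weak rule Sam worried about: excluding by image name alone."""
    name, _ = parse_line(line)
    return name.lower() not in ALLOWED_NAMES


def alerts_for(lines):
    """Return the lines that still warrant an alert under the full-path rule."""
    return [ln for ln in lines if should_alert(ln)]


# Constructed sample input: Sam's boot-time lines plus three lsass.exe
# variants. Only the two outside C:\Windows\system32 should alert.
SAMPLE_LINES = [
    r'csrss.exe,"C:\Windows\system32\csrss.exe ',
    r'lsass.exe,"C:\Windows\system32\lsass.exe',
    r'lsass.exe,"c:/windows/SYSTEM32/lsass.exe',        # same file, odd spelling
    r'lsass.exe,"C:\Users\Public\lsass.exe',            # look-alike elsewhere
    r'lsass.exe,"C:\Windows\system32\..\Temp\lsass.exe',  # traversal trick
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(f"full-path alert={should_alert(ln)!s:5} "
              f"name-only alert={should_alert_by_name_only(ln)!s:5}  {ln}")
```

Note what the two rules disagree on: the name-only exclusion silences every line above, including the look-alike in C:\Users\Public and the traversal path, while the full-path rule keeps alerting on both and still suppresses the genuine system32 lsass.exe however its path is spelled. The check only proves where the image was loaded from; it says nothing about whether the file at that path is still the original, which is the gap Randy's rootkit caveat refers to.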