How can you distinguish a 'false positive'?

Unanswered Question
Sep 17th, 2008

The IPS generated an alert, SMB Remote Registry Access Attempt. How do I investigate the alert? I ran a couple of spyware programs on the host and found some cookies, generally clean. At what point is the alert resigned as a false positive?

“Triggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a server's registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.”

appInstanceId: 403

signature: description=SMB Remote Registry Access Attempt id=5579 version=S264

subsigId: 1

marsCategory: Probe/Host/WinRegistry
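The signature description quoted above says the alert fires on every remote registry access, legitimate REGEDIT use included, so the alert by itself cannot be called a true or false positive; what separates the two is whether the source of the SMB session is a host that is supposed to do this. The following triage helper is an added example, not code from the original post or from Cisco. It parses the signature field exactly as shown in the post and then applies an assumed inventory of authorised administrative networks. The attacker and target addresses, the network list and the field names `attacker`/`target` are constructed for the example and do not appear in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample built from the fields quoted in the post. The attacker
# and target addresses are NOT in the original post; they are assumed values
# so the triage logic has something to decide on.
SAMPLE_ALERT = {
    "appInstanceId": "403",
    "signature": "description=SMB Remote Registry Access Attempt id=5579 version=S264",
    "subsigId": "1",
    "marsCategory": "Probe/Host/WinRegistry",
    "attacker": "10.0.5.20",  # assumed source of the SMB session
    "target": "10.0.1.10",    # assumed Windows server whose registry was accessed
}

# Assumed inventory of hosts that legitimately use REGEDIT or the Remote
# Registry service against servers (admin workstations, patch and monitoring
# servers). Replace with your own asset inventory.
AUTHORIZED_ADMIN_NETS = [ip_network("10.0.5.0/24")]

REMOTE_REGISTRY_SIG_ID = "5579"  # signature id quoted in the post


def parse_signature(sig: str) -> dict:
    """Parse the 'signature' field into description, id and version.

    The description contains spaces, so the field cannot be split on
    whitespace; anchor on the known key names instead.
    """
    m = re.fullmatch(
        r"description=(?P<description>.+?) id=(?P<id>\d+) version=(?P<version>\S+)",
        sig,
    )
    if m is None:
        raise ValueError(f"unrecognised signature field: {sig!r}")
    return m.groupdict()


def triage(alert: dict, authorized_nets=AUTHORIZED_ADMIN_NETS) -> dict:
    """Classify one remote-registry alert and name the next investigative step.

    Because the signature fires on every remote registry access, the alert
    alone is not evidence of compromise. Whether the source is a known
    administrative host is the first question that separates routine
    REGEDIT use from activity that needs a closer look.
    """
    sig = parse_signature(alert["signature"])
    if sig["id"] != REMOTE_REGISTRY_SIG_ID:
        return {
            "verdict": "not_remote_registry_signature",
            "signature": sig,
            "next_step": f"Apply the triage rules for signature {sig['id']} instead.",
        }

    src = ip_address(alert["attacker"])
    if any(src in net for net in authorized_nets):
        return {
            "verdict": "likely_benign_administrative",
            "signature": sig,
            "next_step": (
                "Confirm with the owner of the source host that registry access "
                "to the target was intentional, then add an event filter for this "
                "source so the signature only alerts on unexpected sources."
            ),
        }
    return {
        "verdict": "needs_investigation",
        "signature": sig,
        "next_step": (
            "On the target, check whether the Remote Registry service is running, "
            "which account the SMB session authenticated as (Security event log), "
            "and whether the registry was modified around the alert time. A spyware "
            "scan of the source host does not answer whether the access itself "
            "was authorised."
        ),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    print(result["verdict"])
    print(result["next_step"])
```

The point of the allowlist step is that a signature which fires on all remote registry access is tuned, not suppressed: alerts from known administrative hosts are filtered at the sensor after the owner confirms them, while alerts from any other source are worked on the target server, where the authenticating account and any registry change can actually be seen.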
