Windows System32 Directory File Creation

Unanswered Question
Apr 22nd, 2010

Hi Folks,

I get several alerts from my IDS system that say "Windows System32 Directory File Creation" as the event.

Could you please help me understand the exact meaning of these alerts?

Thanks in advance,

Sameer

chalkspray Fri, 04/23/2010 - 12:33

Well, I think the purpose for it was to detect one of the things that some worms do: write to the system32 directory. However, I found that MARS will also log this when certain services are enabled on the Windows server you're logging, due to other frequent changes in the system32 directory. I don't remember which services were causing it, but I remember creating a drop rule for the events on those specific servers because the event occurred often and was indeed a false positive. If you could post the exact content of the Windows event, it might help refresh my memory.
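The triage logic chalkspray describes (flag writes under System32, drop the servers known to generate them legitimately), as an added example that is not code from the thread or from Cisco MARS. It runs over constructed Windows object-access records assumed to be Security log event 4663 ("An attempt was made to access an object"); the host names WSUS01/SCCM01, the expected-process list and the sample records are all assumptions for the example. It goes one step beyond the per-server drop rule in the post: the drop is narrowed to the processes expected on those servers, so a write by an unexpected program on a WSUS/SCCM host is still raised rather than silently dropped.

```python
"""Triage of 'Windows System32 Directory File Creation' alerts.

Added example, not code from the thread or from Cisco MARS: it runs the
logic chalkspray describes (flag writes under System32, drop the known-noisy
WSUS/SCCM servers) over constructed Windows object-access records, and
narrows the drop rule by process so a write by an unexpected program on a
noisy host is still raised.
"""
import re
from dataclasses import dataclass

# %SystemRoot% is assumed to be C:\Windows; the drive letter is left free.
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

# Hosts the thread identified as frequent, benign sources of this event.
# Hypothetical names: substitute the real WSUS/SCCM server names.
DROP_RULE_HOSTS = {"WSUS01", "SCCM01"}

# Processes expected to write under System32 on those hosts. This list is
# an assumption for the example, not a list verified against WSUS/SCCM.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\ccm\ccmexec.exe",
}


@dataclass
class ObjectAccessEvent:
    """Fields of a Windows file-system audit record (Security log 4663,
    'An attempt was made to access an object') that the rule needs."""
    host: str
    event_id: int
    object_name: str
    accesses: str   # e.g. "WriteData (or AddFile)"
    process: str    # full path of the process that opened the handle


def is_system32_write(ev: ObjectAccessEvent) -> bool:
    """True when the record is a write/create under System32.

    4663 reports the requested accesses as text; a file creation shows
    up as AddFile (on the directory) or WriteData (on the file), so either
    is treated as a creation-class write here. Reads and listings are ignored.
    """
    if ev.event_id != 4663 or not SYSTEM32.match(ev.object_name):
        return False
    return "AddFile" in ev.accesses or "WriteData" in ev.accesses


def triage(events):
    """Return (verdict, event) pairs for every System32 write.

    'dropped' reproduces the per-server drop rule from the thread, but only
    when the writing process is one expected on that server; anything else,
    on any host, is an 'alert'. Non-System32 and read-only records are
    skipped entirely.
    """
    results = []
    for ev in events:
        if not is_system32_write(ev):
            continue
        if ev.host in DROP_RULE_HOSTS and ev.process.lower() in EXPECTED_PROCESSES:
            results.append(("dropped", ev))
        else:
            results.append(("alert", ev))
    return results


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # WSUS server writing a catalog database log via svchost: the known false positive.
    ObjectAccessEvent("WSUS01", 4663,
                      r"C:\Windows\System32\catroot2\edb.log",
                      "WriteData (or AddFile)",
                      r"C:\Windows\System32\svchost.exe"),
    # A file server creating a new executable in System32: worth an alert.
    ObjectAccessEvent("FILESRV01", 4663,
                      r"C:\Windows\System32\update.exe",
                      "WriteData (or AddFile)",
                      r"C:\Windows\System32\cmd.exe"),
    # Same WSUS server, but the writer is a binary in a temp directory:
    # a host-only drop rule would hide this; the narrowed rule does not.
    ObjectAccessEvent("WSUS01", 4663,
                      r"C:\Windows\System32\update.exe",
                      "WriteData (or AddFile)",
                      r"C:\Users\admin\AppData\Local\Temp\setup.exe"),
    # Outside System32: ignored.
    ObjectAccessEvent("FILESRV01", 4663,
                      r"C:\Windows\Temp\install.log",
                      "WriteData (or AddFile)",
                      r"C:\Windows\System32\msiexec.exe"),
    # Directory listing in System32: not a write, ignored.
    ObjectAccessEvent("WSUS01", 4663,
                      r"C:\Windows\System32\drivers",
                      "ReadData (or ListDirectory)",
                      r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for verdict, ev in triage(SAMPLE_EVENTS):
        print(f"{verdict:8} {ev.host:10} {ev.process} -> {ev.object_name}")
```

Running it prints one line per System32 write: the svchost write on WSUS01 is dropped, the cmd.exe write on the file server is alerted, and the temp-directory binary writing on WSUS01 is alerted even though the host is on the drop list. The point of keying the drop rule on both host and process is that a worm landing on a WSUS or SCCM server writes to System32 exactly like the legitimate services do; a rule that drops everything from that host throws away the one event that would have shown it.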

sameer.devlekar Sat, 04/24/2010 - 08:23

Thanks chalkspray, I appreciated your reply. For your consideration, I found WSUS/SCCM servers are the major sources of these alerts. Also, could you please tell me which Windows logs (System/Application) you need?
