The IPS generated an alert, SMB Remote Registry Access Attempt. How to investigate the alert? I ran a couple of spyware programs on the host and found some cookies-generaly clean. At what point is the alert resigned as a false positive?
âTriggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a servers registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.â
appInstanceId: 403
signature: description=SMB Remote Registry Access Attempt id=5579 version=S264
subsigId: 1
marsCategory: Probe/Host/WinRegistry