Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
897
Views
0
Helpful
2
Replies

Windows System32 Directory File Creation

sameer.devlekar
Level 1
Level 1

‎04-22-2010 10:25 PM

Hi Folks,

I get sevral alerts from my IDS system says, "Windows System32 Directory File Creation" as an event.

Could you please help me out understand the exact meaning for this alerts.

Thanks in advance,

Sameer

Labels:
0 Helpful
2 Replies 2

chalkspray
Level 1
Level 1

‎04-23-2010 12:33 PM

Well I think the purpose for it was to detect one of the things that some worms do; write to the system32 directory. However, I found that MARS will also log this when certain services are enabled on the Windows Server you're logging due to other frequent changes in the system32 directory. I don't remember what services were causing it, but I remember creating a drop rule for the events on those specific servers because the event occurred often and was indeed a false positive. If you could post the exact content of the windows event it might help refresh my memory.

0 Helpful

sameer.devlekar
Level 1
Level 1
In response to chalkspray

‎04-24-2010 08:23 AM

Thanks chalkspray, appritated your reply. Just to your considration, i found WSUS/SCCM servers are the major servers for this alerts. Also could you please tell me which windows logs (System/Application) u need??

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents