Hello,
I am tuning a basic policy for DSS 6. I've noticed that the Windows User Experience DLL is performing an OpenProcess operation on a bunch of things, including the IPS engine. Below is an example. Is this normal for this DLL, or is it possible that it's been jacked? I've noticed that the module is unsigned...
SOURCE
Agent Name deleted
Host Name deleted
Host IP Address deleted
User Name NT AUTHORITY\SYSTEM
Agent Version 6.0.0.380
OS Type Windows
OS Version Server 2003 Service Pack 2
Agent Type CSP Native Agent
EVENT
Event Type Process Access
Event Category Real Time - Prevention
Operation OpenProcess
Event Severity Warning
Event Priority 45
Acknowledgement Status false
Event Date 31-Mar-2014 10:01:15 BST
Post Date 31-Mar-2014 10:01:18 BST
Post Delay 00:00:03
Event Count 1
Event ID 121133
DETAILS
Description Process Modification Allowed for (SVCHOST.EXE) on (C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE).
Policy Name Domain Controller Prevention Policy
Process C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Module Path \WINDOWS\SYSTEM32\AELUPSVC.DLL
Target Process - Sandox basic_ps
Target Process Name C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE
Agent State Prevention Globally Disabled
Disposition Allow
Sandbox netsvcs_ps
Operation OpenProcess
OS Result 00000000 (SUCCESS)
SDCSS Result 00000000 (SUCCESS)
Process ID 908
Target Process ID 5192
Actual Permissions 001f0fff (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, v
Caller Thread ID 1572
Permissions Requested 001F0FFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume)
Process Signature Microsoft OS Component (00039437)
Module Signature Unsigned (00000000)
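An added example, not part of the original post and not DSS product code, that decodes the 001F0FFF mask from the event above and ranks the event on the two facts it already carries that matter for triage: the module is reported unsigned, and the requested rights include the ones that allow altering the target process. The bit values are the PROCESS_* and standard access-right constants from the Windows SDK (winnt.h); the sample event text is constructed from the fields shown in the post, and the key list and the review rule are my own assumptions rather than anything DSS defines.

```python
"""Decode and triage the OpenProcess access mask from a DSS "Process Access" event.

Bit values are the PROCESS_* and standard access rights from winnt.h.
SAMPLE_EVENT is a constructed sample built from the fields in the post.
"""

# Standard access rights (winnt.h); names follow the spelling DSS uses.
STANDARD_RIGHTS = {
    0x00010000: "delete",
    0x00020000: "read_control",
    0x00040000: "write_dac",
    0x00080000: "write_owner",
    0x00100000: "synch",
}

# Process-specific rights (winnt.h PROCESS_*).
PROCESS_RIGHTS = {
    0x0001: "terminate",
    0x0002: "create_thread",
    0x0004: "set_sessionid",
    0x0008: "vm_operation",
    0x0010: "vm_read",
    0x0020: "vm_write",
    0x0040: "dup_handle",
    0x0080: "create_process",
    0x0100: "set_quota",
    0x0200: "set_information",
    0x0400: "query_information",
    0x0800: "suspend_resume",
    0x1000: "query_limited_information",  # Vista and later only; not on Server 2003
}

# PROCESS_ALL_ACCESS as the XP/Server 2003 SDK defines it:
# STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF.  Matches the event's 001F0FFF.
PROCESS_ALL_ACCESS_2003 = 0x001F0FFF

# Rights that let the caller write into or run code inside the target.
CODE_INJECTION_RIGHTS = {"vm_operation", "vm_write", "create_thread"}

# Event keys this parser understands (assumption: a subset of the DSS fields).
# Longest keys first so "Process Signature" is tried before "Process".
KNOWN_KEYS = sorted(
    ["Operation", "Process", "Module Path", "Target Process Name", "Disposition",
     "Permissions Requested", "Process Signature", "Module Signature"],
    key=len, reverse=True)

# Constructed sample, assembled from the fields quoted in the post above.
SAMPLE_EVENT = r"""
EVENT
Operation OpenProcess
DETAILS
Process C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Module Path \WINDOWS\SYSTEM32\AELUPSVC.DLL
Target Process Name C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE
Disposition Allow
Permissions Requested 001F0FFF (delete, read_control, write_dac, write_owner, synch, terminate)
Process Signature Microsoft OS Component (00039437)
Module Signature Unsigned (00000000)
"""


def decode_access_mask(mask: int) -> list:
    """Return the names of the access rights set in an OpenProcess mask, in bit order."""
    all_rights = {**STANDARD_RIGHTS, **PROCESS_RIGHTS}
    return [name for bit, name in sorted(all_rights.items()) if mask & bit]


def parse_event(text: str) -> dict:
    """Parse 'Key Value' lines of a DSS event into a dict for the keys in KNOWN_KEYS."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key in KNOWN_KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key) + 1:].strip()
                break
    return fields


def triage(fields: dict) -> dict:
    """Rank one Process Access event.  'review' is True when an unsigned module
    asked for rights that allow modifying the target process (assumed rule)."""
    mask = int(fields["Permissions Requested"].split()[0], 16)
    rights = decode_access_mask(mask)
    unsigned = fields.get("Module Signature", "").startswith("Unsigned")
    injection_rights = sorted(CODE_INJECTION_RIGHTS & set(rights))
    return {
        "mask": mask,
        "rights": rights,
        "all_access": mask == PROCESS_ALL_ACCESS_2003,
        "unsigned_module": unsigned,
        "injection_rights": injection_rights,
        "review": unsigned and bool(injection_rights),
    }


if __name__ == "__main__":
    result = triage(parse_event(SAMPLE_EVENT))
    print(f"mask 0x{result['mask']:08x} -> {', '.join(result['rights'])}")
    print("PROCESS_ALL_ACCESS (2003):", result["all_access"])
    print("unsigned module:", result["unsigned_module"])
    print("injection-capable rights:", result["injection_rights"])
    print("needs review:", result["review"])
```

The mask decodes to the same 17 rights the event lists, and it equals PROCESS_ALL_ACCESS as defined for Server 2003, which is what a generic OpenProcess call that asks for everything produces. The script only ranks the event; whether the module belongs in that svchost group and why DSS reports it unsigned are host-side checks (many Windows system DLLs carry no embedded Authenticode signature and validate only against the OS catalog, so an "unsigned" verdict from an embedded-signature check alone is not by itself proof of tampering).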