
Registry Leaks

Created: 13 Jan 2013 | 9 comments

Currently we have Windows servers with only AV/malware protection. We use an application called ImageRight; it's used for printing.

Also, servers are at SEP 11 RU1. In the process of upgrading to SEP 11 RU3, then to 12.1.2 in the near future.

Now to my question:

Has anyone seen this type of error before? It's in the Event Logs as a Warning.

There is a Windows KB article, ID 947238, which kind of relates.

DETAIL:

2 user registry handles leaked from \Registry\User\S-1-5-21-1390108520-675970526-1691616715-84626:

Process 376 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Printers\DevModePerUser

Process 2068 (\Device\HarddiskVolume1\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

It is currently believed that SEP is causing this issue, but from my point of view I think this is a false positive. Almost makes me wonder if this is a rootkit. I have never seen this error before, and we currently have intermittent errors occurring.

Any suggestions would be helpful.
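As an added example, not code from the thread or from any of the products named in it: a small parser for the body of this warning. The text is the User Profile Service's profile-unload warning (Event ID 1530 in the Application log, a detail the post does not name), whose lines follow the fixed shape quoted in the DETAIL block; the sample below is constructed from that block, and the script pulls out each holder's PID, image path and key, cross-checks the declared count, and separates Windows binaries from third-party ones, which is the first thing to look at when deciding whether a product such as SEP is the one keeping the hive open.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the DETAIL block quoted in the post above.
SAMPLE_EVENT = r"""2 user registry handles leaked from \Registry\User\S-1-5-21-1390108520-675970526-1691616715-84626:

Process 376 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Printers\DevModePerUser

Process 2068 (\Device\HarddiskVolume1\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
"""

# Header line: "<n> user registry handles leaked from \Registry\User\<SID>:"
HEADER_RE = re.compile(r"^(\d+) user registry handles leaked from \\Registry\\User\\(S-1-[\d-]+):")
# Holder line: "Process <pid> (<NT image path>) has opened key <key>"
HOLDER_RE = re.compile(r"^Process (\d+) \((.+?)\) has opened key (.+?)\s*$")

@dataclass
class LeakedHandle:
    pid: int
    image: str            # NT device path of the process that still holds the key
    key: str              # registry key that was open while the profile was unloading
    windows_binary: bool  # True when the image lives under the Windows directory

def parse_leak_event(message: str):
    """Return (sid, declared_count, [LeakedHandle, ...]) for one event body."""
    sid, declared, holders = None, 0, []
    for line in message.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            declared, sid = int(m.group(1)), m.group(2)
            continue
        m = HOLDER_RE.match(line)
        if m:
            image = m.group(2)
            holders.append(LeakedHandle(pid=int(m.group(1)), image=image, key=m.group(3),
                                        windows_binary="\\windows\\" in image.lower()))
    if sid is None:
        raise ValueError("not a 'user registry handles leaked' event body")
    if len(holders) != declared:
        raise ValueError(f"header declares {declared} leaks, found {len(holders)}")
    return sid, declared, holders

def third_party_holders(message: str):
    """Executable names outside the Windows directory that held the hive open."""
    _, _, holders = parse_leak_event(message)
    return sorted({h.image.rsplit("\\", 1)[-1] for h in holders if not h.windows_binary})
```

Feeding the body of each such warning through parse_leak_event over a month of logs shows whether the same third-party image recurs, which is what separates a product conflict from a one-off.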


.Brian:

What happens if you disable SEP? Or even uninstall?

When did it start? When SEP was installed?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

usacc23:

Have not tried this, as I just found out about this late Friday. There is some type of conflict even when we exclude the folders and extensions. SEP was installed well over 2 years ago. We have had multiple issues and cannot narrow them down. This error is the first time I have seen this in the Event Logs. These are production systems and we don't want to remove security from them. I have even thought of upgrading this to SEP 12, as this even took 2 servers down for well over 2 hours. This has never happened before.


usacc23:

I am now wondering if this is a Java issue.

.Brian:

Can you try turning off Auto-Protect for a short period of time to see what the result is?

usacc23:

That would be good, except the errors only occur maybe once or twice a month. I don't feel comfortable turning off Auto-Protect. If there is a rootkit or even a Java issue, I don't think that will help much.

If you have any other suggestions, that would be great. You have helped me before, and I appreciate your assistance.

.Brian:

If SEP were the problem, I would think you would see the issue come up more often.

Have you tried running a rootkit checker such as GMER or TDSSKiller?

Can you upgrade or just remove Java?

usacc23:

No, I am going to do that tomorrow, I hope.

We have a Root Cause Analysis meeting in the AM. I am going to suggest this.

If you or anyone out there thinks of anything else, please let me know.

I will update and see what I can come up with.

Rafeeq:

From the registry value, it's pointing to printers.

Check this discussion:

http://social.technet.microsoft.com/Forums/eu/wins...

usacc23:

Rafeeq,

I just read the link from the Microsoft forum. I have a feeling this is the ticket.

Thank you again. Both you and Brian81 have helped me in the past.