Data Center Security


Windows User Experience preventions

  • 1.  Windows User Experience preventions

    Posted Mar 31, 2014 09:56 AM

    Hello,

    I am tuning a basic policy for DSS 6. I've noticed that the Windows User Experience dll is performing an OpenProcess operation on a bunch of things including the IPS engine. Below is an example. Is this normal for this dll or is it possible that it's been jacked? I've noticed that the module is unsigned...


    SOURCE

    Agent Name                      deleted
    Host Name                       deleted
    Host IP Address                 deleted
    User Name                       NT AUTHORITY\SYSTEM
    Agent Version                   6.0.0.380
    OS Type                         Windows
    OS Version                      Server 2003 Service Pack 2
    Agent Type                      CSP Native Agent

    EVENT

    Event Type                      Process Access
    Event Category                  Real Time - Prevention
    Operation                       OpenProcess
    Event Severity                  Warning
    Event Priority                  45
    Acknowledgement Status          false
    Event Date                      31-Mar-2014 10:01:15 BST
    Post Date                       31-Mar-2014 10:01:18 BST
    Post Delay                           00:00:03
    Event Count                     1
    Event ID                        121133

    DETAILS

    Description                     Process Modification Allowed for (SVCHOST.EXE) on (C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE).
    Policy Name                     Domain Controller Prevention Policy
    Process                         C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    Module Path                     \WINDOWS\SYSTEM32\AELUPSVC.DLL
    Target Process - Sandox         basic_ps
    Target Process Name             C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CSC.EXE
    Agent State                     Prevention Globally Disabled
    Disposition                     Allow
    Sandbox                         netsvcs_ps
    Operation                       OpenProcess
    OS Result                       00000000 (SUCCESS)
    SDCSS Result                    00000000 (SUCCESS)
    Process ID                      908
    Target Process ID               5192
    Actual Permissions              001f0fff (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, v
    Caller Thread ID                1572
    Permissions Requested           001F0FFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume)
    Process Signature               Microsoft OS Component (00039437)
    Module Signature                Unsigned (00000000)




  • 2.  RE: Windows User Experience preventions

    Posted Mar 31, 2014 10:32 AM

    Can you display the one where its trying to access the IPS engine?



  • 3.  RE: Windows User Experience preventions

    Posted Mar 31, 2014 10:52 AM

    Thanks Alex,

    Sure. Here it is.


    SOURCE

    Agent Name                      deleted
    Host Name                       deleted
    Host IP Address                 deleted
    User Name                       NT AUTHORITY\SYSTEM
    Agent Version                   6.0.0.380
    OS Type                         Windows
    OS Version                      Server 2003 Service Pack 2
    Agent Type                      CSP Native Agent

    EVENT

    Event Type                      Process Access
    Event Category                  Real Time - Prevention
    Operation                       OpenProcess
    Event Severity                  Warning
    Event Priority                  45
    Acknowledgement Status          false
    Event Date                      31-Mar-2014 15:29:22 BST
    Post Date                       31-Mar-2014 15:29:23 BST
    Post Delay                           00:00:01
    Event Count                     1
    Event ID                        124827

    DETAILS

    Description                     Process Modification Allowed for (SVCHOST.EXE) on (E:\PROGRAM FILES\SYMANTEC\DATA CENTER SECURITY SERVER\AGENT\IPS\BIN\SISIPSSERVICE.EXE).
    Policy Name                     Domain Controller Prevention Policy
    Internal Rule                   .DN
    Process                         C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    Module Path                     \WINDOWS\SYSTEM32\AELUPSVC.DLL
    Target Process - Sandox         sdcss_agent_ps
    Target Process Name             E:\PROGRAM FILES\SYMANTEC\DATA CENTER SECURITY SERVER\AGENT\IPS\BIN\SISIPSSERVICE.EXE
    Agent State                     Prevention Globally Disabled
    Disposition                     Allow
    Sandbox                         netsvcs_ps
    Operation                       OpenProcess
    OS Result                       00000000 (SUCCESS)
    SDCSS Result                    00000000 (SUCCESS)
    Process ID                      908
    Target Process ID               2532
    Actual Permissions              001f0fff (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, v
    Caller Thread ID                1572
    Permissions Requested           001F0FFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume)
    Process Signature               Microsoft OS Component (00039437)
    Module Signature                Unsigned (00000000)



  • 4.  RE: Windows User Experience preventions
    Best Answer

    Posted Mar 31, 2014 11:27 AM

    Hmm.  It looks like it's the Application Experience rather than User Experience:

    The Application Experience Lookup Service is a part of the Application Compatibility Administrator. The Application Experience Lookup Service provides support for Windows Server 2003 computers on a domain. This service reports on compatibility issues and automatically applies software updates to programs. 
    
    The Application Experience Lookup Service must be running for the software updates be applied. You cannot customize the Application Experience Lookup Service. This service is used by the operating system internally. This service does not use any Active Directory, network, or Internet resources. 
    
    The functionality of the Application Experience Lookup Service can be disabled through Group Policy settings for program compatibility. When this setting is disabled, the service will continue to run, but no calls will be made to the service. The service cannot be stopped or disabled.


    So it looks like it's just going through the system looking for updates.


    I would disable that service as per the instructions in http://support.microsoft.com/kb/902196 and see if it's still calling these things.  If it's still calling those processes then it's been hijacked by something.



  • 5.  RE: Windows User Experience preventions

    Posted Apr 01, 2014 04:10 AM

    Good suggestion. I'm going to try to push this through today. I'll post back results.



  • 6.  RE: Windows User Experience preventions

    Posted Apr 01, 2014 05:11 AM

    Let me know how you get on.  I assume this is a 2003 box; I've done plenty of 2003 boxes with CSP and haven't seen that DLL, from my sketchy memory.



  • 7.  RE: Windows User Experience preventions

    Posted Apr 01, 2014 10:47 AM

    Unfortunately there isn't anything in that KB that tells you where to go to disable App experience. It seems though that the issue might be agent related.



  • 8.  RE: Windows User Experience preventions

    Posted Apr 02, 2014 10:56 AM

    Worked out how to disable via GPO. The detections stopped. Looks like it is just something that DSS 6 is picking up that CSP did not.

    Has OpenProcess always been detected as a write to the process? I'm not convinced it should be a write... it's causing lots of false positives and the only way to prevent them is to turn off process mod prevention. Not something I'm overly keen to do.



  • 9.  RE: Windows User Experience preventions

    Posted Apr 04, 2014 07:09 AM

    Hmm.... My logic would have it down as a read of the process, not a write.  What sort of processes are logging these?  Is it all?  Some?  What type of processes?
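The read-versus-write question in the two posts above can be settled from the event itself: the Permissions Requested field is the raw access mask passed to OpenProcess. The following Python is an added example, not code from this thread or from Symantec, that decodes that mask with the PROCESS_* and standard-right bit values from the Windows SDK (winnt.h) and parses the fields of a pasted event block. The split of rights into "read" and "write", the field names it looks for, and the SISIPSSERVICE check are the example's own assumptions, not DSS's rule set; the sample event is constructed from the values posted earlier in the thread.

```python
"""Decode the 'Permissions Requested' mask of a DSS/CSP Process Access event."""
import re

# PROCESS_* and standard access-right bit values from the Windows SDK (winnt.h).
PROCESS_RIGHTS = {
    0x00000001: "terminate",
    0x00000002: "create_thread",
    0x00000004: "set_sessionid",
    0x00000008: "vm_operation",
    0x00000010: "vm_read",
    0x00000020: "vm_write",
    0x00000040: "dup_handle",
    0x00000080: "create_process",
    0x00000100: "set_quota",
    0x00000200: "set_information",
    0x00000400: "query_information",
    0x00000800: "suspend_resume",
    0x00001000: "query_limited_information",  # Vista and later only
    0x00010000: "delete",
    0x00020000: "read_control",
    0x00040000: "write_dac",
    0x00080000: "write_owner",
    0x00100000: "synch",
}
KNOWN_BITS = 0
for _bit in PROCESS_RIGHTS:
    KNOWN_BITS |= _bit

# PROCESS_ALL_ACCESS for the two SDK generations. The Server 2003 value is
# exactly the 001F0FFF that appears in the events above.
PROCESS_ALL_ACCESS_2003 = 0x001F0FFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
PROCESS_ALL_ACCESS_VISTA = 0x001FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# Rights that let the holder alter the target (memory, threads, lifetime, quota,
# security descriptor). This split is the example's own assumption, not a DSS rule.
WRITE_RIGHTS = frozenset({
    "terminate", "create_thread", "set_sessionid", "vm_operation", "vm_write",
    "dup_handle", "create_process", "set_quota", "set_information",
    "suspend_resume", "delete", "write_dac", "write_owner",
})


def decode_mask(mask):
    """Return (right names set in mask, in bit order; leftover bits with no name)."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    return names, mask & ~KNOWN_BITS


def classify(mask):
    """'write' if any right in the mask can alter the target, otherwise 'read'."""
    names, _ = decode_mask(mask)
    return "write" if WRITE_RIGHTS.intersection(names) else "read"


# Field labels are followed by a run of spaces in the pasted events; the
# two-space requirement keeps 'Process' from matching 'Process ID' etc.
_FIELD = re.compile(
    r"^\s*(Process|Module Path|Target Process Name|Permissions Requested|"
    r"Module Signature)\s{2,}(\S.*?)\s*$")


def parse_event(text):
    """Pull the fields this triage needs out of a pasted DSS event block."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    hexmask = re.match(r"([0-9A-Fa-f]{8})", fields.get("Permissions Requested", ""))
    fields["mask"] = int(hexmask.group(1), 16) if hexmask else None
    return fields


def triage(text):
    """Summarise one Process Access event the way a policy tuner would read it."""
    ev = parse_event(text)
    names, unknown = decode_mask(ev["mask"])
    target = (ev.get("Target Process Name") or "").upper()
    return {
        "caller": ev.get("Process"),
        "module": ev.get("Module Path"),
        "target": ev.get("Target Process Name"),
        "rights": names,
        "unknown_bits": unknown,
        "class": classify(ev["mask"]),
        "all_access": ev["mask"] in (PROCESS_ALL_ACCESS_2003, PROCESS_ALL_ACCESS_VISTA),
        "module_unsigned": ev.get("Module Signature", "").startswith("Unsigned"),
        "targets_agent": "SISIPSSERVICE" in target,  # assumption: the agent's own binary name
    }


# Constructed sample: the relevant lines of the second event in this thread.
SAMPLE_EVENT = """\
Event Type                      Process Access
Operation                       OpenProcess
Process                         C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
Module Path                     \\WINDOWS\\SYSTEM32\\AELUPSVC.DLL
Target Process Name             E:\\PROGRAM FILES\\SYMANTEC\\DATA CENTER SECURITY SERVER\\AGENT\\IPS\\BIN\\SISIPSSERVICE.EXE
Process ID                      908
Target Process ID               2532
Permissions Requested           001F0FFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume)
Process Signature               Microsoft OS Component (00039437)
Module Signature                Unsigned (00000000)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key:15} {value}")
```

Run against the sample, `triage` reports class "write" and all_access True: 001F0FFF is PROCESS_ALL_ACCESS as defined for Server 2003, so the caller asked for vm_write, create_thread and terminate along with everything else. A product that judges an OpenProcess by the rights requested has to log that as a modification whatever the caller then does with the handle; a caller that only wants to read would have asked for something like 0x0410 (vm_read | query_information), which the same logic classifies as "read". Decoding a Vista-era 001FFFFF mask leaves 0xE000 in unknown_bits, since those bits have no named right.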



  • 10.  RE: Windows User Experience preventions

    Posted Apr 04, 2014 10:22 AM

    It was primarily C:\PROGRAM FILES\JAVA\JRE6\BIN\JQS.EXE and SISIPSSERVICE.



  • 11.  RE: Windows User Experience preventions

    Posted Apr 04, 2014 11:37 AM

    Strange, JQS is just the Java QuickStart loader.  Nothing dodgy or nefarious about that.  I can understand any process action on SISIPSSERVICE throwing a wobbly, as it's just protecting itself.  No system should be altering or even asking for things to do with the Agent.  They can be safely ignored or removed from logging.