Solved

OSSEC Reporting Registry Changes

Posted on 2014-04-14
3
576 Views
Last Modified: 2014-04-15
I have gotten alerts for the following registry change a few nights in a row:

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727\Names'

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum'


I've ran scans using multiple tools and cannot find anything irregular.  I've also reviewed all firewall rules for the offending machines and don't see anything unusual.  These machines have no outside internet so its easy to review.

Is it normal for these registry values to change?  Are they false alarms in OSSEC?  I cant seem to find much information about them.
0
Comment
Question by:AllDaySentry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000595
What values is it saying changed? If it's only giving you a check-sum, then you need to write down what the values are from day to day...
C:\Users\rich>reg query HKLM\System\CurrentControlSet\Services\hidusb\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum
    Count    REG_DWORD    0x3
    NextInstance    REG_DWORD    0x3
    1    REG_SZ    USB\VID_413C&PID_2011&MI_00\7&146842b9&0&0000
    0    REG_SZ    USB\VID_413C&PID_2011&MI_01\7&146842b9&0&0001
    2    REG_SZ    USB\VID_046D&PID_C05A\6&223d6cf2&0&4

Open in new window

This could be a USB printer rebooting, a wireless mouse going to sleep etc... OSSEC can false-positive, but it typically is just very verbose.
-rich
0
 

Author Comment

by:AllDaySentry
ID: 40002539
I only have the checksums at this point.  I didnt realize this value can change every time the USB device reboots or goes to sleep.  

That would make sense why I am seeing it now.  The attached devices are probably being powered off for weekly maintenance, etc.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 40002557
It never hurts to investigate, I may be wrong, but I've seen that before where a printer goes to sleep/reboots and ossec registers some change there.
-rich
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question