?
Solved

OSSEC Reporting Registry Changes

Posted on 2014-04-14
3
Medium Priority
?
603 Views
Last Modified: 2014-04-15
I have gotten alerts for the following registry change a few nights in a row:

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727\Names'

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum'


I've ran scans using multiple tools and cannot find anything irregular.  I've also reviewed all firewall rules for the offending machines and don't see anything unusual.  These machines have no outside internet so its easy to review.

Is it normal for these registry values to change?  Are they false alarms in OSSEC?  I cant seem to find much information about them.
0
Comment
Question by:AllDaySentry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000595
What values is it saying changed? If it's only giving you a check-sum, then you need to write down what the values are from day to day...
C:\Users\rich>reg query HKLM\System\CurrentControlSet\Services\hidusb\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum
    Count    REG_DWORD    0x3
    NextInstance    REG_DWORD    0x3
    1    REG_SZ    USB\VID_413C&PID_2011&MI_00\7&146842b9&0&0000
    0    REG_SZ    USB\VID_413C&PID_2011&MI_01\7&146842b9&0&0001
    2    REG_SZ    USB\VID_046D&PID_C05A\6&223d6cf2&0&4

Open in new window

This could be a USB printer rebooting, a wireless mouse going to sleep etc... OSSEC can false-positive, but it typically is just very verbose.
-rich
0
 

Author Comment

by:AllDaySentry
ID: 40002539
I only have the checksums at this point.  I didnt realize this value can change every time the USB device reboots or goes to sleep.  

That would make sense why I am seeing it now.  The attached devices are probably being powered off for weekly maintenance, etc.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 40002557
It never hurts to investigate, I may be wrong, but I've seen that before where a printer goes to sleep/reboots and ossec registers some change there.
-rich
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What we learned in Webroot's webinar on multi-vector protection.
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question