?
Solved

OSSEC Reporting Registry Changes

Posted on 2014-04-14
3
Medium Priority
?
588 Views
Last Modified: 2014-04-15
I have gotten alerts for the following registry change a few nights in a row:

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727\Names'

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum'


I've ran scans using multiple tools and cannot find anything irregular.  I've also reviewed all firewall rules for the offending machines and don't see anything unusual.  These machines have no outside internet so its easy to review.

Is it normal for these registry values to change?  Are they false alarms in OSSEC?  I cant seem to find much information about them.
0
Comment
Question by:AllDaySentry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000595
What values is it saying changed? If it's only giving you a check-sum, then you need to write down what the values are from day to day...
C:\Users\rich>reg query HKLM\System\CurrentControlSet\Services\hidusb\Enum

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hidusb\Enum
    Count    REG_DWORD    0x3
    NextInstance    REG_DWORD    0x3
    1    REG_SZ    USB\VID_413C&PID_2011&MI_00\7&146842b9&0&0000
    0    REG_SZ    USB\VID_413C&PID_2011&MI_01\7&146842b9&0&0001
    2    REG_SZ    USB\VID_046D&PID_C05A\6&223d6cf2&0&4

Open in new window

This could be a USB printer rebooting, a wireless mouse going to sleep etc... OSSEC can false-positive, but it typically is just very verbose.
-rich
0
 

Author Comment

by:AllDaySentry
ID: 40002539
I only have the checksums at this point.  I didnt realize this value can change every time the USB device reboots or goes to sleep.  

That would make sense why I am seeing it now.  The attached devices are probably being powered off for weekly maintenance, etc.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 40002557
It never hurts to investigate, I may be wrong, but I've seen that before where a printer goes to sleep/reboots and ossec registers some change there.
-rich
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question