Suspicious behaviour in \\.\globalroot

I've just noticed that SEC is reporting suspicious behaviour of a file on one of our servers, but it is in \\.\globalroot...

HIPS/RegMod-002 is the reported behaviour for file lmie.tmp\lmi_rescue.exe, which I am fairly certain will be something to do with LogMeIn, which is installed on certain workstations and we will have used with third parties dialling in remotely. Using the Sophos knowledgebase, as expected, the RegMod-002 description is vague at best, due to the nature of the alert.

Now, I'm not too bothered on this one as I think it's safe and it has been blocked as it should've been, but how on earth can I obtain a copy of the file for sample submission, even if only for future reference if I see anything similar again?!

I have tried to "Clean up detected items..." but nothing shows up. All that is left for me to do is "Acknowledge alerts and errors...", so I assume that the file isn't there anymore.

Any thoughts would be appreciated.

  • Hello David,

    the computer details window should show you the path to the file. You'll see a path like this e.g. during logon in a domain and further "down" is the interesting part like \\.\globalroot\device\...\your.domain\netlogon\suspicious.exe.

    But if you think it's legitimate you simply authorize it in the policy (Edit policy -> Authorization ... -> tab Suspicious).

    HTH

    Christian

  • Christian,

    Thanks for the reply.

    The computer details window is exactly where I discovered the filepath initially. Thanks for the advice on authorisation, but at this moment, it's not what I am aiming to do, especially as it is on a server. My concern is that the file - to my knowledge - was not run by either myself or the Network Manager, so I would like to get the file sample submitted to Sophos.

    So, in short, the question I am asking, is... Where can I obtain these files?

    Thanks again,

  • So what's the filepath? You could also check the computer's anti-virus log (sav.txt).

    Christian

  • The filepath is showing as:

    \\.\globalroot\device\harddiskdmvolumes\physicaldmvolumes\blockvolume1\winnt\lmie.tmp\lmi_rescue.exe

    I think I'm having a bit of a brain drain - but I just can't think how or where to get that file from (if it still exists)

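Turning a \\.\globalroot path like the one above into a drive-letter path, as an added example that is not part of the thread: the NT device name after \\.\globalroot is matched against the device-to-drive-letter table that Windows' QueryDosDevice returns. SAMPLE_DEVICE_MAP below is a constructed table (the BlockVolume1 -> D: mapping is made up for the example); on a Windows host live_device_map() builds the real one, elsewhere it returns an empty table.

```python
import sys
from typing import Dict, Optional

# Constructed sample of the NT device -> drive letter table; real values
# come from QueryDosDevice on the affected machine.
SAMPLE_DEVICE_MAP: Dict[str, str] = {
    r"\Device\HarddiskVolume1": "C:",
    r"\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1": "D:",
}

GLOBALROOT_PREFIX = r"\\.\globalroot"


def live_device_map() -> Dict[str, str]:
    """On Windows, query kernel32!QueryDosDeviceW for every drive letter; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import ctypes
    import string
    kernel32 = ctypes.windll.kernel32
    buf = ctypes.create_unicode_buffer(1024)
    table: Dict[str, str] = {}
    for letter in string.ascii_uppercase:
        drive = f"{letter}:"
        # buf.value holds the first (current) NUL-terminated target for the drive letter.
        if kernel32.QueryDosDeviceW(drive, buf, 1024):
            table[buf.value] = drive
    return table


def resolve_globalroot(path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Translate \\.\globalroot\Device\...\file into X:\...\file, or None if unresolvable."""
    if not path.lower().startswith(GLOBALROOT_PREFIX.lower()):
        return None
    nt_path = path[len(GLOBALROOT_PREFIX):]
    # Require a trailing backslash and prefer the longest device name, so that
    # \Device\HarddiskVolume1 does not wrongly match \Device\HarddiskVolume10\...
    candidates = [d for d in device_map
                  if nt_path.lower().startswith(d.lower() + "\\")]
    if not candidates:
        return None
    device = max(candidates, key=len)
    return device_map[device] + nt_path[len(device):]


if __name__ == "__main__":
    sample = r"\\.\globalroot\device\harddiskdmvolumes\physicaldmvolumes\blockvolume1\winnt\lmie.tmp\lmi_rescue.exe"
    print(resolve_globalroot(sample, live_device_map() or SAMPLE_DEVICE_MAP))
```

Once resolved, the directory can be checked with Explorer or dir; if the folder is gone, the file was most likely created and removed dynamically, as the thread suspects.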
  • Yikes! ;)

    Don't expect me to know anything about the disk manager and how it calls the devices but before despairing I'd look for a folder named WINNT on one of the local disks (probably the first one). If lmie.tmp is indeed a tmp-folder it might have been created/deleted dynamically.

    You could try Move as cleanup option (in the policy) though (if it has been blocked anyway this should do no harm). 

    Christian 

  • Liking the answer - because I've done just that, but the file is not there. With the amount of excellent advice you dish out in the forum, it's nice to know I've been thinking on the same wavelength!

    I will keep searching, but assume, like you've said it may have been deleted dynamically in any case.

    Thanks for all the suggestions :)

  • Thanks for the praise. So you've probably also thought of using Sysinternals' Process Monitor (I just mention it for the others reading this thread, of course). ;)

    Anyway, please let us know if you find something

    Christian

  • Yeees.... Sysinternals' Process Monitor... that's the one. It's running now... :P

    Never heard of it, but will look into it :)

    As ever, if I do find anything extra, will post
