Hi,
I have two virtualization environments for capture client. One is VMWare Server 1.0.7 and the other is VMWare ESXi 2.0. I installed capture client 2.5.1-389 on each virtualization environment. After that, I tested each capture client with 100 URLs, some of which are malicious but not all. The capture client on VMWare Server seems to work very well. However, the capture client on ESXi doesn't work. That is, the capture client on ESXi says all URLs are malicious because svchost.exe writes files to the Internet temporary directory, such as:
"file","12/11/2008 2:39:23.704","C:\WINDOWS\system32\svchost.exe","Write","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat","-1"
I wonder whether svchost.exe is malicious or not. I guess it is not malicious, so I added svchost.exe to the process exclusion list. After that, the capture client does not find any malicious URLs. The capture client on VMWare Server found a malicious URL which changes a registry key related to the firewall policy, as follows:
"registry","6/11/2008 12:4:9.357","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\1043:UDP","-1"
I guess the capture client on ESXi still has a problem.
Has anybody met the same problem?
I have no idea why the results of the two capture clients are different. Does anybody have a good idea how to fix the problem?
Best Regards, S. Jung
_______________________________________________ Capture-HPC mailing list Capture-HPC@public.honeynet.org https://public.honeynet.org/mailman/listinfo/capture-hpc
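The post above adds the whole of svchost.exe to the process exclusion list, which also hides anything else svchost.exe might write. The following is an added example, not code from the Capture-HPC project or from the poster, showing a narrower alternative: parse the quoted log lines and exclude only the matching (event type, process, action, path) combination, so that the BITS queue file write (qmgr*.dat, which BITS maintains from inside an svchost.exe process) is ignored while other writes by the same process still count. The rule format, the `EXCLUSIONS` and `BLANKET_EXCLUSIONS` lists, and the second file event in `SAMPLE_LOG` are assumptions constructed for this example; they are not the Capture-HPC exclusion-list syntax or real observations.

```python
import csv
import re
from io import StringIO

# Constructed sample in the same shape as the log lines quoted in the post:
# type, timestamp, process, action, object, flag. The "dropped.dll" line is
# made up for this example; the other two are the lines from the post.
SAMPLE_LOG = r'''"file","12/11/2008 2:39:23.704","C:\WINDOWS\system32\svchost.exe","Write","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat","-1"
"file","12/11/2008 2:39:24.010","C:\WINDOWS\system32\svchost.exe","Write","C:\WINDOWS\system32\dropped.dll","-1"
"registry","6/11/2008 12:4:9.357","C:\Program Files\Internet Explorer\IEXPLORE.EXE","SetValueKey","HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\1043:UDP","-1"
'''

# Rule format assumed for this example: (event type, process regex, action,
# object regex). All four parts must match for an event to be excluded.
EXCLUSIONS = [
    # BITS keeps its job queue in qmgr<N>.dat under the Downloader directory;
    # exclude exactly that write and nothing else svchost.exe does.
    ("file", r"C:\\WINDOWS\\system32\\svchost\.exe", "Write",
     r"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Network\\Downloader\\qmgr\d\.dat"),
]

# Equivalent of putting svchost.exe on the process exclusion list: every file
# write by that process is ignored, whatever the target path.
BLANKET_EXCLUSIONS = [
    ("file", r"C:\\WINDOWS\\system32\\svchost\.exe", "Write", r".*"),
]


def parse_log(text):
    """Parse Capture-HPC style CSV log lines into event dicts."""
    events = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 6:
            continue  # skip blank or malformed lines
        etype, ts, process, action, obj, flag = rec
        events.append({"type": etype, "time": ts, "process": process,
                       "action": action, "object": obj, "flag": flag})
    return events


def is_excluded(event, rules):
    """True if some rule matches the event on type, process, action and object."""
    for etype, proc_re, action, obj_re in rules:
        if (event["type"] == etype and event["action"] == action
                and re.fullmatch(proc_re, event["process"], re.IGNORECASE)
                and re.fullmatch(obj_re, event["object"], re.IGNORECASE)):
            return True
    return False


def classify(text, rules=EXCLUSIONS):
    """Return the events that survive the exclusion list.

    A non-empty result is what makes the client report the visited URL as
    malicious, so the goal is a list that is empty for benign background
    activity and non-empty for the firewall-policy registry change.
    """
    return [e for e in parse_log(text) if not is_excluded(e, rules)]


if __name__ == "__main__":
    for name, rules in (("narrow", EXCLUSIONS), ("blanket", BLANKET_EXCLUSIONS)):
        print(f"--- {name} exclusion list ---")
        for e in classify(SAMPLE_LOG, rules):
            print(f'{e["type"]:8} {e["action"]:12} {e["object"]}')
```

With the narrow list, the qmgr1.dat write disappears but the second svchost.exe write and the GloballyOpenPorts registry change are still reported; with the blanket list, the second svchost.exe write is silently dropped as well, which is the cost of excluding a process wholesale.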