I received a notification this morning on MY desktop regarding a hash change. They seem to be for symantec AV registry keys. Nothing changed (that I know of) on my system.. other than a USB thumb drive was ejected. Any idea where I can get some more details on what this was flagging?
>>> OSSEC HIDS <> 3/24/2008 10:04 AM >>> OSSEC HIDS Notification. 2008 Mar 24 10:04:11 Received From: (jcbgateway) someIPhere->syscheck-registry Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum' Old md5sum was: 'fbec8592b945ad389ff95b69990f7e0e' New md5sum is : 'df381861064740470a5ac7518b3a166e' Old sha1sum was: 'f5fca98d8bded7f4dd89597ebb9a8f46d898e255' New sha1sum is : '07421beef1a6cd6e394618aa6055a909267a1f2a' --END OF NOTIFICATION OSSEC HIDS Notification. 2008 Mar 24 10:04:11 Received From: (jcbgateway) someIPhere->syscheck-registry Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)." Portion of the log(s): Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG' Old md5sum was: 'd750d2bf68da6170b2f21c2153052e9f' New md5sum is : 'd6c3d6e26ff4a0409e117ea8f3adb296' Old sha1sum was: '8d4691b2ddbc4d8b879e82990bb75301298af03e' New sha1sum is : '7b2cbea271fb1dc42b52fd6ef9993be228b3483f' --END OF NOTIFICATION OSSEC HIDS Notification. 2008 Mar 24 10:04:11 Received From: (jcbgateway) someIPhere->syscheck-registry Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)." Portion of the log(s): Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15' Old md5sum was: '7dd0cc4ffc1996a6463f79bbe45e5a7b' New md5sum is : '13779b3be17235b73b946deaeeeae24d' Old sha1sum was: 'f7b56139d83cff43c147251dfcfd0b19a49c03fd' New sha1sum is : '6e0ed78078a0621c406165ecc2cba462495f82e8' --END OF NOTIFICATION OSSEC HIDS Notification. 2008 Mar 24 10:04:11 Received From: (jcbgateway) someIPhere->syscheck-registry Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PartMgr\Enum' Old md5sum was: '2465bc08ee24c96a71f5ba9c6940b99a' New md5sum is : 'aac6f631fdde5d7d94831507b399c140' Old sha1sum was: '797289bb9e7ad6b6fe206300a71b9277f02c2e38' New sha1sum is : '109d58fd28f6b131d7a3924051310fdfcfbd5006' --END OF NOTIFICATION OSSEC HIDS Notification. 2008 Mar 24 10:04:11 Received From: (jcbgateway) someIPhere->syscheck-registry Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd time)." Portion of the log(s): Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPBBCDrv\Parameters' Old md5sum was: '153b492dc360e76f3c7b4cb8773e56b0' New md5sum is : 'fa7cdffcd9d50a2ea7156a1e25f28ffd' Old sha1sum was: 'ebf0d781d3c87d863737b8dc9bca708189d8a19d' New sha1sum is : 'fb6b066a729403377d01055225dcdfbace5c5901' --END OF NOTIFICATION OSSEC HIDS Notification. 2008 Mar 24 10:04:11 Received From: (jcbgateway) someIPhere->syscheck-registry Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\usbstor\Enum' Old md5sum was: 'a4219276c45e697b60ae0e601d9eb217' New md5sum is : '1da3f721a64ce699d121dc59cda77cd3' Old sha1sum was: '0b838f5e2e1d6dc8ea5170183b3aae22c569a898' New sha1sum is : '3197b53d97c594aec135dbe32a050ca20372d16c' --END OF NOTIFICATION tia matthias
