I would try a different USB key and see if it creates another registry 
entry.  My understanding (not having looked at it recently) is that it 
creates an entry for each USB device it sees, so putting the same one back 
in may not change anything because the entry already exists.

--
Jim Clausing
GCFA, GCIA, GCIH, GCFW, GSIP, GSOC, GREM, CISSP, CCSA

On or about Tue, 25 Mar 2008, David Williams pontificated thusly:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chuck,
>       That exhausts what little I know about OSSEC on Windows.  I would 
> expect someone else to be able to help out with better ideas.
>       -David
>
> Chuck Braden wrote:
> | Tried the same USB today. No integrity scan hash change. Stopped and 
> started task with media in and then ejected and stopped/started again. Still 
> no email of hash change.
> |
> |>>> David Williams <[EMAIL PROTECTED]> 3/24/2008 6:08 PM >>>
> |
> | Chuck,
> |     Did you give OSSEC time to rescan?  I think within the <syscheck> 
> block, the <frequency> block is the time between scans in seconds; I think 
> the default is once every 4 hours.  You may want to restart OSSEC when testing 
> integrity checking to be sure the files/registry are rescanned.
> |     -David
> |
> |
> | Chuck Braden wrote:
> | | Yep, I tried the same thumb drive out and in a couple of times and no 
> such message.  Interesting.
> | |
> | |>>> David Williams <[EMAIL PROTECTED]> 3/24/2008 1:56 PM >>>
> | |
> | | Well, I can't really speak for Windows users, but I'm pretty sure the 
> Enum registry keys below should change whenever there is a change to the 
> storage systems available (such as a USB key being loaded or unloaded).  And 
> I wouldn't be too surprised that A/V software also kept track of storage 
> systems available and whether they have been scanned or not.  I don't think I 
> would worry about these -- but I might swap USB keys a couple times and wait 
> to see if OSSEC warns about the same keys (as I would expect it to).
> | | I hope that helps,
> | | -David
> | |
> | | Chuck Braden wrote:
> | | | I received a notification this morning on MY desktop regarding a hash 
> change. They seem to be for Symantec AV registry keys.  Nothing changed (that 
> I know of) on my system, other than a USB thumb drive was ejected.  Any idea 
> where I can get some more details on what this was flagging?
> | | |
> | | |>>> OSSEC HIDS <> 3/24/2008 10:04 AM >>>
> | | | OSSEC HIDS Notification.
> | | | 2008 Mar 24 10:04:11
> | | |
> | | | Received From: (jcbgateway) someIPhere->syscheck-registry
> | | | Rule: 550 fired (level 7) -> "Integrity checksum changed."
> | | | Portion of the log(s):
> | | |
> | | | Integrity checksum changed for: 
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum'
> | | | Old md5sum was: 'fbec8592b945ad389ff95b69990f7e0e'
> | | | New md5sum is : 'df381861064740470a5ac7518b3a166e'
> | | | Old sha1sum was: 'f5fca98d8bded7f4dd89597ebb9a8f46d898e255'
> | | | New sha1sum is : '07421beef1a6cd6e394618aa6055a909267a1f2a'
> | | |
> | | |
> | snip
> | |
> |
>
> - --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/
>
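An added example, not from the thread, of how the `<syscheck>` tuning discussed above looks in an OSSEC Windows agent configuration: an explicit `<frequency>`, the monitored registry subtree, and a `<registry_ignore>` for the `Disk\Enum` key that is rewritten whenever removable storage is attached or removed. The 3600-second interval is an illustrative choice for testing, not OSSEC's default.

```xml
<ossec_config>
  <syscheck>
    <!-- Seconds between full integrity scans. 3600 is an illustrative value
         so that a USB-key test produces an alert within the hour; restarting
         the agent forces an immediate rescan, as noted in the thread. -->
    <frequency>3600</frequency>

    <!-- Registry subtree to checksum (adjust to the host's policy). -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

    <!-- Volatile key from the rule 550 alert above: it changes on every disk
         attach/detach. Ignoring it suppresses that noise while the rest of
         the Services subtree stays monitored. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum</registry_ignore>
  </syscheck>
</ossec_config>
```

Whether to ignore the key is a policy decision: on a host where removable media is restricted, a change to `Disk\Enum` is exactly the event worth alerting on.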
