Hi Ozgur,

This is strange.. svchost.exe should not be running outside of the system32 dir on a 32 bits system. Did you run an anti-virus in this box to see what it finds? This is the first time I see a false positive in this check. (in fact, all the times I saw it alerting was on real malware)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Feb 15, 2010 at 5:40 AM, Ozgur Ozdemircili <[email protected]> wrote:
> Hi,
>
> Today I got this from one of our servers.
>
> Received From: (E-Business) 10.xx.xx.xx->rootcheck
> Rule: 513 fired (level 9) -> "Windows malware detected."
> Portion of the log(s):
>
> Windows Malware: Possible Malware - Svchost running outside system32.
> Process: svchost.exe.
>
> Searching the lists there seems to be a bug on 64 bit OS's.
>
> http://www.mail-archive.com/[email protected]/msg02182.html
>
> Yet the interesting thing is the server is clean and it is NOT a 64 bit.
>
> Any ideas?
>
>
>
> Özgür Özdemircili
>
