Data Center Security

  • 1.  Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 04:34 AM

    Hi all,

    I was hoping to get some help with the following event. This is an IIS-based web server and I keep getting the below event. As far as I can tell, there is no way to whitelist this behaviour. Any tips?

     

    SOURCE

    Agent Name                      xxxx
    Host Name                      xxxx
    Host IP Address                 x.x.x.x
    User Name                       NT AUTHORITY\SYSTEM
    Agent Version                   6.0.0.380
    OS Type                         Windows
    OS Version                      Server 2008 R2 Service Pack 1
    Agent Type                      CSP Native Agent

    EVENT

    Event Type                      Process Access
    Event Category                  Real Time - Prevention
    Operation                       OpenProcess
    Event Severity                  Warning
    Event Priority                  45
    Acknowledgement Status          false
    Event Date                      12-Aug-2014 20:00:49 BST
    Post Date                       12-Aug-2014 20:00:51 BST
    Post Delay                           00:00:02
    Event Count                     1
    Event ID                        1648487

    DETAILS

    Description                     Process Modification Allowed for (W3WP.EXE) on (SYSTEM).
    Policy Name                     Web server hardened policy BETA
    Process                         C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE
    Module Path                     C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
    Target Process - Sandox         kernel_ps
    Target Process Name             SYSTEM
    Agent State                     Prevention Globally Disabled
    Disposition                     Allow
    Sandbox                         iis_ps
    Operation                       OpenProcess
    OS Result                       00000000 (SUCCESS)
    SDCSS Result                    00000000 (SUCCESS)
    Process ID                      9440
    Target Process ID               4
    Actual Permissions              001fffff (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, v
    Caller Thread ID                10236
    Permissions Requested           001FFFFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume, query_limited_information)
    Process Signature               Microsoft OS Component (00039437)
    Module Signature                Unsigned (00000000)
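    As an added example (not part of this thread and not CSP's own tooling), a small triage script that parses an event dump in the key/value layout shown above, decodes the OpenProcess access mask into the right names the event lists, and flags write-class rights requested against the System process (PID 4); the event excerpt is constructed, and the bit values are the standard winnt.h PROCESS_* and standard access rights.

```python
import re

# Win32 process access-right bits (winnt.h); names match the event's wording.
PROCESS_RIGHTS = {
    0x00001: "terminate", 0x00002: "create_thread", 0x00004: "set_sessionid",
    0x00008: "vm_operation", 0x00010: "vm_read", 0x00020: "vm_write",
    0x00040: "dup_handle", 0x00080: "create_process", 0x00100: "set_quota",
    0x00200: "set_information", 0x00400: "query_information",
    0x00800: "suspend_resume", 0x01000: "query_limited_information",
    0x10000: "delete", 0x20000: "read_control", 0x40000: "write_dac",
    0x80000: "write_owner", 0x100000: "synch",
}
# Rights that let the caller alter the target rather than just observe it.
WRITE_CLASS = {"terminate", "create_thread", "vm_operation", "vm_write",
               "dup_handle", "create_process", "set_information",
               "suspend_resume", "write_dac", "write_owner"}
# Constructed excerpt in the same layout as the event in the post above.
SAMPLE_EVENT = """\
Operation                       OpenProcess
Disposition                     Allow
Agent State                     Prevention Globally Disabled
Process                         C:\\WINDOWS\\SYSWOW64\\INETSRV\\W3WP.EXE
Target Process Name             SYSTEM
Target Process ID               4
Permissions Requested           001FFFFF (delete, read_control, write_dac)
"""

def parse_event(text):
    """Split 'Key<2+ spaces>Value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S.*?)\s{2,}(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def decode_mask(mask):
    """Right names set in mask; bits with no name (0x2000-0x8000 inside
    PROCESS_ALL_ACCESS = 0x1FFFFF) are reported as bit_0x...."""
    names = [n for b, n in sorted(PROCESS_RIGHTS.items()) if mask & b]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    return names + [f"bit_{1 << i:#x}" for i in range(32) if leftover & (1 << i)]

def triage(text):
    """Flag an OpenProcess asking for write-class rights on PID 4 / SYSTEM, and
    note when it was only 'Allowed' because prevention was globally disabled."""
    f = parse_event(text)
    rights = decode_mask(int(f["Permissions Requested"].split()[0], 16))
    write = sorted(WRITE_CLASS.intersection(rights))
    on_system = f.get("Target Process ID") == "4" or f.get("Target Process Name") == "SYSTEM"
    logged_only = f.get("Disposition") == "Allow" and "Disabled" in f.get("Agent State", "")
    return {"rights": rights, "write_rights": write,
            "needs_review": on_system and bool(write), "allowed_by_prevention_off": logged_only}
```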



  • 2.  RE: Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 04:42 AM

    Have you tried right clicking on the event and creating a rule based on that?

    The Disposition looks like it would allow it.  I assume this rule was created when prevention mode was disabled?  It's put everything in the right sandboxes too.  Can you not enable prevention to see what the true error (if any) would be?



  • 3.  RE: Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 05:09 AM

    Thanks Alex! Yes, I've created a rule with the wizard to allow W3WP to have write access to SYSTEM, but it seems to just not take this rule into account, i.e. the event still fires. This makes me think it might be firing because of either a hardcoded rule, a rule further upstream (global), or because CSP just doesn't know how to whitelist "SYSTEM".

    It's a head-scratcher.



  • 4.  RE: Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 05:27 AM

    I've never seen an event display the System process.  That's essentially just a placeholder for distributing CPU and memory to other parts of the system OS and doesn't actually represent any sort of file or folder.

    Does it actually prevent anything from functioning?  



  • 5.  RE: Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 05:33 AM

    No idea. This is in prod so I can't really turn on prevention without getting this sorted first. I believe I will need to log a call. I'll post back the result.



  • 6.  RE: Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 05:34 AM

    Live policy creation on production servers?!  You are a brave man :)



  • 7.  RE: Process Modification Allowed for (W3WP.EXE) on (SYSTEM)

    Posted Aug 13, 2014 06:38 AM

    No choice in this case.