Houston Security User Group

  • 1.  Registry Leaks

    Posted Jan 13, 2013 09:11 PM

    Currently we have Windows servers with only AV/malware protection. We use an application called ImageRight; it's used for printing.

    Also, servers are at SEP 11 RU 1. We are in the process of upgrading to SEP 11 RU 3, then to 12.1.2 in the near future.

    Now for my question:

    Has anyone seen this type of error before? It's in the Event Logs as a Warning.

    There is a Windows KB article, ID 947238, which kind of relates.


    DETAIL -

     2 user registry handles leaked from \Registry\User\S-1-5-21-1390108520-675970526-1691616715-84626:

    Process 376 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Printers\DevModePerUser

    Process 2068 (\Device\HarddiskVolume1\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks


    It is currently believed that SEP is causing this issue, but from my point of view I think this is a false positive. It almost makes me wonder if this is a rootkit. I have never seen this error before, and we currently have intermittent errors occurring.

    Any suggestions would be helpful.
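As an added example (not part of the original post or of any Symantec or Microsoft tooling), here is a small Python triage helper for the kind of warning quoted above. It parses the DETAIL text (re-typed here as a constructed sample) into the SID whose hive was being unloaded and the list of processes and subkeys that still held handles in it, checks that the declared handle count matches the lines that follow, and groups the holders by process image so the reviewer can see at a glance that one holder is a system service under the Printers key and the other is the security product under its own Software key. Names such as parse_leak_detail and holders_by_image are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the DETAIL text quoted in the opening post,
# re-typed here so the script runs offline without access to the event log.
SAMPLE_DETAIL = r"""2 user registry handles leaked from \Registry\User\S-1-5-21-1390108520-675970526-1691616715-84626:
Process 376 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Printers\DevModePerUser
Process 2068 (\Device\HarddiskVolume1\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1390108520-675970526-1691616715-84626\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
"""

# "<n> user registry handles leaked from \Registry\User\<SID>:"
HEADER_RE = re.compile(
    r"^(\d+) user registry handles? leaked from \\Registry\\User\\(S-[\d-]+):",
    re.IGNORECASE,
)
# "Process <pid> (<image path>) has opened key <key path>"
# The image path may itself contain parentheses, e.g. "Program Files (x86)",
# so the non-greedy group stops only at ") has opened key".
HANDLE_RE = re.compile(r"^Process (\d+) \((.+?)\) has opened key (.+)$")


@dataclass
class LeakedHandle:
    pid: int
    image_path: str   # NT device path as logged, e.g. \Device\HarddiskVolume1\...
    key: str          # full key path as logged
    subkey: str       # key path relative to the user's hive root

    @property
    def image_name(self) -> str:
        """Basename of the process image (svchost.exe, Rtvscan.exe, ...)."""
        return self.image_path.rsplit("\\", 1)[-1]


@dataclass
class LeakReport:
    sid: Optional[str]
    declared: Optional[int]            # handle count stated in the header line
    handles: List[LeakedHandle] = field(default_factory=list)

    @property
    def consistent(self) -> bool:
        """True when the header's count matches the number of Process lines parsed."""
        return self.declared is not None and self.declared == len(self.handles)


def _relative_subkey(key: str, sid: Optional[str]) -> str:
    """Strip \\REGISTRY\\USER\\<SID>\\ from the front of a key path (case-insensitive)."""
    if not sid:
        return key
    marker = "\\" + sid + "\\"
    idx = key.lower().find(marker.lower())
    return key[idx + len(marker):] if idx >= 0 else key


def parse_leak_detail(text: str) -> LeakReport:
    """Parse the DETAIL block of a 'user registry handles leaked' warning."""
    sid: Optional[str] = None
    declared: Optional[int] = None
    handles: List[LeakedHandle] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            declared, sid = int(m.group(1)), m.group(2)
            continue
        m = HANDLE_RE.match(line)
        if m:
            pid, image, key = int(m.group(1)), m.group(2), m.group(3)
            handles.append(LeakedHandle(pid, image, key, _relative_subkey(key, sid)))
    return LeakReport(sid, declared, handles)


def top_level_area(handle: LeakedHandle) -> str:
    """First component of the relative subkey, e.g. 'Printers' or 'Software'."""
    return handle.subkey.split("\\", 1)[0]


def holders_by_image(report: LeakReport) -> Dict[str, List[str]]:
    """Group leaked subkeys by (lower-cased) process image name."""
    out: Dict[str, List[str]] = {}
    for h in report.handles:
        out.setdefault(h.image_name.lower(), []).append(h.subkey)
    return out


if __name__ == "__main__":
    rep = parse_leak_detail(SAMPLE_DETAIL)
    print(f"SID {rep.sid}: declared={rep.declared} parsed={len(rep.handles)} "
          f"consistent={rep.consistent}")
    for h in rep.handles:
        print(f"  pid={h.pid:<6} {h.image_name:<12} area={top_level_area(h):<9} {h.subkey}")
```

Run over a real event, the same parser lets you collect these warnings from several servers and count how often each image and subkey appears; a holder that shows up under Printers on every affected host points at the print path the thread later identifies, while a holder that appears only when a particular scan task runs points at the security product's schedule instead.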




  • 2.  RE: Registry Leaks

    Posted Jan 13, 2013 09:14 PM

    What happens if you disable SEP? Or even uninstall?

    When did it start? When SEP was installed?



  • 3.  RE: Registry Leaks

    Posted Jan 13, 2013 09:28 PM

    Have not tried this, as I just found out about this late Friday. There is some type of conflict even when we exclude the folders and extensions. SEP was installed well over 2 years ago. We have had multiple issues and cannot narrow them down. This error is the first time I have seen this in the Event Logs. These are production systems and we don't want to remove security from them. I have even thought of upgrading this to SEP 12, as this event took 2 servers down for well over 2 hours. This has never happened before.




  • 4.  RE: Registry Leaks

    Posted Jan 13, 2013 09:31 PM

    I am now wondering if this is a Java issue.



  • 5.  RE: Registry Leaks

    Posted Jan 13, 2013 09:34 PM

    Can you try turning off Auto-Protect for a short period of time to see what the result is?



  • 6.  RE: Registry Leaks

    Posted Jan 13, 2013 09:44 PM

    That would be good, except the errors only occur maybe once or twice a month. I don't feel comfortable turning off Auto-Protect. If there is a rootkit or even a Java issue, I don't think that will help much.

    If you have any other suggestions, that would be great. You have helped me before, and I appreciate your assistance.



  • 7.  RE: Registry Leaks

    Posted Jan 13, 2013 09:51 PM

    If SEP were the problem, I would think you would see the issue come up more often.

    Have you tried running a rootkit checker such as GMER or TDSSKiller?

    Can you upgrade or just remove Java?



  • 8.  RE: Registry Leaks

    Posted Jan 13, 2013 10:24 PM

    No, I am going to do that tomorrow, I hope.

    We have a Root Cause Analysis meeting in the AM. I am going to suggest this.

    If you or anyone out there thinks of anything else, please let me know.

    I will update and see what I can come up with.




  • 9.  RE: Registry Leaks

    Posted Jan 14, 2013 12:30 AM

    From the registry value, it's pointing to printers.

    Check this discussion:

    http://social.technet.microsoft.com/Forums/eu/winserverTS/thread/acf28f00-8aba-4725-bce2-5852de895210



  • 10.  RE: Registry Leaks

    Posted Jan 14, 2013 12:46 AM

    Rafeeq,

    I just read the link from the Microsoft forum. I have a feeling this is the ticket.


    Thank you again. Both you and Brian81 have helped me in the past.