Hi all,
I was hoping to get some help with the following event. This is an IIS-based web server and I keep getting the below event. As far as I can tell, there is no way to whitelist this behaviour. Any tips?
SOURCE
Agent Name xxxx
Host Name xxxx
Host IP Address x.x.x.x
User Name NT AUTHORITY\SYSTEM
Agent Version 6.0.0.380
OS Type Windows
OS Version Server 2008 R2 Service Pack 1
Agent Type CSP Native Agent
EVENT
Event Type Process Access
Event Category Real Time - Prevention
Operation OpenProcess
Event Severity Warning
Event Priority 45
Acknowledgement Status false
Event Date 12-Aug-2014 20:00:49 BST
Post Date 12-Aug-2014 20:00:51 BST
Post Delay 00:00:02
Event Count 1
Event ID 1648487
DETAILS
Description Process Modification Allowed for (W3WP.EXE) on (SYSTEM).
Policy Name Web server hardened policy BETA
Process C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE
Module Path C:\WINDOWS\SYSTEM32\WOW64CPU.DLL
Target Process - Sandox kernel_ps
Target Process Name SYSTEM
Agent State Prevention Globally Disabled
Disposition Allow
Sandbox iis_ps
Operation OpenProcess
OS Result 00000000 (SUCCESS)
SDCSS Result 00000000 (SUCCESS)
Process ID 9440
Target Process ID 4
Actual Permissions 001fffff (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, v
Caller Thread ID 10236
Permissions Requested 001FFFFF (delete, read_control, write_dac, write_owner, synch, terminate, create_thread, set_sessionid, vm_operation, vm_read, vm_write, dup_handle, create_process, set_quota, set_information, query_information, suspend_resume, query_limited_information)
Process Signature Microsoft OS Component (00039437)
Module Signature Unsigned (00000000)
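For anyone triaging events like the one above, the useful first step is to decode the access mask rather than trust the agent's truncated permission list. The script below is an added example, not part of the original post or of the Symantec product: it parses the "Key Value" layout of the event (a constructed sample with the relevant fields is embedded), maps the requested mask to the standard Win32 process access rights from winnt.h, and flags the points a reviewer cares about: whether the mask is PROCESS_ALL_ACCESS (0x001FFFFF on Vista/2008 and later), which of the rights allow modifying rather than observing the target, whether the target PID is 4 (the Windows System process), whether the module is unsigned, and whether the disposition was Allow. The field names and the mask table are Win32 facts; the parsing of the console layout is an assumption about how the event text is laid out.

```python
"""Decode the access mask in a CSP/SDCS "Process Access" event.

Added example, not from the original post. SAMPLE_EVENT is a constructed
reproduction of the event's relevant fields in the console's "Key Value" layout;
PROCESS_RIGHTS is the standard Win32 process access-rights table (winnt.h).
"""

# Process-specific rights live in the low 16 bits; standard rights in the upper bits.
PROCESS_RIGHTS = {
    0x00000001: "terminate",
    0x00000002: "create_thread",
    0x00000004: "set_sessionid",
    0x00000008: "vm_operation",
    0x00000010: "vm_read",
    0x00000020: "vm_write",
    0x00000040: "dup_handle",
    0x00000080: "create_process",
    0x00000100: "set_quota",
    0x00000200: "set_information",
    0x00000400: "query_information",
    0x00000800: "suspend_resume",
    0x00001000: "query_limited_information",
    0x00010000: "delete",          # DELETE
    0x00020000: "read_control",    # READ_CONTROL
    0x00040000: "write_dac",       # WRITE_DAC
    0x00080000: "write_owner",     # WRITE_OWNER
    0x00100000: "synch",           # SYNCHRONIZE
}
PROCESS_ALL_ACCESS = 0x001FFFFF   # value on Vista / Server 2008 and later

# Rights that let the caller alter the target rather than merely inspect it.
WRITE_RIGHTS = {"vm_write", "vm_operation", "create_thread", "terminate",
                "suspend_resume", "set_information", "dup_handle",
                "write_dac", "write_owner"}

# Constructed sample of the event fields, one "Key Value" pair per line.
SAMPLE_EVENT = """\
Operation OpenProcess
Process C:\\WINDOWS\\SYSWOW64\\INETSRV\\W3WP.EXE
Module Path C:\\WINDOWS\\SYSTEM32\\WOW64CPU.DLL
Target Process Name SYSTEM
Disposition Allow
Process ID 9440
Target Process ID 4
Permissions Requested 001FFFFF (delete, read_control, write_dac)
Module Signature Unsigned (00000000)
"""

# Known keys; matched longest-first so "Process ID" is not read as "Process".
FIELDS = ("Operation", "Process", "Module Path", "Target Process Name",
          "Disposition", "Process ID", "Target Process ID",
          "Permissions Requested", "Module Signature")


def parse_event(text):
    """Split 'Key Value' lines into a dict using the known multi-word keys."""
    record = {}
    for line in text.splitlines():
        for key in sorted(FIELDS, key=len, reverse=True):
            if line.startswith(key + " "):
                record[key] = line[len(key) + 1:].strip()
                break
    return record


def mask_from_field(value):
    """'001FFFFF (delete, ...)' -> 0x1FFFFF; the hex token always comes first."""
    return int(value.split()[0], 16)


def decode_mask(mask):
    """Return (names of set rights in bit order, bits the table does not name)."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unnamed = mask & ~sum(PROCESS_RIGHTS)
    return names, unnamed


def triage(text):
    """Summarise what the event actually granted, for a reviewer's checklist."""
    ev = parse_event(text)
    mask = mask_from_field(ev["Permissions Requested"])
    names, unnamed = decode_mask(mask)
    return {
        "mask": mask,
        "all_access": mask == PROCESS_ALL_ACCESS,
        "rights": names,
        "write_rights": sorted(set(names) & WRITE_RIGHTS),
        "unnamed_bits": unnamed,
        "target_is_system_process": ev.get("Target Process ID") == "4",
        "module_unsigned": ev.get("Module Signature", "").startswith("Unsigned"),
        "allowed": ev.get("Disposition") == "Allow",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run against the sample, the decoder confirms the mask is PROCESS_ALL_ACCESS, that nine of the eighteen named rights are write-class (including vm_write and create_thread), and that bits 0x2000, 0x4000 and 0x8000 are set but have no name in the table, which is why the agent's list stops at query_limited_information. That decoding does not say why w3wp.exe requested a handle to PID 4; it only makes precise what an "Allow" disposition on this event permitted.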