[SID: 23179] Intrusion Detection alerts received on a Symantec Endpoint Protection client for ntoskrnl.exe
Last Updated February 07, 2014
Why am I receiving alerts for ntoskrnl.exe on a SEP client? Is SEP truly blocking a legitimate Windows process or is this some type of attack?
Logs will contain alerts very similar to the following:
Severity: Critical, Event: Intrusion Detection System, Description: [SID: 23179] MSRPC Server Service BO detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
This may also be listed as "OS Attack: MSRPC Server Service RPC CVE-2008-4250"
This is an Intrusion Prevention System (IPS) alert. It most likely indicates that a threat is trying to exploit the Windows vulnerability in the Server service's handling of MSRPC requests, as described in Microsoft Security Bulletin MS08-067. The best-known threat to target this vulnerability is the W32.Downadup (also known as Conficker) family of worms.
Check for any detections of W32.Downadup or other threats within your environment, and take steps to isolate and then clean the affected systems.
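An added triage example for the step above (not Symantec code): it filters exported alert records for this signature, by SID tag or by the alternate name, and groups them by remote address so that addresses reported by several clients can be checked for W32.Downadup first. The tab-separated layout (client, remote address, description), the host names and the addresses are constructed assumptions; only the description text follows the alert quoted in this article.

```python
import re

# Signature identifiers quoted in this article.
SID_TAG = re.compile(r"\[SID:\s*23179\]")
ALT_NAME = "OS Attack: MSRPC Server Service RPC CVE-2008-4250"

# Constructed sample export. Assumed layout, not a documented SEP format:
# client <TAB> remote address <TAB> description
SAMPLE = "\n".join([
    "WS-014\t10.0.5.23\tSeverity: Critical, Event: Intrusion Detection System, "
    "Description: [SID: 23179] MSRPC Server Service BO detected.",
    "WS-020\t10.0.5.23\tSeverity: Critical, Event: Intrusion Detection System, "
    "Description: OS Attack: MSRPC Server Service RPC CVE-2008-4250",
    "WS-014\t10.0.7.90\tSeverity: Critical, Event: Intrusion Detection System, "
    "Description: [SID:23179] MSRPC Server Service BO detected.",
    "WS-031\t10.0.9.4\tSeverity: Minor, Event: Intrusion Detection System, "
    "Description: [SID: 99999] Constructed unrelated signature.",
    "truncated line without tabs",
])

def is_sid_23179(description):
    """True if the description carries the SID tag or the alternate name."""
    return bool(SID_TAG.search(description)) or ALT_NAME in description

def triage(export_text):
    """Return (sources, skipped): sources maps each remote address to the set
    of clients that blocked SID 23179 traffic from it; skipped counts lines
    that did not fit the assumed three-field layout."""
    sources, skipped = {}, 0
    for line in export_text.splitlines():
        fields = line.split("\t", 2)
        if len(fields) != 3:
            skipped += 1
            continue
        client, remote, description = (f.strip() for f in fields)
        if is_sid_23179(description):
            sources.setdefault(remote, set()).add(client)
    return sources, skipped

def ranked_sources(export_text):
    """Remote addresses ordered by how many distinct clients reported them."""
    sources, _ = triage(export_text)
    return sorted(sources, key=lambda r: (-len(sources[r]), r))

if __name__ == "__main__":
    found, _ = triage(SAMPLE)
    for remote in ranked_sources(SAMPLE):
        print(remote, sorted(found[remote]))
```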