HIDS 59335
| Rule 1 | |
|---|---|
| Status | Active |
| Alert Message | Windows audit event |
Contents |
[edit] Description
Windows threat protection has indicated file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
This event generates when code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
[edit] What you should do
Investigate this further, at the very least this could indicate a failing component. Malicious code masquerading as legitimate applications will also generate errors in this category.
[edit] Troubleshooting
[edit] False Positives
There are no false positives with this rule.
[edit] Tuning Guidance
There is no guidance for tuning this rule, this is a Windows audit event and the rule should not be disabled.
[edit] Additional Information
[edit] Support
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!
[edit] Similar Rules
None.
[edit] Knowledge Base Articles
None.
[edit] Outside References
None.
