Re: Unknown Process/Service: eventm (Event Manager)



Alergy wrote:
Hi,

We had a security breach on a server yesterday. Looking through the processes, the following process caught my eye: c:\windows\system32\eventm.exe

Its properties call it the "Services and Controller app" and it runs as a Service called "Event Manager". The Service is a dependency for Event Log.

It all looks ok, but the following things concern me:

- I cannot find any information from Google or the Microsoft site on the service or the process.
- I have never seen Event Log being dependent on another Service, especially not this service.

As I can't find any relevant info, I was wondering if anyone knows anything about this process/service and whether it is genuine.

It doesn't look OK to me at all. As you say, there is nothing in a search about eventm.exe that would indicate this is a legitimate file. Take down the server, flatten it, apply your most recent backup image. Or replace it with another server running your most recent backup image and take the compromised server off the network for forensic work. You need to determine where your perimeter security fell down and plug that hole or holes.

While I always try to clean a compromised home user's machine, I don't ever suggest doing this for a business - particularly for a server which must be known-clean and secure at all times.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
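The checks below are an added example for readers doing the kind of triage described in this thread; they are not from either poster. The script assumes a modern Windows PowerShell (3.0 or later, for Get-CimInstance and Get-FileHash) and takes only the path c:\windows\system32\eventm.exe and the "Event Log" dependency from the post. It asks the questions a defender wants answered before deciding a service is genuine: what the Event Log service actually depends on, which service points at the suspect binary and under which account it runs, whether the file carries a valid Microsoft Authenticode signature, and whether its "Services and Controller app" description matches the real services.exe.

```powershell
# Added triage example (not from the original thread). Assumed from the post:
# the suspect binary path and that the EventLog service lists it as a dependency.
$SuspectBinary = Join-Path $env:SystemRoot 'System32\eventm.exe'

# 1. What does the Event Log service depend on? On a clean host this list is
#    short and contains only well-known Microsoft services, if anything at all.
$eventLog = Get-Service -Name 'EventLog'
$deps = $eventLog.ServicesDependedOn | ForEach-Object { $_.Name }
"EventLog depends on: " + ($(if ($deps) { $deps -join ', ' } else { '(nothing)' }))

# 2. Which service(s) are configured to run the suspect binary, under which
#    account, and how are they started? A non-LocalSystem/NetworkService account
#    or a recently created service here deserves a close look.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*eventm.exe*' } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Format-List

# 3. Is the binary signed by Microsoft? Genuine System32 service binaries are.
#    Record the SHA-256 and timestamps for the incident report before touching the box.
if (Test-Path -Path $SuspectBinary) {
    $item = Get-Item -Path $SuspectBinary
    $sig  = Get-AuthenticodeSignature -FilePath $SuspectBinary
    $hash = Get-FileHash -Path $SuspectBinary -Algorithm SHA256
    [pscustomobject]@{
        Path            = $SuspectBinary
        SignatureStatus = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject   # expect CN=Microsoft Windows for system files
        SHA256          = $hash.Hash
        FileDescription = $item.VersionInfo.FileDescription
        CompanyName     = $item.VersionInfo.CompanyName
        Created         = $item.CreationTime
        LastWritten     = $item.LastWriteTime
    } | Format-List
} else {
    "$SuspectBinary not present on disk (service may point at a deleted or renamed file)."
}

# 4. "Services and Controller app" is the file description of the real
#    services.exe. A second binary under a different name carrying that same
#    description is a classic masquerade, so compare the two side by side.
Get-Item -Path (Join-Path $env:SystemRoot 'System32\services.exe') |
    Select-Object -ExpandProperty VersionInfo |
    Select-Object FileName, FileDescription, CompanyName, FileVersion, ProductVersion
```

Run it from an elevated prompt on the suspect host (or against a disk image mounted elsewhere, adjusting the paths) and keep the output with the evidence; on a Server 2003-era machine without PowerShell 3, `Get-WmiObject Win32_Service` gives the same information as step 2 and `certutil -hashfile` can stand in for Get-FileHash. A "NotSigned" status, a non-Microsoft signer, a creation time that lines up with the breach, or a mismatched file description each independently supports the advice above to take the server off the network and rebuild it rather than try to clean it.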


