Re: Unknown Process/Service: eventm (Event Manager)



Alergy wrote:
Hi,

We had a security breach on a server yesterday. Looking through the processes, the following process caught my eye: c:\windows\system32\eventm.exe

Its properties call it the "Services and Controller app" and it runs as a Service called "Event Manager". The Service is a dependency for Event Log.

It all looks ok, but the following things concern me:

- I cannot find any information from Google or the Microsoft site on the service or the process.
- I have never seen Event Log being dependent on another Service, especially not this service.

As I can't find any relevant info, I was wondering if anyone knows anything about this process/service and whether it is genuine.

It doesn't look OK to me at all. As you say, there is nothing in a search about eventm.exe that would indicate this is a legitimate file. Take down the server, flatten it, apply your most recent backup image. Or replace it with another server running your most recent backup image and take the compromised server off the network for forensic work. You need to determine where your perimeter security fell down and plug that hole or holes.

While I always try to clean a compromised home user's machine, I don't ever suggest doing this for a business - particularly for a server which must be known-clean and secure at all times.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
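The checks the original poster did by hand (where the binary lives, what its version resource claims to be, whether Event Log really depends on it) can be scripted so the answer comes from the file and the registry rather than from a web search. The following PowerShell is an added example written for this thread, not code from either poster; it assumes the display name "Event Manager" and the path c:\windows\system32\eventm.exe quoted in the question, and it only reads, so it is safe to run on a box that is being preserved for forensics.

```powershell
# Added example (not from the thread): read-only triage of a suspicious Windows service.
# Assumes the service display name quoted in the post; pass -ServiceName to check another one.
param(
    [string]$ServiceName = 'Event Manager'
)

# Resolve the service by display name or short name
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -eq $ServiceName -or $_.Name -eq $ServiceName }
if (-not $services) { Write-Warning "No service named '$ServiceName' found"; return }

foreach ($s in $services) {
    # PathName may be quoted and may carry arguments; reduce it to the executable on disk
    $exe = ($s.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    "Service : {0} ({1})" -f $s.DisplayName, $s.Name
    "Image   : {0}" -f $exe
    "Account : {0}" -f $s.StartName
    "Start   : {0}" -f $s.StartMode

    if (Test-Path -LiteralPath $exe) {
        $item = Get-Item -LiteralPath $exe
        $vi   = $item.VersionInfo
        "Descr   : {0}" -f $vi.FileDescription
        "Company : {0}" -f $vi.CompanyName
        "Created : {0}" -f $item.CreationTime
        "SHA256  : {0}" -f (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash

        # Genuine Microsoft service binaries carry a valid Authenticode signature
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        "SigState: {0}" -f $sig.Status
        "Signer  : {0}" -f $sig.SignerCertificate.Subject

        # "Services and Controller app" is the description of services.exe; any other
        # binary claiming it is the mismatch the question describes
        if ($vi.FileDescription -like '*Services and Controller app*' -and $item.Name -ne 'services.exe') {
            Write-Warning "File description impersonates services.exe: $exe"
        }
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
            Write-Warning "Binary is not validly signed by Microsoft: $exe"
        }
    }
    else {
        Write-Warning "Image path does not exist on disk: $exe"
    }

    # Event Log has no default dependency on a third service; a DependOnService entry
    # pointing at this service means someone edited the registry to add one
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    $dep = (Get-ItemProperty -Path $regPath -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    "EventLog DependOnService: {0}" -f $(if ($dep) { $dep -join ', ' } else { '<none>' })
    if ($dep -contains $s.Name) {
        Write-Warning "EventLog has been made to depend on $($s.Name); this is not a default dependency"
    }
}
```

Run it in an elevated PowerShell on the affected host (or against an offline image via the registry hive and file system), record the hash and signer for the incident notes, and keep the output rather than the server: as the reply says, the host itself should be rebuilt from a known-clean image once the evidence has been collected.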