Re: Unknown Process/Service: eventm (Event Manager)

Alergy wrote:

We had a security breach on a server yesterday. Looking through the
processes, the following process caught my eye:

It's properties call it the "Services and Controller app" and it runs
as a Service called "Event Manager". The Service is a dependency for
Event Log.

It all looks ok, but the following things concern me:

- I cannot find any information from Google or the Microsoft site on
the service or the process.
- I have never seen Event Log being dependent on another Service,
especially not this service.

As I can't find any relevant info, I was wondering if anyone knwos
anything about this process/service and whether it is genuine.

It doesn't look OK to me at all. As you say, there is nothing in a
search about eventm.exe that would indicate this is a legitimate file.
Take down the server, flatten it, apply your most recent backup image.
Or replace it with another server running your most recent backup image
and take the compromised server off the network for forensic work. You
need to determine where your perimeter security fell down and plug that
hole or holes.

While I always try to clean a compromised home user's machine, I don't
ever suggest doing this for a business - particularly for a server which
must be known-clean and secure at all times.

First. Always when you see suspicious process try find it on this site: (BTW it know nothing about your eventm.exe).

Second. Find out time when this file was copied on your server - if you
remember, that there were no program installation at that time, so there
is great probability, that this is some trojan.

Third. With netstat utility or tcpview from wininternals try to find out
is there some network connections initiated by this service (or if it
listens for some port) - if so, and you sure that this is not what you
want - there is even more great probability, that you catch trojan.

Fourth - disable this service (if I understand right, this process
installed itself as a service), if all working fine - try to remove it
completely (with sc utility for example).

With best regards
Nickolay Domukhovsky, MCSA