3 Replies Latest reply on Feb 1, 2010 9:35 AM by gitrdonegreg

    ldav.exe creating reg keys?

    Rookie

      Any reason why ldav would be creating entries in the registry? We have behavior-based security software (Cisco Security Agent) blocking this type of activity. I could see an AV product removing known malicious reg keys, but not creating keys of its own. There are also a few other process logs that were blocked. Here are a few examples of activity that was blocked, all initiated by ldav.exe:


      The process 'C:\Program Files\LANDesk\LDClient\Antivirus\ldav.exe'  attempted to access the registry key '\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f01b17a-57c5-4e89-9ee0-d417d7e2be26}', value ''. The attempted access was a write (operation = CREATE/KEY). The operation was denied.


      The process 'C:\Program Files\LANDesk\LDClient\Antivirus\ldav.exe'  attempted to insert code ('C:\WINDOWS\system32\hominaki.dll') into another process. All processes were targeted. The operation was denied.


      The process 'C:\Program Files\LANDesk\LDClient\Antivirus\ldav.exe'  attempted to access the registry key '\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', value ''. The attempted access was a write (operation = CREATE/KEY). The operation was denied.


      At first glance I would actually categorize this as malicious activity that ldav would block by quarantining the malicious file, not the other way around.


      Hope this makes sense.


      -Ricketts
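Added example, not code from the original thread or from LANDesk or Cisco: a small Python triage script that parses the three CSA event lines quoted above (re-typed here as constructed sample input) and flags the pairing a defender would look at first, an autostart-key write plus code injection coming from the same process. The regexes assume the CSA message wording exactly as shown in the post; the function names are my own.

```python
import re

# Constructed sample input: the three Cisco Security Agent events quoted in the post.
SAMPLE_LOG = r"""
The process 'C:\Program Files\LANDesk\LDClient\Antivirus\ldav.exe'  attempted to access the registry key '\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f01b17a-57c5-4e89-9ee0-d417d7e2be26}', value ''. The attempted access was a write (operation = CREATE/KEY). The operation was denied.
The process 'C:\Program Files\LANDesk\LDClient\Antivirus\ldav.exe'  attempted to insert code ('C:\WINDOWS\system32\hominaki.dll') into another process. All processes were targeted. The operation was denied.
The process 'C:\Program Files\LANDesk\LDClient\Antivirus\ldav.exe'  attempted to access the registry key '\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', value ''. The attempted access was a write (operation = CREATE/KEY). The operation was denied.
"""

# Message shapes assumed from the post; adjust if your CSA build words them differently.
REG_RE = re.compile(r"The process '(?P<proc>[^']+)'\s+attempted to access the registry key "
                    r"'(?P<key>[^']+)'.*?operation = (?P<op>[A-Z/]+)\)\. The operation was (?P<result>\w+)")
INJ_RE = re.compile(r"The process '(?P<proc>[^']+)'\s+attempted to insert code \('(?P<dll>[^']+)'\) "
                    r"into another process\..*?The operation was (?P<result>\w+)")

# Registry locations that give persistence at logon or browser start (Run, BHO).
AUTOSTART_MARKERS = (r"\CurrentVersion\Run", r"\Browser Helper Objects")


def parse_events(text):
    """Turn CSA log lines into dicts: kind, proc, target, op, result."""
    events = []
    for line in text.splitlines():
        m = REG_RE.search(line)
        if m:
            events.append({"kind": "registry", "proc": m["proc"], "target": m["key"],
                           "op": m["op"], "result": m["result"]})
            continue
        m = INJ_RE.search(line)
        if m:
            events.append({"kind": "injection", "proc": m["proc"], "target": m["dll"],
                           "op": "INSERT_CODE", "result": m["result"]})
    return events


def triage(events):
    """Return (severity, reason, event) for events an analyst should review."""
    findings = []
    for ev in events:
        if ev["kind"] == "injection":
            findings.append(("high", "code injection into other processes", ev))
        elif ev["op"].startswith("CREATE") and any(
                mk.lower() in ev["target"].lower() for mk in AUTOSTART_MARKERS):
            findings.append(("high", "creation of an autostart/persistence key", ev))
    return findings


def suspect_processes(findings):
    """Processes seen doing BOTH injection and autostart writes. A known-good binary
    showing that pairing (ldav.exe here) deserves a hash/signature check, not an allow rule."""
    by_proc = {}
    for _, _, ev in findings:
        by_proc.setdefault(ev["proc"], set()).add(ev["kind"])
    return sorted(p for p, kinds in by_proc.items() if kinds >= {"injection", "registry"})
```

Comparing file size alone, as the later reply does, is a weak integrity check; compare a hash of the binary against a clean install or the vendor's published value.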


        • 1. Re: ldav.exe creating reg keys?
          Rookie

          One update, I did notice that the reg keys that LDAV was trying to create (or so it looks like) were associated with the virus that eventually was quarantined.


          Kaspersky: Trojan.Win32.ExeDot.cff


          Article on ThreatReport: http://www.threatexpert.com/report.aspx?md5=81b6b84e438551702864df108d32da46


          *Notice the reg keys listed at the bottom. This variant was just discovered yesterday and posted on the virus watch website. Just trying to get an idea of what ldav's true role was in this situation. Was it trying to quarantine the reg keys/files? Could LDAV have been hijacked and used to infect the local system? Questions I don't like having bounce around in my head right before Friday afternoon happy hour.

          • 2. Re: ldav.exe creating reg keys?
            LANDave SupportEmployee

            LDAV.EXE does not do much activity that should be touching the registry.  LDAV.EXE is simply the user interface.


            Softmon.EXE does have code to modify \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.


            However, I do get the feeling that this is malicious activity that LANDesk Antivirus is not detecting.

            • 3. Re: ldav.exe creating reg keys?
              Rookie

              Dave, I agree. Have there been any reports of LDAV.exe getting hijacked? I checked the file sizes of ldav.exe on the machine and on an unsuspecting machine; both matched, so I don't initially think the executable had been replaced. Could the executable itself have a vulnerability that allows other processes to inject code into it?