1.0.0 RC 18 upsets my host IDS.

Post by bstiff » 2004-07-02 21:28

My company uses the Cisco Security Agent for Host Intrusion Detection. When I open an UltraVNC session (version 1.0.0 RC18), my host IDS alarms with the following message:

"The process "c:\program files\ultravnc\vncviewer.exe" is attempting to insert the code in "c:\program files\ultravnc\vncviewer.exe" into all running processes. This may be symtomatic of a trojan. To prevent further execution, choose "terminate""

If I say "don't terminate", the session runs fine.

Any guesses why my host IDS is seeing this activity?

Thanks,
B

Post by Rudi De Vos » 2004-07-02 21:43

The scroll_lock + special key trick.
If scroll lock is activated, special keys like (alt_tab) are sent to the server instead of being handled as a local special key.

The only way you can capture those special keys is by inserting a hook that captures keyboard input before it reaches any application. If scroll_lock is active, the key is handled by the viewer; else the key is sent to the normal application.

Please check the viewer.exe for any virus infection, but I'm almost sure that the key hooking is causing the alarms to react.
Rudi De Vos
Admin & Developer

