HIPS/3/ROOTKITATTACK

Message

HIPS/3/ROOTKITATTACK: Rootkit has been detected. (eventCategory=[event-category], occurTime=[occurTime], result=[result], rootkitName=[rootkitName], detectionType=[detectionType], detectedThreat=[detectedThreat], detectionSource=[detectionSource], slot=[slot], card=[card], cpu=[cpu], barcode=[barcode])

In VS mode, this log is supported only by the admin VS.

Description

A malicious rootkit file has been detected. A rootkit is a tool that an attacker uses to hide traces and retain root access permissions during an attack. A rootkit attack has long-lasting, persistent effects. The attacker can use the rootkit to hide files, processes, network connections, and kernel modules, and to obtain the highest permission on the host.

Parameters

| Parameter Name | Parameter Meaning |
|---|---|
| event-category | Event classification: 1016: NE intrusion alarm |
| occurTime | Time when the event occurs. |
| result | Result. |
| rootkitName | Rootkit name. |
| detectionType | Detection type: known-directory, known-file, known-symbol, possible-string, possible-file |
| detectedThreat | File mode. |
| detectionSource | Matched source information. |
| slot | Slot ID. |
| card | Subcard ID. |
| cpu | CPU ID. |
| barcode | Barcode that uniquely identifies a board. |
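The following Python parser is an added example, not Huawei code. It extracts the fields of the message format above, checks detectionType against the listed values, and groups detections by board barcode so the affected boards can be identified before the log information is submitted. The sample lines and all field values in them are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Field names in the order the message template above gives them.
FIELDS = ["eventCategory", "occurTime", "result", "rootkitName", "detectionType",
          "detectedThreat", "detectionSource", "slot", "card", "cpu", "barcode"]
# detectionType values listed in the Parameters section.
DETECTION_TYPES = {"known-directory", "known-file", "known-symbol",
                   "possible-string", "possible-file"}
BODY = re.compile(r"HIPS/3/ROOTKITATTACK:[^(]*\((.*)\)\s*$")
# Split only on ", " that is followed by a known field name, so commas or
# spaces inside a value (a timestamp, a path) do not break the parse.
SEP = re.compile(r", (?=(?:%s)=)" % "|".join(FIELDS))


def parse_rootkit_log(line):
    """Return a dict of the message fields, or None if the line is another log."""
    m = BODY.search(line)
    if not m:
        return None
    rec = dict(p.split("=", 1) for p in SEP.split(m.group(1)) if "=" in p)
    rec["_missing"] = [f for f in FIELDS if f not in rec]
    rec["_unknown_type"] = rec.get("detectionType") not in DETECTION_TYPES
    return rec


def boards_to_isolate(lines):
    """Group (rootkitName, detectionType, detectionSource) by board barcode."""
    boards = defaultdict(list)
    for line in lines:
        rec = parse_rootkit_log(line)
        if rec:
            boards[rec.get("barcode", "unknown")].append(
                (rec.get("rootkitName"), rec.get("detectionType"),
                 rec.get("detectionSource")))
    return dict(boards)


# Constructed sample lines; every value is invented for illustration.
_FMT = ("HIPS/3/ROOTKITATTACK: Rootkit has been detected. (eventCategory=1016, "
        "occurTime=2024-01-01 10:00:00, result=detected, rootkitName=ExampleKit, "
        "detectionType=%s, detectedThreat=0755, detectionSource=%s, "
        "slot=1, card=0, cpu=0, barcode=EXAMPLEBOARD01)")
SAMPLE = [_FMT % ("known-file", "/tmp/.example, hidden"),
          _FMT % ("possible-string", "example-marker"),
          "OTHER/4/EXAMPLE: unrelated message (a=b)"]

if __name__ == "__main__":
    print(boards_to_isolate(SAMPLE))
```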

Possible Causes

A system file that matches rootkit characteristics is detected on the device.

Procedure

Isolate the device from the network immediately and submit the log information to Huawei engineers for analysis.

Copyright © Huawei Technologies Co., Ltd.