I would really add that directory to your ignore list. The directory is going to always change, so I would also add it to the file integrity ignore list.
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Buechler
Sent: Sunday, November 04, 2007 11:20 AM
To: [email protected]
Subject: [ossec-list] Re: Windows rootcheck

On 11/3/07, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
> I have received the following error on a win 2003 svr with exchange 2003; how should I go about checking this?
>
> rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> NTFS Alternate data stream found: 'C:\/Program Files/Exchsrvr/Mailroot/vsi 1/Queue/NTFS_63bb493301c81d7f00000d86.EML:PROPERTIES-LIVE'. Possible hidden content.
>

This is your Exchange SMTP queue. It uses alternate data streams to function.

From http://technet.microsoft.com/en-us/library/bb124461.aspx

"Messages are categorized only once. For messages in the \Queue folder on the file system, the categorizer uses alternate data streams, a little known NTFS feature, to persist the MailMsg property stream, which includes message envelope and categorization information. Alternate data streams enable data storage in hidden files, which are linked to a visible file on an NTFS partition. When the SMTP service cannot transfer a message immediately and must retry at a later time, the message is saved and closed. Part of that operation involves saving the existing MailMsg property stream, so that it can be reloaded and used when the message transfer is retried. However, if you must categorize a message again (for example, if it is queued for a destination server that no longer exists) you will notice that categorization is not performed a second time."

So this is normal. I'm not familiar enough with OSSEC yet to tell you how to silence this, but hopefully somebody else will weigh in on that.

Chris
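The ignore-list advice at the top of this thread, written out as OSSEC configuration. This is an added example, not configuration posted in the thread or shipped by the OSSEC project: the rule id 100510 is an arbitrary choice from the local-rules range, the file locations (the agent's ossec.conf and the server's rules/local_rules.xml) are the usual defaults, and the Exchsrvr path is the one from the alert above. Rule 510 is the rootcheck rule named in the alert.

```xml
<!-- Added example (not from the thread): two settings that stop OSSEC
     alerting on the Exchange SMTP queue's alternate data streams while
     leaving every other rootcheck and syscheck finding intact.
     Rule id 100510 is an arbitrary local id (assumption). -->

<!-- 1. On the Windows agent, in ossec.conf (or a centralized agent.conf):
        keep file-integrity monitoring away from the queue directory.
        Exchange creates and deletes queue files constantly, so each scan
        would otherwise report a stream of changes that mean nothing. -->
<ossec_config>
  <syscheck>
    <ignore>C:\Program Files\Exchsrvr\Mailroot</ignore>
  </syscheck>
</ossec_config>

<!-- 2. On the OSSEC server, in rules/local_rules.xml: override rule 510
        with level 0 (no alert) only when the reported stream lives under
        the Exchange queue. An ADS found anywhere else on the host still
        fires the original level-7 rule. -->
<group name="local,rootcheck,">
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <match>Exchsrvr/Mailroot/vsi 1/Queue/</match>
    <description>Exchange 2003 SMTP queue stores MailMsg properties in NTFS ADS by design; not hidden content.</description>
  </rule>
</group>
```

Restart the agent after the syscheck change and the server after the rule change. The `<match>` is deliberately scoped to the queue path rather than to the "NTFS Alternate data stream found" message, so the override silences only the documented Exchange behaviour and a genuinely suspicious stream elsewhere on the server is still reported. Later OSSEC releases also accept an `<ignore>` element inside `<rootcheck>`; the rule override above does not depend on that, so it works on older versions too.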
