Ticket #143 (closed test: fixed)

Opened 6 months ago

Last modified 6 months ago

False positive - dfrgntfs.exe process

Reported by: knwang Assigned to: knwang
Priority: normal Milestone:
Component: Excluded Registry/File/Process Version: none
Severity: none Keywords: dfrgntfs,false-positive,exclude,process
Cc:

Description (Last modified by knwang)

While browsing the following site:

http://maxfun.pl (Disclaimer: We cannot guarantee your safety if you choose to visit this known malicious URL)

VMid: 5dfeeec546bacce902908a1634

one of the honeyclients was compromised. Along with a malicious file (Backdoor.Win32.Sinowal.y), we also detected the following process:

C:\WINDOWS\system32\dfrgntfs.exe

The above process is a legitimate Windows XP process that is responsible for defragmentation of the hard drive.

This process should be marked as a false-positive in our white list.

Change History

(follow-up: ↓ 3 ) 03/04/08 11:27:21 changed by xkovah

Both Matt and I question the assertion that C:\WINDOWS\dfrgntfs.exe is a legitimate XP process in this context, for the following reasons:

1. It simply is strange to have it run at the same time as a known compromise since it serves no sensible purpose.
2. It's not on our MITRE-imaged laptops.
3. I have a local copy of Agent-Master-19 as my personal development environment, and it's presumably in the same lineage as whatever the current Agent-Master is, and it too has no C:\WINDOWS\dfrgntfs.exe.

So I'm wondering what the criteria were for saying this was legit? Were there no associated file write events prior to process execution? Does the exe exist on the clean Agent-Master? If it does, did we make new images between 19 and whatever the newest is? If not, you might want to do a binary search over the revisions in-between to see if it was added at some point before we were using capture?

And even if it turns out that the process itself is legitimate, I think the more appropriate action would be to search if there is a periodic defragment type event occurring, and disable it. That way, if for whatever reason, the exe is being launched by the malware, we still want to know that this is occurring.

03/04/08 12:11:56 changed by kindlund

To be clear, the false positive was NOT for this:

C:\WINDOWS\dfrgntfs.exe

But rather, for this:

C:\WINDOWS\system32\dfrgntfs.exe

This process is present on all valid Windows XP SP2 systems, including yours and the master VMs.

Here is some information about this process:

http://64.233.169.104/search?q=cache:http%3A%2F%2Fwww.experts-exchange.com%2FOperating_Systems%2FWinXP%2FQ_20977204.html

http://forums.techguy.org/windows-nt-2000-xp/230010-dfrgntfs-exe-when-idle.html
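The two points raised above (exclude only the exact system32 path, never any file called dfrgntfs.exe, and refuse the exclusion when a file write to that path preceded the launch in the same capture session) as an added Python example; this is not the honeyclient project's own code, and the event record format and function names are assumed:

```python
import re
from dataclasses import dataclass

# Exclusion list keyed on the full, normalised path, never on the bare file name.
EXCLUDED_PROCESSES = {r"c:\windows\system32\dfrgntfs.exe"}


def normalize(path: str) -> str:
    """Lower-case and collapse separators; Windows paths are case-insensitive."""
    return re.sub(r"[\\/]+", r"\\", path.strip()).lower()


@dataclass
class Event:
    ts: int      # seconds since session start (constructed field)
    kind: str    # "file_write" or "process_start" (assumed event kinds)
    path: str


def classify(events):
    """Return [(ts, normalised path, verdict)] for every process start.

    A process is excluded only if its full normalised path is on the list AND
    no file write to that same path was captured before the launch.
    """
    first_write = {}   # normalised path -> earliest write timestamp
    verdicts = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = normalize(ev.path)
        if ev.kind == "file_write":
            first_write.setdefault(p, ev.ts)
        elif ev.kind == "process_start":
            if p not in EXCLUDED_PROCESSES:
                verdicts.append((ev.ts, p, "suspicious: not on exclusion list"))
            elif p in first_write and first_write[p] < ev.ts:
                verdicts.append((ev.ts, p, "suspicious: binary written before launch"))
            else:
                verdicts.append((ev.ts, p, "excluded"))
    return verdicts


# Constructed sample events modelled on the two paths discussed in the ticket.
SAMPLE = [
    Event(5,  "process_start", r"C:\WINDOWS\system32\dfrgntfs.exe"),
    Event(8,  "file_write",    r"C:\WINDOWS\dfrgntfs.exe"),
    Event(9,  "process_start", r"C:\WINDOWS\dfrgntfs.exe"),
    Event(12, "file_write",    r"c:\windows\SYSTEM32\dfrgntfs.exe"),
    Event(13, "process_start", r"C:/Windows/System32/dfrgntfs.exe"),
]
```

Running `classify(SAMPLE)` excludes only the first launch; the non-system32 copy and the system32 binary that was rewritten just before its launch are both flagged.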

(in reply to: ↑ 1 ) 03/04/08 13:39:18 changed by knwang

Replying to xkovah:

Both Matt and I question the assertion that C:\WINDOWS\dfrgntfs.exe is a legitimate XP process in this context, for the following reasons: 1. It simply is strange to have it run at the same time as a known compromise since it serves no sensible purpose. 2. It's not on our MITRE-imaged laptops. 3. I have a local copy of Agent-Master-19 as my personal development environment, and it's presumably in the same lineage as whatever the current Agent-Master is, and it too has no C:\WINDOWS\dfrgntfs.exe. So I'm wondering what the criteria was for saying this was legit? Were there no associated file write events prior to process execution? Does the exe exist on the clean Agent-Master? If it does, did we make new images between 19 and whatever the newest is? If not, you might want to do a binary search over the revisions in-between to see if it was added at some point before we were using capture? And even if it turns out that the process itself is legitimate, I think the more appropriate action would be to search if there is a periodic defragment type event occurring, and disable it. That way, if for whatever reason, the exe is being launched by the malware, we still want to know that this is occurring.

Good questions. I have some more information to add to my original post. First of all, our honeyclients visited the exact same above URL on two separate instances, each time with different VMs. The resulting malware (installed on the VM honeyclient hosts) was the same in both cases. There was a difference though - one VM had the dfrgntfs.exe process running, and the other VM did not. This behavior made me suspect that it's possible Windows XP starts off the dfrgntfs.exe process every so often, to clean up the hard disk. If you'd like to compare, check out the difference between these two VMids:

c080c514b7ec7eebddf16e3943

5dfeeec546bacce902908a1634

03/04/08 14:08:59 changed by knwang

  • description changed.

03/05/08 18:48:03 changed by kindlund

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in r1275.