Why would RaKrnlNT.SYS be receiving redirected system calls (message logged

p-lees
Level 1

Does anyone know what RaKrnlNT.SYS is on a Windows XP machine?

I keep seeing logs from our IDS system showing that this file is having system calls redirected to it. I am also seeing similar logs for the following file: WNT_FAL.sys.

Anyone have any thoughts?

The full log output is:

The system call table (index 0) has changed. One of the 1 changed entries is at entry 240. This means that a system call has been redirected inside the kernel. The new destination of the system call is in module 'C:\WINDOWS\System32\Drivers\RaKrnlNT.SYS'. If this is unexpected, then the system should be carefully examined for evidence of a trojan or rootkit. The hash of this module is 'E1D984B32A54792D25605C42A438DEC39E45784C', and the version number is 4.50.23508.0

1 Reply
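As an added example (not from the original post or from any vendor tool), a small Python triage script that parses the alert format quoted above and checks the reported driver name and hash against an allow-list of drivers the admin has already verified against vendor-supplied copies. The allow-list entry and the two extra sample lines are constructed for the demonstration.

```python
import re
from ntpath import basename

# Regex for the IDS alert format quoted in the post above (named groups: table
# index, entry number, module path, hash, version).
PATTERN = re.compile(
    r"system call table \(index (?P<table>\d+)\) has changed\."
    r".*?is at entry (?P<entry>\d+)\."
    r".*?in module '(?P<module>[^']+)'"
    r".*?hash of this module is '(?P<sha1>[0-9A-Fa-f]{40})'"
    r", and the version number is (?P<version>[\d.]+)"
)

def parse_event(line):
    """Return a dict for a redirected-syscall alert, or None if the line is not one."""
    m = PATTERN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["table"], ev["entry"] = int(ev["table"]), int(ev["entry"])
    ev["sha1"] = ev["sha1"].upper()
    return ev

def triage(ev, allow_list):
    """Check (driver file name, reported hash) against admin-verified drivers."""
    expected = allow_list.get(basename(ev["module"]).lower())
    if expected is None:
        return "unknown driver hooking the syscall table: investigate"
    if expected != ev["sha1"]:
        return "known driver name but hash mismatch: investigate"
    return "known driver, hash matches allow-list"

# Constructed allow-list: the hash is copied from the post and stands in for a
# value the admin has confirmed against the vendor's own copy of the driver.
ALLOW_LIST = {"rakrnlnt.sys": "E1D984B32A54792D25605C42A438DEC39E45784C"}

# Constructed samples: the alert quoted in the post, then two variants (a driver
# missing from the allow-list; a known name reporting a different hash).
ALERT = ("The system call table (index 0) has changed. One of the 1 changed entries is at "
         "entry 240. This means that a system call has been redirected inside the kernel. "
         "The new destination of the system call is in module "
         "'C:\\WINDOWS\\System32\\Drivers\\RaKrnlNT.SYS'. If this is unexpected, then the "
         "system should be carefully examined for evidence of a trojan or rootkit. The hash "
         "of this module is 'E1D984B32A54792D25605C42A438DEC39E45784C', and the version "
         "number is 4.50.23508.0")
SAMPLE_LOGS = [ALERT, ALERT.replace("RaKrnlNT.SYS", "unknown.sys"),
               ALERT.replace("E1D984B32A54792D25605C42A438DEC39E45784C", "0" * 40)]

def triage_logs(lines, allow_list=ALLOW_LIST):
    """Parse each alert; return (module, entry, verdict) for the lines that match."""
    return [(e["module"], e["entry"], triage(e, allow_list)) for e in map(parse_event, lines) if e]
```

The verdict only tells you whether the driver is one you have already vetted; a matching hash still assumes the allow-list was built from a trusted copy, not from the possibly compromised host itself.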

umedryk
Level 5

See if changing the rtvscan rules would work.
