
June 7th, 2011 13:00

hidden.app

Hello all, I was wondering if anyone has seen this before.

I am receiving many (thousands) event id 560's in my security logs regarding successful "object" access to a file called hidden.app within different users' personal folders/drives. I have CIFS which contain many user mapped drives and data but home directory option is not setup.  I simply have shares/exports designated for individuals. The alert for these 560s is being reported via our RSA enVision product.

Interestingly the hidden.app file appears and reappears without intervention.  I have been looking for details on this file and file type and haven't turned up any good results yet.

Does anyone know what this might be?  Is it Celerra specific, or is it as I think some profile based app call to a user's mapped drive.

Celerra NS42G

v5.6.49.3

4 Operator

 • 

8.6K Posts

June 8th, 2011 09:00

It's not Celerra specific – must be one of your client applications

Rainer

June 8th, 2011 10:00

Do you have Mac users in your environment?  hidden.app is an application for Macs, designed to help in the retrieval of stolen laptops.  This might be the application, leaving "evidence" behind.  Check with your users and see if this is the case.

Karl


July 7th, 2011 09:00

Did you find out what it was?

Rainer

44 Posts

July 12th, 2011 06:00

Rainer - sorry for the late response.  Yes, my security team mentioned and believed it was a new client management software they had recently deployed.  Tivoli/Bigfix.  I was told to not investigate further and given few specifics.

Thanks again.


July 12th, 2011 07:00

Sounds like security through obscurity ☺
