Description: This event is generated when an mstream handler attempts to identify active agents.
Impact: Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent.
Corrective: Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. Rebuild a confirmed compromised host. Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.