cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Firefox is triggering hundreds of false positives due to sqlite-wal files

Endpoints in my organization running Firefox will randomly trigger DLP alerts for SSN, Credit Cards or other policy and the evidence file is either cookies.sqlite-wal or places.sqlite-wal. These files are all located in the user's AppData Folder tree. I've been unable to stop it. When the policy is triggered, I never see a path so I'm unclear as to how or why it is happening. While I have policy that monitors file attachments in web browsers, users are not (and I verified) attaching these files to a file upload request. This is internal operations of the browser. I've checked the Windows Client Policy. Under Firefox there is an exclusion for some files under the system AppData folder. I've added .sqlite-wal to the list, no effect. Under the local user's AppData folder, it lists 'all files' so there is nothing to add. Is anyone else seeing this?
4 Replies
jsubbura
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: Firefox is triggering hundreds of false positives due to sqlite-wal files

Hi @notme12345 ,

Thank you for writing in here.

Could you please share us the configuration which you have made in the windows client configuration policy, may be a screenshot? 

And can you try to exclude the sqlite-wal file extension in the Rule's exception tab and see if that works for you?

 

Thank you.

Regards,
Jithendran S
McAfee Employee

Re: Firefox is triggering hundreds of false positives due to sqlite-wal files

we have the standard windows client policy. According to that policy, all files within the firefox appdata folders are supposed to be excluded.mcafee client policy.png

jsubbura
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: Firefox is triggering hundreds of false positives due to sqlite-wal files

Hi @notme12345 ,

thank you for the screenshot, your white-listed process policy should do the trick! 

However, can you try excluding the .sqlite-wal in the rule which is triggering the Incidents, sample exception creation is given below ,

Kindly try and share us the results.

web rule.PNGcontclass.PNGfileext.PNGsqlwaldef.PNG

 

Thank you.

Regards,
Jithendran S
McAfee Employee

Re: Firefox is triggering hundreds of false positives due to sqlite-wal files

Yes that is a solution, just the product is not working as it should. With the Windows Client policy configured to not look at files in the folders where these files exist, it should eliminate any need to add my own rule to perform this action.

 

McAfee Endpoint Development - do you see these? you need to check how your client policies work with respect to Firefox. Apparently it is not exempting the files in the Firefox AppData folders as specified by the policy.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community