
Threat Prevention Microsoft Outlook VEVENT Vulnerability

We are getting 1000's of these alerts on ePO:

DOMAIN\username ran C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, which tried to access the file C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\40AC49C8\CalendarSync[5].ics, violating the rule "Microsoft Outlook VEVENT Vulnerability", and was blocked.

Our users have access to an internet calendar and it looks like every time Outlook refreshes the calendar, we get a batch of these alerts.

I've tried adding the file as an exclusion in our Exploit Prevention policy, but we still get the alerts. Does anyone know how I can prevent this?

Accepted Solutions
Former Member
Message 4 of 8

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

Thank you for responding. Great, in that case, please disable this rule as leaving it enabled will cause many false positive events.

Also please see my previous answer in regards to why that exclusion won't have worked for you.

7 Replies
Former Member
Message 2 of 8

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

Hi @LorettoSchool 

May I ask which version of Outlook your users are running? The reason I ask is that this rule should only be enabled if you are using Outlook 2002 and 2003. If you are not using these versions, you need to disable this rule.

Which exclusion did you add, btw? For any ENS component, you can only exclude the SOURCE process and not the target. In this case it would be outlook.exe, which, if you set it, would leave the rule completely pointless.

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

Thanks for replying.  We are running Outlook 2019, version 1808.

I added a Files-Processes-Registry exclusion, adding the following file name: calendar*.ics

I used the wildcard, as the file name seems to be different for some users. 

SWISS
Reliable Contributor
Message 5 of 8

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

https://de.wikipedia.org/wiki/ICalendar

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-003

You can always filter on the ePO. Or write an SQL query which filters them. Or McAfee do their work and give out an IPS recommendation table (what to turn ON and OFF) based on

a) OS/Office version b) industry c) risk behavior

and the customer implements that. Maybe an ONLINE CHECKBOX form that generates an XML policy for ENS you can import? No, not going to post to Ideas… It would save 1'000'000 hrs of support worldwide.

NO, disabling the RULE is not VERY SMART. That's NOT what we pay you guys for, so we disable 50% of what we pay for. The exploit came back and back, as we understood.

* Why does the RULE itself not check if Outlook version X is installed? We understand that the IPS engine maybe can't do that. But we ASSUME that if you have a product with so many MODULES you can POST-PROCESS the events on the client. Or let's assume the ePO has the info for Office (it has the OS info) and then filters automatically.

* What if he has 2'000 OF2016 and 2 DMZ machines with an old Office version?

* If a user sends an INVITATION through e-mail and includes an ICS appointment file, this is the triggering rule. There is a LEAK VEVENT which misuses the ICS file to import MALWARE with the .ICS attachment file.

Former Member
Message 6 of 8

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

@SWISS this is actually written into the signature description within ePO. For this one specifically, it says for Outlook 2002 and 2003 only, as Microsoft have addressed the vulnerability in higher versions.

You will see such a description for each signature.

AdithyanT
McAfee Employee
Message 7 of 8

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

Hi @LorettoSchool,

Thank you for your post. This Exploit Prevention rule is in place to protect against the VEVENT vulnerability. This is explained here.

As seen in the above KBA, only Outlook versions 2000 - 2003 SP2 are affected. From Outlook 2007 onwards, this vulnerability is not something you should worry about. May I know the version in use?

Thanks and regards,
Adithyan T

Re: Threat Prevention Microsoft Outlook VEVENT Vulnerability

Thanks for replying.  We are running Outlook 2019, version 1808.
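
The replies above tie this rule to old Outlook versions, and one poster asks about a fleet of mostly new Office plus a few old machines. As an added example (not from the thread and not McAfee code), the sketch below triages exported event messages in the format quoted in the first post, using the `OfficeNN` install folder as a version hint. It assumes the default folder naming (Office10 for Outlook 2002, Office11 for Outlook 2003); anything without a numbered folder is sent to manual review. The sample events are constructed.

```python
import re
from collections import Counter

def _event(user, process, target):
    # Builds a constructed message in the format quoted in the thread.
    return (f'{user} ran {process}, which tried to access the file {target}, '
            'violating the rule "Microsoft Outlook VEVENT Vulnerability", and was blocked.')

SAMPLE_EVENTS = [  # constructed sample data, not real alerts
    _event(r'DOMAIN\alice', r'C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE',
           r'C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\AAAA0001\CalendarSync[5].ics'),
    _event(r'DOMAIN\alice', r'C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE',
           r'C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\AAAA0001\CalendarSync[6].ics'),
    _event(r'DOMAIN\dmzsvc', r'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE',
           r'C:\Temp\invite.ics'),
    _event(r'DOMAIN\bob', r'D:\Apps\Outlook\OUTLOOK.EXE', r'C:\Temp\meeting.ics'),
]

EVENT_RE = re.compile(
    r'^(?P<user>\S+) ran (?P<process>.+?), which tried to access the file (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)\.$')
OFFICE_DIR_RE = re.compile(r'\\Office(\d+)\\OUTLOOK\.EXE$', re.IGNORECASE)
AFFECTED_MAX_MAJOR = 11  # assumption: Office11 (Outlook 2003) is the newest affected folder

def classify(line):
    """Parse one event message; return its fields plus a verdict, or None if unparsed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ver = OFFICE_DIR_RE.search(m['process'])
    major = int(ver.group(1)) if ver else None
    if major is None:
        verdict = 'review'  # custom path, or an unnumbered "Office" folder
    elif major <= AFFECTED_MAX_MAJOR:
        verdict = 'keep-rule'
    else:
        verdict = 'likely-false-positive'
    return {**m.groupdict(), 'office_major': major, 'verdict': verdict}

def summarize(lines):
    """Count events per (verdict, user) so noisy sources and real exposure stand out."""
    counts = Counter()
    for line in lines:
        ev = classify(line)
        counts[('unparsed', None) if ev is None else (ev['verdict'], ev['user'])] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE_EVENTS).most_common():
        print(n, key)
```

Any `keep-rule` or `review` entry is a machine to check before the rule is disabled in the policy assigned to it.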
