
file:///<SYSTEM>

Howdy,

We are in the process of implementing the Access Protection rules in HIPS. As we work through adding exclusions for our environment, I see a number of alerts where the source is <SYSTEM> and file:///<SYSTEM>.

Threat Source User Name: NT AUTHORITY\SYSTEM
Threat Source Process Name:<SYSTEM>
Threat Source URL:file:///<SYSTEM>

The most common rules triggering are:

Access Protection - Prevent modification of McAfee files and settings

Access Protection - Prevent programs registering to autorun

Access Protection - Protect network settings

After looking into the alerts, they appear to be legitimate setting changes that we need to exclude.

What causes this vague source description?

I understand "NT AUTHORITY\SYSTEM", but I'm a little reluctant to create exclusions based on <SYSTEM> and/or file:///<SYSTEM> without understanding what this means.

The systems involved are using the following:

Agent: 4.8.0.1500
VirusScan Enterprise: 8.8.0.1247
Host Intrusion Prevention: 8.0.0.2919
SiteAdvisor Enterprise Plus: 3.5.0.1121


Thanks,

Jason
