wallace1819
Level 7

file:///<SYSTEM>

Howdy,

We are in the process of implementing the Access Protection rules in HIPS. As we work through adding exclusions for our environment, I see a number of alerts where the source is <SYSTEM> and file:///<SYSTEM>.

Threat Source User Name: NT AUTHORITY\SYSTEM
Threat Source Process Name: <SYSTEM>
Threat Source URL: file:///<SYSTEM>

The most common rules triggering are:

Access Protection - Prevent modification of McAfee files and settings

Access Protection - Prevent programs registering to autorun

Access Protection - Protect network settings

After looking into the alerts, they appear to be legitimate setting changes that we need to exclude.

What causes this vague source description?

I understand "NT AUTHORITY\SYSTEM", but I'm a little reluctant to create exclusions based on <SYSTEM> and/or file:///<SYSTEM> without understanding what this means.

The systems involved are using the following:

Agent: 4.8.0.1500
VirusScan Enterprise: 8.8.0.1247
Host Intrusion Prevention: 8.0.0.2919
SiteAdvisor Enterprise Plus: 3.5.0.1121


Thanks,

Jason
