We have ePO 5.1 and VSE 8.8 Patch 4, Internet Explorer 11, Windows 7 Professional 64-bit. Common Standard Protection: Prevent common programs from running files from the Temp folder is configured to just report these events, and now we have a lot of events where Threat Source Process Name is IEXPLORE.EXE and Threat Target File Paths are:
..\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
..\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
..\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat
and so on
All of these files are non-executable; why are these events reported and how can we prevent them?
Message was edited by: artuha on 5/29/14 1:46:43 AM CDT
Moving to VirusScan for better attention.
I have the same issue with Anti-spyware Maximum Protection: Prevent execution of scripts from the Temp folder.
The threat source process is usually cscript.exe and the target is usually in a local settings or app data temp folder like History.IE5 or Content.IE5, or Cookies, and is reading a .dat file.
It sounds like those files are "cookies" (temp files created when surfing the net), and they try to run when navigating websites, which triggers AP. I would not recommend creating an exclusion for IEXPLORER.exe, as it can be a security risk.
You could open a case with McAfee, but I am sure they will say that the product works as designed.
You are right. Answer from McAfee support:
Access Protection is doing what it is designed for; however, I am wondering why Iexplorer.exe is trying to create SuggestedSites.dat and counters.dat in the temp location?
Then, you are right, you should open a case with Microsoft to get a clear picture of why the files are being created in the tmp folder.
First, if you don't want to see those events you can simply disable them in the server settings. I wouldn't recommend doing that though. If you and your team know those particular files are not legitimate you could create a new On Demand Scan that looks for those files and deletes them.
Just throwing some ideas out there.
Just to confirm that also in the installation I administer we have more than 100,000 events like this per day on a base of about 1000 McAfee agents: annoying, or it even makes this reporting not useful...