I will try to explain the issue in basic terms so there is no confusion
User: Zorro logs on multiple systems and the user profiles are saved at %SYSTEMROOT%\CSC folder
7/1/15 - User-defined rule was put in place to block crypto_notes.txt (example) and the system did get the policy (verified)
7/5/15 - User logged on system 1234 the last time (verified) - The system was NOT shut down
7/30/15 - We get an Access Protection Rule violation alert coming from %SYSTEMROOT%\CSC\USERS\Zorro\*\*\crypto_notes.txt
My confusion is:
The user has not logged on in over 3 weeks; how can we get an access protection alert now?
We have had On-demand scan running on this system twice daily for all local drives also. ODS did not pick up the user defined rule.
Can someone assist in solving this mystery? Thank you in advance.
A user doesn't have to log on for their credentials to be used. An intelligent piece of malware can obtain someone's credentials and then use them at its leisure.
You should not expect ODS running twice daily to know about User defined AP rules. They are completely separate features.
Maybe you were expecting the ODS to find this crypto_notes.txt file? That warrants a lot of follow up questions best left between you and a support person, if it's something you'd like to work through.
Here is what I have determined so far:
With that being said...
What is being triggered on the machine that is causing an alert after 3 weeks: a potential malware that McAfee does not have a signature for.
What is being triggered on the machine that is causing an alert after 3 weeks: a potential malware that McAfee does not have a signature for.
Yes, that's a possibility.
You should look at the timestamp of the event, i.e. when was the event created (rather than when was the event received).
That will tell you if you're looking more at a potential threat using someone's credentials, or if it's an old event that finally reached you.
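One way to apply that timestamp check, as an added example that is not from this thread or from McAfee: a small Python triage over constructed Access Protection events, comparing each event's generated time with its received time and with the user's last verified logon. The event fields, the 17:00 logon time on 7/5 and the one-day lag threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data modelled on the thread (not real console output):
# the last verified interactive logon per host, and Access Protection (AP)
# events carrying both the time the client generated them and the time the
# management server received them.
LAST_LOGON = {"1234": datetime(2015, 7, 5, 17, 0)}  # assumed logon time

CONSTRUCTED_EVENTS = [
    # Fresh event: generated 7/30, received two minutes later.
    {"host": "1234", "generated": datetime(2015, 7, 30, 2, 10),
     "received": datetime(2015, 7, 30, 2, 12),
     "path": r"C:\Windows\CSC\USERS\Zorro\a\b\crypto_notes.txt"},
    # Old event: generated during the 7/5 session, delivered only on 7/30.
    {"host": "1234", "generated": datetime(2015, 7, 5, 16, 30),
     "received": datetime(2015, 7, 30, 2, 12),
     "path": r"C:\Windows\CSC\USERS\Zorro\a\b\crypto_notes.txt"},
]


def triage(event, last_logon, max_lag=timedelta(days=1)):
    """Classify one AP event using the advice given in the thread.

    A generation time at or before the last logon means the event belongs to
    an earlier session and only reached the server late; a generation time
    after the last logon means something touched the file with no interactive
    session, which is the case worth an incident-response look.
    """
    lag = event["received"] - event["generated"]
    if event["generated"] <= last_logon:
        verdict = "stale_event"
    else:
        verdict = "activity_after_last_logon"
    return {"verdict": verdict, "lag": lag,
            "delayed_delivery": lag > max_lag,
            # Flag hits in the offline-files cache, as in the original alert.
            "offline_cache_path": "\\CSC\\" in event["path"].upper()}


def triage_all(events=CONSTRUCTED_EVENTS, last_logon=LAST_LOGON):
    return [triage(e, last_logon[e["host"]]) for e in events]


if __name__ == "__main__":
    for e, r in zip(CONSTRUCTED_EVENTS, triage_all()):
        print(e["generated"], r["verdict"], "lag:", r["lag"],
              "delayed:", r["delayed_delivery"])
```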