cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 10
Report Inappropriate Content
Message 1 of 23

VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

     Last Friday I updated a Windows 7 Enterprise x64 system from VSE Patch 2 to Patch 4 and MA 4.6 to 4.8 P2 (stand alone, not managed by ePO).  Today when the user came in, they are receiving multiple warnings about counters.dat, which did not show up previously in the AccessProtectionLog.txt:

3/31/2014    12:44:57 PM    Would be blocked by Access Protection rule  (rule is currently not enforced)     domain\username    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE    C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat    Common Standard Protection:Prevent common programs from running files from the Temp folder    Action blocked : Execute

The only search results turned up another recent discussion Can I exclude .dll files? at https://community.mcafee.com/message/325562#325562 .  This thread doesn't indicate which version of VSE and patch level they are using.  Other recent VSE 8.8 P4 threads indicated problems with BOF and older versions of IE, but we are using IE 10 on a x64 system that doesn't support BOF.  I'll try having the user clear their IE cache and rebooting to see if the errors continue.

22 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

Trying to speak to this from a VSE perspective, I can assure you the AP log entry is correct - that IExplore.exe is opening the "counters.dat" file with an AccessMask that includes "Execute" privilege. And since the file exists in a folder that matches the rule definition... **\Temp*... you get a hit. But the rule is only set to warn so nothing is actually blocked.

If you didn't see the same behavior with 8.8 Patch 2, it sounds like either -

- IExplore.exe's behavior changed, perhaps in its AccessMask

- the AP rule has changed, being recently enabled for example.

Otherwise, it makes as much sense to me as it does to you .

We have a tool that will give us deeper insight into the calculation/evaluation of the rule being violated; we could look into that (via McAfee Support) and we'd need a comparable data collection with 8.8 Patch 2, assuming Patch 2 really is behaving differently.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Highlighted
Level 9
Report Inappropriate Content
Message 3 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

I would also note......... I see this issue, only after upgrading to VSE 8.8 Patch 4. I currenlty have BOF Disabled, I still see it...We are in a mixed IE9 & IE11 Environment, Not sure yet if we see it on both. We are in the process of standardizing with IE11. As our IE11 Deployment is pretty much at the same time as the VSE 8.8 P4 Deployment. i would also note our IE Favorites are redirected to a network share, Not sure why this would have anything to do with it but who knows...

I do believe however, its an IE10 & IE11 issue as I believe they changed the index.dat situation....

I have not found a solution

Message was edited by: pwolfe on 4/21/14 6:07:15 PM GMT-08:00

Message was edited by: pwolfe on 4/22/14 8:10:01 AM GMT-08:00
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

We also observe thousands of events with counters.dat detected as run from TEMP by IE.

We consider this as false-positive, however it not possible to exclude .dat files, and excluding IE process is not a good idea.

Any solution?

Highlighted
Level 9
Report Inappropriate Content
Message 5 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

No solution yet

Still hundreds and thousands of events.....

Highlighted
Level 11
Report Inappropriate Content
Message 6 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

A year later and no solution? We updated to patch 4 this past Monday and we are getting lots of  these events as well. Nothing in patch 2, but everything in patch 4. Something changed in patch 4 to allow this. Did somebody open up an SR?

Highlighted

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

Hi All,

Did someone found a workaround for those alerts? At least did someone build a SQL query to delete those events from the database?

Highlighted
Level 7
Report Inappropriate Content
Message 8 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

*monday bump* No solution for this yet?

We see counters.dat events from both the "Common Standard Protection:Prevent common programs from running files from the Temp folder" and the "Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder". The first one increased a lot since upgrading to VSE patch 4.

Highlighted
Level 7
Report Inappropriate Content
Message 9 of 23

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

*bump*

Still no solution to this?  same issue appeared here on 8.8 patch 4

Highlighted

Re: VSE 8.8 P2 upgrade to P4 now causing alerts about running counters.dat

Bump,

Having exact same issue as described in this topic. Anyone found a solution?

McAfee support ignores my ticket?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community