
WScript.exe blocked from reading index.dat detections

Since late last week I began receiving detections like the one below from dozens of systems running VScan 8.7, Patch 2, running the ePO agent 4.0.0.1494, and being managed by ePO 3.6.1.255. I am the only person who manages ePO, and made no changes to the access protection settings, and don't understand how WScript.exe would even be related to the index.dat file since it only holds URL browsing information.  At first I assumed it was a false positive detection that would be resolved with a DAT the following day.  But a week later and I'm still getting buried with this detection.  I do not want to create an exclusion for WScript, or disable the setting until I know more about why this detection is being triggered.

Has anyone else seen/experienced similar detections over the past week, or have any idea why WScript would be trying to read the index.dat file?

12/29/2009 11:15:44 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
12/30/2009 11:17:14 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
12/31/2009 10:58:35 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read


Re: WScript.exe blocked from reading index.dat detections

As you mention, the index keeps records of visited URLs etc. Perhaps somehow some entry triggers VirusScan. Would it make a difference when you remove those index files from one test PC and give it a go? I know it's not a real solution, but maybe it can help.

You can also send a sample to McAfee to have it tested for false positives.


Re: WScript.exe blocked from reading index.dat detections

To submit false positives, follow KnowledgeBase article KB66642 - How to submit files to McAfee Labs to be considered for false positive testing

HTH


Re: WScript.exe blocked from reading index.dat detections

Go to Access Protection  -> Common Standard Protection -> Prevent common programs from running file from the temp folder.

If this is checked, it is possible that AV is not allowing the script to run, as from the logs this script runs from the temp folder.

Please confirm if this is happening.

McAfee

Nikhil

Message was edited by: nikhilk on 1/2/10 12:55:35 PM CST

Re: WScript.exe blocked from reading index.dat detections

This situation is very weird. I can't think of why wscript would be wanting to access the index.dat file.

I would find an affected PC, then run Sysinternals Process Monitor on it: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Create a filter with the process name of wscript

Then see what wscript is up to.


Re: WScript.exe blocked from reading index.dat detections

I checked the affected users' System Event Log files, and it would appear that the alerts began right after our system admins deployed approximately ten Windows Updates, one of which is the MS Malicious Removal tool.  That specific update is my main suspect.  However, I was unable to duplicate the problem on my own system when installing all of the same updates.  I've asked our admins to remove the Malicious Removal Tool from further updates, and have narrowed the number of affected systems to 35 users.  So, I'm continuing to collect as much information as I can.  Thanks for all the feedback!
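
An added triage example, not part of the thread and not McAfee code: it parses Access Protection log lines of the shape quoted in the first post and groups them by process, rule, target and enforcement state, then measures how tightly the events cluster by time of day. The field layout is an assumption inferred from those three lines only, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the three log lines quoted in the first post (user name already redacted).
SAMPLE_LOG = r"""
12/29/2009 11:15:44 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
12/30/2009 11:17:14 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
12/31/2009 10:58:35 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
"""

# Assumed layout: timestamp, verdict, optional note, process, target, "category:rule", action.
# Limitation: a target file name containing a space cannot be split from the category reliably.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<verdict>(?:Would be blocked|Blocked) by Access Protection rule)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s+"
    r"(?P<process>[A-Za-z]:\\.*?\.exe)\s+"
    r"(?P<target>[A-Za-z]:\\.*?)\s+"
    r"(?P<category>[^:\\]+):(?P<rule>.+?)\s+"
    r"Action blocked\s*:\s*(?P<action>\w+)\s*$",
    re.IGNORECASE,
)

def parse_log(text):
    """Return (events, rejects); unparsed lines are kept so a layout change is noticed."""
    events, rejects = [], []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            rejects.append(line)
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
        # "Would be blocked" means the rule only reports; nothing was actually denied.
        ev["enforced"] = not ev["verdict"].lower().startswith("would be")
        events.append(ev)
    return events, rejects

def summarize(events):
    """Count events per (process, category, rule, target file, action, enforced)."""
    name = lambda p: p.rsplit("\\", 1)[-1].lower()
    return Counter((name(e["process"]), e["category"], e["rule"],
                    name(e["target"]), e["action"], e["enforced"]) for e in events)

def time_of_day_spread_minutes(events):
    """Minutes between the earliest and latest time of day, ignoring the date."""
    secs = [e["when"].hour * 3600 + e["when"].minute * 60 + e["when"].second for e in events]
    return (max(secs) - min(secs)) / 60 if secs else None
```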
