5 Replies Latest reply on Mar 17, 2010 2:31 PM by jguenrdc

    Common Standard Protection:Prevent common programs from running files from the Temp folder

      We are getting a lot of the following alerts from VSE 8.5: 'prevent common programs from running from temp folder'

       

      An example is as follows: 'C:\Documents and Settings\xxx.xxxx\Local Settings\Temp\Z@RB5.tmp'

       

      McAfee ePO 4.0 doesn't tell me what file type is being blocked, as it's a temporary file. Is there a way of knowing what is being blocked and why?

       

      Regards in advance,

       

      Michael

       

       

      Message was edited by: DSFC on 16/03/10 09:46:29 CDT
        • 1. Re: Common Standard Protection:Prevent common programs from running files from the Temp folder

          Those files are created/used by Adobe Reader when you print PDF files from within IE.  I don't remember now whether we started getting those notices when Adobe released Reader version 9 or when McAfee released VSE version 8.7.

           

          Jay

          • 2. Re: Common Standard Protection:Prevent common programs from running files from the Temp folder

            Hi Jay,

             

            Thanks for the reply!

             

            I did a search with Google last night before I got your post, as I noticed the alerts were in the same format, i.e.

             

            C:\Documents and Settings\xxx.xxx\Local Settings\Temp\Z@Rxxx.tmp

             

            I looked up Z@Rxxx.tmp files and saw a forum relating these files to Adobe Reader.

             

            I have VSE 8.5i, so I imagine it's Adobe Reader 9 that causes these alerts. Why does VSE 8.5i insist on blocking them if they're harmless? No update from Adobe / McAfee?

             

            Michael

             

             

            Message was edited by: DSFC on 17/03/10 07:55:23 CDT

             

             

            Message was edited by: DSFC on 17/03/10 07:57:24 CDT
            • 3. Re: Common Standard Protection:Prevent common programs from running files from the Temp folder

              The access protection rule is "prevent common programs from running from temp folder", so apparently IE/Reader is creating the file and then trying to access it using permissions that include execute.  You can define processes to exclude from the rule, but in this case the process is IE, not Reader, and letting IE run programs in the temp folder is risky.  It would be nice if there was a way to exclude file names from access protection rules, not just processes.  Then you could exclude files like Z@R*.*.  I haven't had time to do any official dialog with McAfee (or Adobe) about this, I've just been ignoring the warnings.  However, we only have 3 or 4 people that generate these warnings, and even then it is only 5-10 warnings once or twice a week.

               

              Jay

              • 4. Re: Common Standard Protection:Prevent common programs from running files from the Temp folder

                What we propose to do is delete the records from the SQL database, as we have over 300 alerts (over 3 days) and it impairs our ability to check 'real' security threats.

                 

                I have recently started working in a sixth form college (300+ users) and am only just getting to grips with ePO 4.0 / VSE 8.5, and it's okay for the most part. My real qualm is that you can't, to my knowledge, purge individual alerts or groups of alerts using the web-based interface (correct me if I'm wrong).

                 

                I just want ePO to be as streamlined as can be, which to me at least means scanning for threats in as short a time as possible.

                 

                Again, thanks for the reply.

                • 5. Re: Common Standard Protection:Prevent common programs from running files from the Temp folder

                  I went from ProtectionPilot, which was a stripped-down version of ePO 2 (I think), directly to ePO 4.5.  In ePO 4.5, it looks like I can delete alerts from the web interface.  However, with ePO 4.5 (perhaps 4.0 also), there may be other tools to filter the events, etc.  Perhaps by creating custom reports.  I haven't had time to learn/study all the features of ePO 4.5 since we are a small company and I do other things in addition to my IT duties.

                   

                  Jay
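
One way to keep these alerts without letting them bury other Temp-folder blocks is to triage an exported event list by process and file name together. This is an added example, not code from the thread or from McAfee. The CSV layout, column names, sample rows and the `iexplore.exe` image name are assumptions; only the rule name and the `Z@R*.tmp` file pattern come from the posts above.

```python
import csv
import io
import ntpath
from collections import Counter
from fnmatch import fnmatchcase

RULE = ("Common Standard Protection:Prevent common programs "
        "from running files from the Temp folder")
NOISE_PROCESS = "iexplore.exe"  # assumption: IE's image name (thread says the process is IE)
NOISE_PATTERN = "Z@R*.TMP"      # Z@R*.tmp names quoted in the thread, upper-cased

# Constructed sample export; columns and rows are hypothetical.
SAMPLE = r"""host,user,process,rule,path
PC01,alice,C:\Program Files\Internet Explorer\iexplore.exe,{rule},C:\Documents and Settings\alice\Local Settings\Temp\Z@RB5.tmp
PC01,alice,C:\Program Files\Internet Explorer\iexplore.exe,{rule},C:\Documents and Settings\alice\Local Settings\Temp\Z@R1C.tmp
PC02,bob,C:\Program Files\Internet Explorer\iexplore.exe,{rule},C:\Documents and Settings\bob\Local Settings\Temp\setup.exe
PC03,carol,C:\Program Files\Microsoft Office\Office12\WINWORD.EXE,{rule},C:\Documents and Settings\carol\Local Settings\Temp\Z@R77.tmp
PC02,bob,C:\Program Files\Internet Explorer\iexplore.exe,{rule},C:\Documents and Settings\bob\Desktop\Z@R12.tmp
""".replace("{rule}", RULE)


def is_known_noise(row):
    """True only when rule, process, folder and file name all match the Reader/IE case."""
    if row["rule"] != RULE:
        return False
    if ntpath.basename(row["process"]).lower() != NOISE_PROCESS:
        return False
    folder, name = ntpath.split(row["path"])
    in_temp = ntpath.basename(folder).lower() == "temp"
    return in_temp and fnmatchcase(name.upper(), NOISE_PATTERN)


def triage(text):
    """Count known-noise events per (host, user); return all other rows for review."""
    noise, review = Counter(), []
    for row in csv.DictReader(io.StringIO(text)):
        if is_known_noise(row):
            noise[(row["host"], row["user"])] += 1
        else:
            review.append(row)
    return noise, review


if __name__ == "__main__":
    noise, review = triage(SAMPLE)
    for (host, user), count in sorted(noise.items()):
        print(f"known noise: {host} {user} x{count}")
    for row in review:
        print(f"REVIEW: {row['host']} {row['user']} "
              f"{ntpath.basename(row['process'])} -> {row['path']}")
```

Because the match requires the IE process, a Temp folder and the `Z@R*.tmp` name together, IE being blocked on any other file in Temp still lands in the review list.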