7372 Views 3 Replies Latest reply: May 16, 2013 4:58 AM by mvmthegreat
rdefino Apprentice 69 posts since
Feb 6, 2009

Sep 13, 2010 4:09 PM

Could someone help me understand what's in this Access Protection log

Would someone be able to help with this? I'm trying to figure out if something bad is happening here. The user says this happens every day at 10am.

Thanks

7/26/2010 8:13:23 AM Would be blocked by Access Protection rule  (rule is currently not enforced) GLOBAL\jwilkie C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_18385.exe Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder Action blocked : Execute

7/26/2010 10:00:01 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM **\CSCRIPT.EXE C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

7/26/2010 10:00:02 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\uap.vbs Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

7/26/2010 10:00:16 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

7/26/2010 10:00:16 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MGQHKHF5\ipcheck[1].htm Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

7/26/2010 10:00:18 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\ipconfig.out Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

7/26/2010 10:04:49 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\90HKRLNM\password[1].htm Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

7/26/2010 10:04:53 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM **\CSCRIPT.EXE C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hello,

    The cited log informs you that some Access Protection rules were triggered, but they were only set to "notify only" and therefore nothing was actually blocked.

    An example for explanation:

    7/26/2010 8:13:23 AM - time when the Access Protection rule triggered

    Would be blocked by Access Protection rule  (rule is currently not enforced) - Message. A message starting "Would be blocked" means the rule has the "notify" checkbox set. One starting "Blocked by" means the rule had both the "block" and "notify" checkboxes set.

    GLOBAL\jwilkie - username in whose context the rule triggered

    C:\Program Files\Internet Explorer\iexplore.exe - the process that made an action that in turn triggered the rule

    C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_18385.exe - the above process wanted to take action on this file

    Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder  - the rule name that triggered

    Action blocked : Execute - the action that was to be blocked (misleading in this case, not applicable now since the rule is to notify only).

    If your organization has ePolicy Orchestrator managing clients like this one, then please check the policy that applies to this client regarding Access Protection rules to see what is enabled and select also the "block" checkbox for the rule or deselect "notify" so a rule only triggers when it blocks as well.

    Attila
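    As an added illustration of the field layout Attila walks through above (example code written for this thread, not from the forum or from McAfee): a small Python parser that splits each Access Protection line into timestamp, message, user, process, target, rule and action, records whether the rule was only reporting ("Would be blocked") or actually enforced ("Blocked by"), and tallies hits per rule and per time of day so a recurring 10:00 entry stands out. The log lines inside it are constructed in the thread's format; the regex assumes the target path starts with a drive letter, a UNC prefix or `**\`, and that rule names contain "Standard Protection:" or "Maximum Protection:".

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed sample lines in the layout quoted in the thread (not from a real host).
SAMPLE_LOG = r"""
7/26/2010 8:13:23 AM Would be blocked by Access Protection rule  (rule is currently not enforced) GLOBAL\jwilkie C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_18385.exe Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder Action blocked : Execute
7/26/2010 10:00:02 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\uap.vbs Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
7/26/2010 10:00:18 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\ipconfig.out Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
7/27/2010 10:00:03 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\uap.vbs Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read
"""

# Field order follows Attila's breakdown. Assumption: the target path starts with a drive
# letter, "\\" or "**\", which is what separates it from the (space-containing) process path.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<message>Would be blocked by Access Protection rule\s+\(rule is currently not enforced\)"
    r"|Blocked by Access Protection rule) "
    r"(?P<user>.+?\\\S+) "
    r"(?P<process>.+?) "
    r"(?P<target>(?:[A-Za-z]:\\|\\\\|\*\*\\).+?) "
    r"(?P<rule>\S+ (?:Standard|Maximum) Protection:.+?) "
    r"Action blocked : (?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; None if the line is not an Access Protection event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec.pop("time"), "%m/%d/%Y %I:%M:%S %p")
    # "Would be blocked" = Report/notify only, nothing stopped; "Blocked by" = rule enforced.
    rec["enforced"] = rec["message"].startswith("Blocked by")
    return rec


def summarize(log_text: str) -> dict:
    """Per rule: total hits, how many were really enforced, firing processes, and times of day."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = summary.setdefault(rec["rule"], {"hits": 0, "enforced": 0, "processes": Counter(), "times": Counter()})
        e["hits"] += 1
        e["enforced"] += int(rec["enforced"])
        e["processes"][rec["process"].lower()] += 1
        e["times"][rec["timestamp"].strftime("%H:%M")] += 1  # a daily job shows up as one hot bucket
    return summary


def report_only_rules(summary: dict) -> list:
    """Rules that fired but never blocked anything: the ones to move from Report to Block."""
    return sorted(rule for rule, e in summary.items() if e["enforced"] == 0)
```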

  • cliff620 Newcomer 20 posts since
    Apr 25, 2007

    Attila is absolutely right.

    You have these two rules set to Report in Access Protection, and the workstation activity has triggered these rules:

    Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder
    Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder

    If you had set the rules to Block, the activity would have been stopped.

    We typically don't Report anything that we don't Block as well. However, when we determine that we want to increase the protections, that is when we use the Report feature.

    In addition, you may have noticed that little yellow "i" on the McAfee shield. These Report rules will cause that to appear.

    Cliff

    Message was edited by: cliff620 on 9/16/10 8:41:02 PM GMT-06:00
  • mvmthegreat Newcomer 1 posts since
    May 16, 2013

    I would like to say the system is infected, because nothing will take you directly to wscript.exe. I tried myself to find the cause of the virus. Some jpg file named D657657T.jpg stayed in all drives in hidden mode, and a file named winjpg.jpg was created in system32 of the Windows folder. I tried to eliminate them by using a user-defined detection and succeeded, but the virus is still there and I am unable to access my hidden files.
