3 Replies. Latest reply: May 16, 2013 4:58 AM by mvmthegreat

    Could someone help understand what's in this Access Protection log

    rdefino

      Would someone be able to help with this? I'm trying to figure out if something bad is happening here. The user says this happens every day at 10am.

      Thanks

      7/26/2010 8:13:23 AM Would be blocked by Access Protection rule  (rule is currently not enforced) GLOBAL\jwilkie C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_18385.exe Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder Action blocked : Execute

      7/26/2010 10:00:01 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM **\CSCRIPT.EXE C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

      7/26/2010 10:00:02 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\uap.vbs Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

      7/26/2010 10:00:16 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

      7/26/2010 10:00:16 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MGQHKHF5\ipcheck[1].htm Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

      7/26/2010 10:00:18 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\ipconfig.out Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

      7/26/2010 10:04:49 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\90HKRLNM\password[1].htm Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read

      7/26/2010 10:04:53 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM **\CSCRIPT.EXE C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content

        • 1. Re: Could someone help understand what's in this Access Protection log
          Attila Polinger

          Hello,

          The cited log informs you that some Access Protection rules were triggered, but they were only set to "notify only" and therefore nothing was actually blocked.

          An example, for explanation:

          7/26/2010 8:13:23 AM - time when the Access Protection rule triggered

          Would be blocked by Access Protection rule  (rule is currently not enforced) - the message. Starting "Would be blocked" means the rule has the "notify" checkbox set. Starting "Blocked by" means the rule had both the "block" and "notify" checkboxes set.

          GLOBAL\jwilkie - username in whose context the rule triggered

          C:\Program Files\Internet Explorer\iexplore.exe - the process that performed an action which in turn triggered the rule

          C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_18385.exe - the file the above process wanted to act on

          Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder - the name of the rule that triggered

          Action blocked : Execute - the action that was to be blocked (misleading in this case; not applicable, since the rule is set to notify only).

          If your organization has ePolicy Orchestrator managing clients like this one, then please check the policy that applies to this client regarding Access Protection rules to see what is enabled, and either also select the "block" checkbox for the rule or deselect "notify", so a rule only triggers when it blocks as well.

          Attila
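
As an added example (not part of the thread or of McAfee's own tooling), a small Python parser that splits each line of the log above into the fields Attila names and tallies, per rule, how many hits were report-only versus actually blocked. The sample lines are copied from the question (including the truncated last entry); the one "Blocked by" line is constructed to show how an enforced rule parses.

```python
import re
from collections import Counter

# Field order per line, as explained in the reply above:
#   <timestamp> <message> <user> <process> <target> <category>:<rule name> Action blocked : <action>
# Paths contain spaces and a drive colon, so the rule is matched as "letters/spaces/hyphens:text",
# a shape no Windows path has; the user field may itself contain a space (NT AUTHORITY\SYSTEM).
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<message>(?:Would be blocked|Blocked) by Access Protection rule"
    r"(?:\s+\(rule is currently not enforced\))?)\s+"
    r"(?P<user>[^\\]+?\\\S+)\s+"
    r"(?P<process>\S.*?\.exe)\s+"
    r"(?P<target>.+?)\s+"
    r"(?P<rule>[A-Za-z][A-Za-z -]*:[^:]+?)\s+"
    r"Action blocked : (?P<action>\w+)$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict of fields, or None for lines that do not fit (e.g. the truncated last entry).
    'enforced' is False for "Would be blocked": the rule has only the notify/report box ticked."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["enforced"] = not fields.pop("message").lower().startswith("would be")
    return fields

def summarise(lines):
    """Per rule: how many hits were report-only versus actually blocked, plus unparsable lines."""
    per_rule, skipped = Counter(), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        per_rule[(ev["rule"], "blocked" if ev["enforced"] else "report-only")] += 1
    return per_rule, skipped

# Sample input: three lines copied from the log in the question (the third is the truncated
# entry) plus one constructed "Blocked by" line to show how an enforced rule parses.
SAMPLE = [
    r"7/26/2010 8:13:23 AM Would be blocked by Access Protection rule  (rule is currently not enforced) GLOBAL\jwilkie C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Downloaded Program Files\SiebelAx_Desktop_Integration_18385.exe Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder Action blocked : Execute",
    r"7/26/2010 10:00:01 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM **\CSCRIPT.EXE C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read",
    r"7/26/2010 10:04:53 AM Would be blocked by Access Protection rule  (rule is currently not enforced) NT AUTHORITY\SYSTEM **\CSCRIPT.EXE C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content",
    r"7/26/2010 10:00:02 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cscript.exe C:\temp\uap.vbs Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder Action blocked : Read",
]
```

Running `summarise(SAMPLE)` reports one report-only hit for each of the two rules, one blocked hit for the Temp-folder script rule, and one line skipped as unparsable.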

          • 2. Re: Could someone help understand what's in this Access Protection log
            cliff620

            Attila is absolutely right.

            You have these two rules set to Report in Access Protection, and the workstation activity has triggered these rules:

            Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder
            Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder

            If you were to set the rule to Block, the activity would have been stopped.

            We typically don't Report anything that we don't block as well. However, when we determine we want to increase the protections, this is when we use the Report feature.

            In addition, you may have noticed the little yellow "i" on the McAfee shield. These Report rules will cause that to appear.

            Cliff

            Message was edited by: cliff620 on 9/16/10 8:41:02 PM GMT-06:00
            • 3. Re: Could someone help understand what's in this Access Protection log
              mvmthegreat

              I would like to say the system is infected, because nothing will take you directly to wscript.exe. I tried myself to find the cause of the virus. Some jpg file named D657657T.jpg stayed in all drives in hidden mode, and a file named winjpg.jpg was created in system32 of the Windows folder. I tried to eliminate them by using a user-defined detection and succeeded, but the virus is still there and I am unable to access my hidden files.