5 Replies Latest reply: Mar 29, 2013 2:22 AM by Attila Polinger

    Access Protection Rule Violation Detected And Not Blocked

    gandepas

      Hi,


      I work on Nitro SIEM and am currently monitoring the ePO alerts logging to Nitro. Can someone please suggest how we can determine if a provided file path is genuine and the ePO threat action can be ignored?


      Here is an event packet-


      SourceProcessName='C:\WINDOWS\System32\WScript.exe'  TargetFileName='C:\Documents and Settings\blosabia.TEA.027\Local Settings\Temporary Internet Files\Content.IE5\2YAXLZ5Z\desktop.ini'


      ThreatCategory='hip.file' ThreatSeverity='5' ThreatName='Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder' ThreatEventID='1095' ThreatType='access protection' ThreatActionTaken='would deny read' ThreatHandled='1' ProductFamily='VIRUSCAN' IPv6='::ffff:204.67.68.129' InTrustNetwork=''


      Others:


      SourceProcessName='C:\windows\system32\DllHost.exe'    TargetFileName='G:\DATACVS\ITS\JHaste\Win2K_OAG\Win2K_PharmNet-f001.vmdk' 

      SourceProcessName='C:\WINDOWS\system32\CCM\CcmExec.exe    TargetFileName='C:\Program Files\VMware\VMware Tools\VMwareUser.exe'

      SourceProcessName='C:\windows\SysWOW64\cscript.exe  TargetFileName='C:\Windows\Temp\inv733b_tmp\NIC_Broadcom\BComInv.vbs

      SourceProcessName='C:\windows\Explorer.EXE'    TargetFileName='G:\DATACVS\ITS\JHaste\Win2K_OAG\Win2K_PharmNet-f001.vmdk'


      When I researched Wscript.exe, some have stated it might be a virus.

      https://community.mcafee.com/thread/21390


      How do I determine from a packet like this whether it is safe to let the event go? I usually look at the process name and path to figure it out; please suggest if there is a better research process.


      Thanks!
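As an added example (not from the original post, and not McAfee code), here is a small Python triage helper that parses packets of this key='value' shape, including lines like the ones above that lack a closing quote, and flags the things an analyst would check first: whether the source process is a script host, whether that host runs from somewhere other than System32/SysWOW64 (where the genuine wscript.exe and cscript.exe live), whether the target sits in a temp or browser cache folder, and whether a "would deny" action shows the rule is report-only so nothing was actually blocked. The sample packets and the hypothetical third event are constructed to resemble those in the question.

```python
import re
from typing import Dict, List

# Constructed sample packets shaped like the ePO events quoted in the question
# (the second deliberately lacks a closing quote, as in the original post).
SAMPLE_EVENTS = [
    "SourceProcessName='C:\\WINDOWS\\System32\\WScript.exe'  "
    "TargetFileName='C:\\Documents and Settings\\user\\Local Settings\\"
    "Temporary Internet Files\\Content.IE5\\2YAXLZ5Z\\desktop.ini' "
    "ThreatActionTaken='would deny read' ThreatHandled='1'",
    "SourceProcessName='C:\\windows\\system32\\CCM\\CcmExec.exe    "
    "TargetFileName='C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe'",
    # Hypothetical event: a script host copied into a temp folder (constructed).
    "SourceProcessName='C:\\Users\\user\\AppData\\Local\\Temp\\wscript.exe'  "
    "TargetFileName='C:\\Windows\\Temp\\x.vbs' ThreatActionTaken='deny execute'",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where the genuine Windows script hosts are installed.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key='value' packet into a dict; tolerates a missing closing quote."""
    fields = {}
    # Split only where a new KEY=' begins, so spaces inside paths survive.
    for chunk in re.split(r"\s+(?=\w+=')", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value.strip().strip("'")
    return fields


def triage(event: Dict[str, str]) -> List[str]:
    """Return reasons an analyst should look closer (empty list = nothing notable)."""
    src = event.get("SourceProcessName", "").lower()
    dst = event.get("TargetFileName", "").lower()
    action = event.get("ThreatActionTaken", "").lower()
    findings = []
    if src.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        findings.append("script host involved")
        if not any(d in src for d in SYSTEM_DIRS):
            findings.append("script host outside System32/SysWOW64: name may be spoofed")
    if any(m in dst for m in TEMP_MARKERS):
        findings.append("target is in a temp/cache folder")
    if action.startswith("would"):
        findings.append("rule is report-only: access was logged, not blocked")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["SourceProcessName"], "->", ev["TargetFileName"])
        for f in triage(ev) or ["no automatic finding; verify path and hash manually"]:
            print("  -", f)
```

An empty findings list is not a clean bill of health; it only means the cheap checks passed and the path and file hash still need to be verified by hand.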