5 Replies, latest reply: Mar 29, 2013 2:22 AM by Attila Polinger

    Access Protection Rule Violation Detected And Not Blocked

      I work on Nitro SIEM and am currently monitoring the ePO alerts logged to Nitro. Can someone please suggest how we can determine whether a provided file path is genuine and the ePO threat action can be ignored?


      Here is an event packet:

      SourceProcessName='C:\WINDOWS\System32\WScript.exe'  TargetFileName='C:\Documents and Settings\blosabia.TEA.027\Local Settings\Temporary Internet Files\Content.IE5\2YAXLZ5Z\desktop.ini'

      ThreatCategory='hip.file' ThreatSeverity='5' ThreatName='Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder' ThreatEventID='1095' ThreatType='access protection' ThreatActionTaken='would deny read' ThreatHandled='1' ProductFamily='VIRUSCAN' IPv6='::ffff:' InTrustNetwork=''

      SourceProcessName='C:\windows\system32\DllHost.exe'  TargetFileName='G:\DATACVS\ITS\JHaste\Win2K_OAG\Win2K_PharmNet-f001.vmdk'

      SourceProcessName='C:\WINDOWS\system32\CCM\CcmExec.exe'  TargetFileName='C:\Program Files\VMware\VMware Tools\VMwareUser.exe'

      SourceProcessName='C:\windows\SysWOW64\cscript.exe'  TargetFileName='C:\Windows\Temp\inv733b_tmp\NIC_Broadcom\BComInv.vbs'

      SourceProcessName='C:\windows\Explorer.EXE'  TargetFileName='G:\DATACVS\ITS\JHaste\Win2K_OAG\Win2K_PharmNet-f001.vmdk'


      When I researched Wscript.exe, some sources stated it might be a virus.



      How do I determine from a packet like this whether it is safe to let the event go? I usually look at the process name and path to figure it out; please suggest if there is a better research process.
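An added example, not part of the original post or of any McAfee/ePO tooling: a small Python script that parses the key='value' packets quoted above and applies the same kind of checks the poster does by hand (where the source process runs from, whether it is a script host, whether the target is executable content in a temp or cache folder), then ranks each event. The directory lists, the list of script hosts and the scoring thresholds are assumptions for illustration; the sample packets are the ones quoted in the post, with their quotes balanced. Note that `ThreatActionTaken='would deny read'` is recorded as report-only: the rule logged the access but did not block it, which is why the event is "Detected And Not Blocked".

```python
"""Parse ePO Access Protection event packets and rank them for triage.

Added example; the heuristics below are assumptions, not McAfee's own logic.
"""
import ntpath
import re

KV_RE = re.compile(r"(\w+)='([^']*)'")

# Directories from which a Windows or vendor binary is normally launched.
# Assumption: tailor this to your own build image.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Interpreters that run whatever script they are handed; presence alone is not proof of malware.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}
EXEC_EXTS = {".exe", ".dll", ".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1", ".scr", ".hta"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\", "\\appdata\\local\\")

# Sample packets copied from the post above (quotes balanced); constructed offline input.
SAMPLES = [
    "SourceProcessName='C:\\WINDOWS\\System32\\WScript.exe' "
    "TargetFileName='C:\\Documents and Settings\\blosabia.TEA.027\\Local Settings\\"
    "Temporary Internet Files\\Content.IE5\\2YAXLZ5Z\\desktop.ini' "
    "ThreatCategory='hip.file' ThreatSeverity='5' "
    "ThreatName='Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder' "
    "ThreatEventID='1095' ThreatType='access protection' ThreatActionTaken='would deny read' "
    "ThreatHandled='1' ProductFamily='VIRUSCAN'",
    "SourceProcessName='C:\\windows\\system32\\DllHost.exe' "
    "TargetFileName='G:\\DATACVS\\ITS\\JHaste\\Win2K_OAG\\Win2K_PharmNet-f001.vmdk'",
    "SourceProcessName='C:\\WINDOWS\\system32\\CCM\\CcmExec.exe' "
    "TargetFileName='C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe'",
    "SourceProcessName='C:\\windows\\SysWOW64\\cscript.exe' "
    "TargetFileName='C:\\Windows\\Temp\\inv733b_tmp\\NIC_Broadcom\\BComInv.vbs'",
    "SourceProcessName='C:\\windows\\Explorer.EXE' "
    "TargetFileName='G:\\DATACVS\\ITS\\JHaste\\Win2K_OAG\\Win2K_PharmNet-f001.vmdk'",
]


def parse_event(packet):
    """Return the key='value' pairs of one ePO event packet as a dict."""
    return dict(KV_RE.findall(packet))


def triage(event):
    """Score one parsed event and return {'score', 'verdict', 'findings'}."""
    source = event.get("SourceProcessName", "").lower()
    target = event.get("TargetFileName", "").lower()
    src_name = ntpath.basename(source)
    findings, score = [], 0

    # Report-only rules log 'would deny ...'; nothing was actually stopped.
    if event.get("ThreatActionTaken", "").startswith("would"):
        findings.append("report-only: rule logged the access but did not block it")

    if src_name in SCRIPT_HOSTS:
        findings.append(f"source {src_name} is a script host")
        score += 2
    if not source.startswith(EXPECTED_DIRS):
        findings.append(f"source runs from an unexpected directory: {source}")
        score += 3

    in_temp = any(marker in target for marker in TEMP_MARKERS)
    is_exec = ntpath.splitext(target)[1] in EXEC_EXTS
    if in_temp:
        findings.append("target lives in a temp or cache folder")
        score += 1
    if is_exec:
        findings.append("target is executable or script content")
        score += 1
    if in_temp and is_exec:
        findings.append("executable content staged in a temp folder")
        score += 1

    verdict = "investigate" if score >= 4 else "review" if score >= 2 else "likely-benign"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for packet in SAMPLES:
        event = parse_event(packet)
        result = triage(event)
        print(result["verdict"], event["SourceProcessName"], "->", event["TargetFileName"])
        for finding in result["findings"]:
            print("    ", finding)
```

On the five sample packets this ranks the `cscript.exe` run against a `.vbs` in `C:\Windows\Temp` as "investigate", the `WScript.exe` read of `desktop.ini` in the IE cache as "review", and the `DllHost.exe`, `CcmExec.exe` and `Explorer.EXE` events as "likely-benign". The score only orders the work; whether a `.vbs` under `C:\Windows\Temp\inv733b_tmp` is a legitimate inventory script is still something to confirm against the deployment tool that wrote it.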