1 Reply Latest reply: May 10, 2013 2:53 AM by Attila Polinger

    Common Standard Protection:Prevent common programs from running files from the Temp folder

    dans

      Someone save me from the noise!!

      It's McAfee's "Prevent common programs from running files from the Temp folder".


      Hundreds, thousands, if not more. All related to PDF files in the temp folder, is my guess. The Z@******.tmp name changes with each PDF download.

      C:\Users\<username>\AppData\Local\Temp\Low\Z@R82F8.tmp


      This is just a warning alert; it's not actually blocking. What have other users settled on as a happy medium? In the past 6 months I don't recall ever responding to a "Prevent common programs from running files from the temp folder" event alert, so is it time to stop reporting this event? In the dream world that McAfee lives in, am I supposed to give enough brain cycles to this alert and all the machines it occurs on and respond accordingly each time it happens? I don't believe it helps in forensics reporting either, or in working backwards through an incident. Has anyone ever made use of this event? If yes, please divulge what I'm missing.

        • 1. Re: Common Standard Protection:Prevent common programs from running files from the Temp folder
          Attila Polinger

          Hello,


          I suggest you make a query of events like this and see what process is initiating the triggering of this event type. Is it a single process or are there many processes? What is that process? That could be a good starting point to decide whether that process is legitimate or not.


          (My standpoint regarding notify-only and this particular rule is that there is no point in using notify-only rules (other than for testing or investigation purposes), and this particular rule might not need to be enabled at all - the Temp folder must be used somehow by programs - except if you undertake the task of putting exclusions on this rule's list, thereby separating legitimate use from illegitimate use.)


          Attila
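The query Attila describes, worked through as an added example (my code, not McAfee's and not from either poster): take an export of Access Protection events, keep only the rows for this rule, collapse the per-download random names like Z@R82F8.tmp and the per-user part of the path so identical behaviour lands in one bucket, and count by source process. The CSV column names and every row are constructed for this example and are not a real ePO export layout; the process paths and the rule's "would block" action string are likewise assumptions. The summary tells you whether one process (here a constructed Adobe Reader path) accounts for the volume, which is the question to answer before deciding on an exclusion or on leaving the rule in notify mode.

```python
import csv
import io
import re
from collections import Counter

# Rule name as it appears in the thread.
RULE = "Prevent common programs from running files from the Temp folder"

# Constructed sample export. Column names and rows are assumptions for this
# example only; adapt the field names to whatever your real export uses.
SAMPLE_CSV = """event_time,rule_name,source_process,target_path,action
2013-05-09 09:12:01,Prevent common programs from running files from the Temp folder,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\Low\\Z@R82F8.tmp,would block
2013-05-09 09:14:22,Prevent common programs from running files from the Temp folder,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\Low\\Z@K1C02.tmp,would block
2013-05-09 10:02:45,Prevent common programs from running files from the Temp folder,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\Low\\Z@77A0D.tmp,would block
2013-05-09 11:30:07,Prevent common programs from running files from the Temp folder,C:\\Users\\bob\\AppData\\Local\\Temp\\unknown.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\drop.tmp,would block
"""

# Z@ followed by five hex-looking characters, as in the poster's example name.
RANDOM_TMP = re.compile(r"Z@[0-9A-Z]{5}\.tmp$", re.IGNORECASE)
USER_DIR = re.compile(r"\\Users\\[^\\]+\\")


def normalize_path(path: str) -> str:
    """Replace the user name and the random temp file name with placeholders."""
    path = USER_DIR.sub(r"\\Users\\<user>\\", path)
    return RANDOM_TMP.sub("Z@*.tmp", path)


def parse_events(text: str) -> list:
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(events: list, rule_name: str = RULE):
    """Count events for one rule by source process and by (process, normalized target)."""
    by_process = Counter()
    by_pair = Counter()
    for ev in events:
        if ev["rule_name"] != rule_name:
            continue
        proc = ev["source_process"]
        by_process[proc] += 1
        by_pair[(proc, normalize_path(ev["target_path"]))] += 1
    return by_process, by_pair


def report(events: list, rule_name: str = RULE) -> str:
    """Human-readable summary: the high-volume process first, then everything else.

    A process that dominates the count is the one to vet for an exclusion; a
    process that shows up once or twice, especially one that itself lives in
    Temp, is the one worth a closer look rather than a broad exclusion."""
    by_process, by_pair = summarize(events, rule_name)
    lines = [f"Rule: {rule_name}", "By source process:"]
    for proc, n in by_process.most_common():
        lines.append(f"  {n:5d}  {proc}")
    lines.append("By (process, normalized target):")
    for (proc, target), n in by_pair.most_common():
        lines.append(f"  {n:5d}  {proc} -> {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_events(SAMPLE_CSV)))
```

On the constructed sample the first bucket shows one reader executable writing the same normalized target three times, which is the "single process, repeated pattern" case Attila refers to; the remaining row is a process running out of Temp itself and would not be covered by an exclusion written for the reader.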