Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
354 Views 1 Reply Latest reply: Sep 12, 2013 3:30 PM by greatscott RSS
rebel2 Newcomer 1 posts since
Sep 12, 2013
Currently Being Moderated

Sep 12, 2013 12:05 PM

Can anyone shed some light on this HIPS alert? I searched through the forums but couldn't find anything.

Looking at my HIPS logs, I came across this signature below, according to Mcafee's description its IE trying to read outlook .ost file which can indicate that the browser may be compromised. Has anyone else come across this or know this may be a fp? How should I go about investigating this further? BTW, threat name is 2600 but googling it returns no information.


Event Description

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE running with the privileges of user: N/A on the system with Agent whatever attempted to open file/directory D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost in order to:

  • read
  • write
  • change read-only/hidden attributes

General Signature Description

(Refer to KB article 51504 for details about supported platforms.) This event indicates an attempt to read an email file type by Internet Explorer. In most configurations the browser should not access files of this type directly, and such an operation might suggest that the browser is compromised and that an attacker is attempting to use the browser to read private information from the machine running the browser.

The event will trigger each time the browser attempts to open a file whose type is known to be used by Microsoft Outlook. These types include single email files, address book files and personal folder files.

It is possible to use the browser to explore the content of the system hard drive and it is possible that in doing so, the user will instruct the browser to open email files in a legitimate way.

The recommended best practice to avoid this type of false positive is to use the web browser only to access web sites and to use Windows Explorer to browse the system hard drive.
If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base.





Drive Type


ePO Reachable


Executable file description


Executable fingerprint



D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost

In Trusted Network


Subject Distinguished Name


Subject Organization Name


Workstation Name


More Like This

  • Retrieving data ...

Bookmarked By (0)


  • Correct Answers - 5 points
  • Helpful Answers - 3 points