357 Views 1 Reply Latest reply: Sep 12, 2013 3:30 PM by greatscott
rebel2 Newcomer 1 posts since Sep 12, 2013

Sep 12, 2013 12:05 PM

Can anyone shed some light on this HIPS alert? I searched through the forums but couldn't find anything.

Looking at my HIPS logs, I came across the signature below. According to McAfee's description, it's IE trying to read an Outlook .ost file, which can indicate that the browser may be compromised. Has anyone else come across this, or does anyone know if this may be an FP? How should I go about investigating this further? BTW, the threat name is 2600, but googling it returns no information.

Event Description

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE running with the privileges of user: N/A on the system with Agent whatever attempted to open file/directory D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost in order to:

  • read
  • write
  • change read-only/hidden attributes

General Signature Description

(Refer to KB article 51504 for details about supported platforms.) This event indicates an attempt to read an email file type by Internet Explorer. In most configurations the browser should not access files of this type directly, and such an operation might suggest that the browser is compromised and that an attacker is attempting to use the browser to read private information from the machine running the browser.

The event will trigger each time the browser attempts to open a file whose type is known to be used by Microsoft Outlook. These types include single email files, address book files and personal folder files.

It is possible to use the browser to explore the content of the system hard drive and it is possible that in doing so, the user will instruct the browser to open email files in a legitimate way.

The recommended best practice to avoid this type of false positive is to use the web browser only to access web sites and to use Windows Explorer to browse the system hard drive.

If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561

Drive Type: HardDrive
ePO Reachable: True
Executable file description: INTERNET EXPLORER
Executable fingerprint: b60dddd2d63ce41cb8c487fcfbb6419e
Files: D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost
In Trusted Network: Unknown
Subject Distinguished Name: CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Subject Organization Name: MICROSOFT CORPORATION
Workstation Name: 000-1233
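
A small triage helper for the event text quoted in the post above, added here as an example (it is not part of the original thread and not McAfee's code). It parses the Event Description layout shown in the post and flags a browser process opening an Outlook file type. The extension list beyond .ost, the function names and the triage notes are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed list: only .ost appears in the post; the others are common
# Outlook data, single-message and address book extensions.
MAIL_EXTS = {".ost", ".pst", ".msg", ".pab", ".wab"}
BROWSERS = {"iexplore.exe"}  # the signature in the post concerns Internet Explorer

# Matches the sentence layout of the "Event Description" quoted in the post.
EVENT_RE = re.compile(
    r"(?P<proc>\S.*?) running with the privileges of user: (?P<user>.+?) on the system"
    r".*? attempted to open file/directory (?P<target>.+?) in order to:",
    re.S,
)

# Event text copied from the post (user and agent names were already redacted there).
SAMPLE = r"""C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE running with the privileges of user: N/A on the system with Agent whatever attempted to open file/directory D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost in order to:
  • read
  • write
  • change read-only/hidden attributes
"""

def parse_event(text):
    """Return process, user, target and requested operations, or None if the layout differs."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    lines = (ln.strip(" \t•").lower() for ln in text[m.end():].splitlines())
    return {"process": m["proc"], "user": m["user"],
            "target": m["target"], "operations": [ln for ln in lines if ln]}

def triage(event):
    """Apply the signature's condition plus two assumed triage notes."""
    proc = PureWindowsPath(event["process"]).name.lower()
    ext = PureWindowsPath(event["target"]).suffix.lower()
    findings = []
    if proc in BROWSERS and ext in MAIL_EXTS:
        findings.append("browser opened mail file type " + ext)
        extra = [op for op in event["operations"] if op != "read"]
        if extra:  # the signature text only describes a read attempt
            findings.append("access beyond read: " + ", ".join(extra))
    if event["user"].upper() == "N/A":
        findings.append("no user context recorded")
    return findings

if __name__ == "__main__":
    for note in triage(parse_event(SAMPLE)):
        print(note)
```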
