1 Reply. Latest reply: Sep 12, 2013 3:30 PM by greatscott

    Can anyone shed some light on this HIPS alert? I searched through the forums but couldn't find anything.

    rebel2

      Looking at my HIPS logs, I came across the signature below. According to McAfee's description, it's IE trying to read the Outlook .ost file, which can indicate that the browser may be compromised. Has anyone else come across this, or know whether this may be a FP? How should I go about investigating this further? BTW, the threat name is 2600, but googling it returns no information.

      Event Description

      C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE running with the privileges of user: N/A on the system with Agent whatever attempted to open file/directory D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost in order to:

      • read
      • write
      • change read-only/hidden attributes

      General Signature Description

      (Refer to KB article 51504 for details about supported platforms.) This event indicates an attempt to read an email file type by Internet Explorer. In most configurations the browser should not access files of this type directly, and such an operation might suggest that the browser is compromised and that an attacker is attempting to use the browser to read private information from the machine running the browser.

      The event will trigger each time the browser attempts to open a file whose type is known to be used by Microsoft Outlook. These types include single email files, address book files and personal folder files.

      It is possible to use the browser to explore the content of the system hard drive and it is possible that in doing so, the user will instruct the browser to open email files in a legitimate way.

      The recommended best practice to avoid this type of false positive is to use the web browser only to access web sites and to use Windows Explorer to browse the system hard drive.
      If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561

      Drive Type: HardDrive
      ePO Reachable: True
      Executable file description: INTERNET EXPLORER
      Executable fingerprint: b60dddd2d63ce41cb8c487fcfbb6419e
      Files: D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost
      In Trusted Network: Unknown
      Subject Distinguished Name: CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
      Subject Organization Name: MICROSOFT CORPORATION
      Workstation Name: 000-1233
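The signature logic quoted in the post (a browser process opening a file of a type Outlook uses) is simple enough to reproduce as a triage helper, so here is one as an added example. It is not McAfee code and not part of the original post. It parses the free-text event description in the format shown above, decides whether the accessed file is an Outlook data type, notes when the requested access goes beyond read, and compares the logged executable fingerprint with a caller-supplied list of known-good hashes. Assumptions: the extension-to-type mapping is my reading of "single email files, address book files and personal folder files" (the page does not enumerate the extensions), the set of browser names is my choice, and the known-good fingerprint set must be populated from a clean reference machine; the placeholder hash used in the demo is constructed and says nothing about the real iexplore.exe.

```python
"""Triage helper for HIPS "browser opened an e-mail file" events.

Added example, not McAfee's code. The event text below is the one quoted in
the post, re-typed as a constructed sample; the extension mapping, browser
list and placeholder known-good hash are assumptions for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed mapping of Outlook file types to the three groups the signature
# description names ("single email files, address book files and personal
# folder files"); .ost is Outlook's offline copy of a mailbox.
OUTLOOK_EXTENSIONS = {
    ".msg": "single email file",
    ".eml": "single email file",
    ".pab": "address book file",
    ".wab": "address book file",
    ".pst": "personal folder file",
    ".ost": "offline folder file",
}

# Browser image names the rule is meant to cover (assumed list).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# Field layout of the event description as shown in the console text.
EVENT_RE = re.compile(
    r"^(?P<process>.+?) running with the privileges of user: (?P<user>.+?) "
    r"on the system with Agent (?P<agent>.+?) attempted to open file/directory "
    r"(?P<path>.+?) in order to:(?P<ops>.*)$"
)


@dataclass
class HipsEvent:
    process: str
    user: str
    agent: str
    path: str
    operations: tuple


def parse_event(text):
    """Parse a pasted event description; line breaks and bullets are tolerated."""
    flat = " ".join(text.split())
    m = EVENT_RE.match(flat)
    if not m:
        raise ValueError("unrecognised event description")
    ops = tuple(op.strip() for op in m.group("ops").split("\u2022") if op.strip())
    return HipsEvent(m.group("process"), m.group("user"), m.group("agent"),
                     m.group("path"), ops)


def triage(event, fingerprint=None, known_good=frozenset()):
    """Return a verdict plus the observations that led to it."""
    exe = ntpath.basename(event.process).lower()
    ext = ntpath.splitext(event.path)[1].lower()
    findings = []

    if exe not in BROWSERS:
        findings.append(f"{exe} is not a browser; this signature is browser-specific")

    kind = OUTLOOK_EXTENSIONS.get(ext)
    if kind is None:
        findings.append(f"{ext or '(no extension)'} is not an Outlook data type")
    else:
        findings.append(f"{exe} opened an Outlook {kind} ({ext})")

    # A user who merely browsed to the file in the browser would normally only
    # need read access; write or attribute changes deserve a closer look.
    extra = [op for op in event.operations if op != "read"]
    if extra:
        findings.append("requested access goes beyond read: " + ", ".join(extra))

    # Compare the logged hash with hashes taken from a clean reference machine.
    if fingerprint is not None and known_good:
        if fingerprint.lower() in {h.lower() for h in known_good}:
            findings.append("executable fingerprint matches a known-good copy")
        else:
            findings.append("executable fingerprint not in known-good list; verify the binary")

    suspicious = exe in BROWSERS and kind is not None
    return {"verdict": "investigate" if suspicious else "likely unrelated",
            "findings": findings}


# Constructed sample: the event text from the post, re-typed.
SAMPLE_EVENT = (
    "C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE running with the privileges "
    "of user: N/A on the system with Agent whatever attempted to open file/directory "
    "D:\\documents and settings\\user name\\Local Settings\\Application Data\\Microsoft"
    "\\Outlook\\outlook.ost in order to:\n\u2022 read\n\u2022 write\n"
    "\u2022 change read-only/hidden attributes"
)

# Placeholder only; replace with hashes collected from a known-clean build.
PLACEHOLDER_KNOWN_GOOD = {"0" * 32}

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    result = triage(ev, fingerprint="b60dddd2d63ce41cb8c487fcfbb6419e",
                    known_good=PLACEHOLDER_KNOWN_GOOD)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

The verdict is deliberately coarse: the event alone cannot distinguish a compromised browser from a user who opened the file through the browser, which is exactly the false-positive case the signature description calls out, so the helper only tells you whether the event matches the pattern and which follow-up checks (hash comparison, access type) are worth doing.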