Looking at my HIPS logs, I came across the signature below. According to McAfee's description, it's IE trying to read the Outlook .ost file, which can indicate that the browser may be compromised. Has anyone else come across this, or know whether this may be a FP? How should I go about investigating this further? BTW, the threat name is 2600, but googling it returns no information.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE running with the privileges of user: N/A on the system with Agent whatever attempted to open file/directory D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost in order to:
- change read-only/hidden attributes
General Signature Description (refer to KB article 51504 for details about supported platforms.) This event indicates an attempt to read an email file type by Internet Explorer. In most configurations the browser should not access files of this type directly, and such an operation might suggest that the browser is compromised and that an attacker is attempting to use the browser to read private information from the machine running the browser.
The event will trigger each time the browser attempts to open a file whose type is known to be used by Microsoft Outlook. These types include single email files, address book files and personal folder files.
It is possible to use the browser to explore the content of the system hard drive and it is possible that in doing so, the user will instruct the browser to open email files in a legitimate way.
The recommended best practice to avoid this type of false positive is to use the web browser only to access web sites and to use Windows Explorer to browse the system hard drive.
If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561
Executable file description: D:\documents and settings\user name\Local Settings\Application Data\Microsoft\Outlook\outlook.ost
In Trusted Network
Subject Distinguished Name: CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Subject Organization Name
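One way to triage events like this one in bulk, as an added example and not McAfee's or the poster's code: parse the event text in the shape shown in the post into its fields, then flag the combination the signature is built around (a browser process touching an Outlook data file). The browser executable names and the Outlook file extensions (.ost, .pst, .msg, .eml, .wab, .pab) are my assumptions, since the signature text only names the .ost file explicitly; the sample events are constructed to look like the post's entry and are not real logs.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed lists: browser binaries and Outlook/mail data file extensions.
BROWSER_EXES = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
MAIL_FILE_EXTS = {".ost", ".pst", ".msg", ".eml", ".wab", ".pab"}

# Matches the event wording from the post: process, user, agent, path,
# followed by one or more "- action" lines.
EVENT_RE = re.compile(
    r"^(?P<process>.+?) running with the privileges of user: (?P<user>.+?) "
    r"on the system with Agent (?P<agent>.+?) attempted to open file/directory "
    r"(?P<path>.+?) in order to:\s*(?P<actions>(?:\n- .+)+)",
    re.MULTILINE,
)


@dataclass
class HipsEvent:
    process: str
    user: str
    agent: str
    path: str
    actions: List[str]


def parse_event(text: str) -> Optional[HipsEvent]:
    """Parse one HIPS event block; return None if it does not match the shape."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    actions = [line.strip()[2:] for line in m["actions"].strip().splitlines()]
    return HipsEvent(m["process"], m["user"], m["agent"], m["path"], actions)


def triage(event: HipsEvent) -> List[str]:
    """Return the triage notes an analyst would want to see for this event."""
    exe = PureWindowsPath(event.process).name.lower()
    ext = PureWindowsPath(event.path).suffix.lower()
    notes = []
    if exe in BROWSER_EXES and ext in MAIL_FILE_EXTS:
        notes.append("browser process accessed a mail data file")
    if event.user.strip().upper() == "N/A":
        # No user context recorded: check which session the browser ran in.
        notes.append("user context missing")
    if any("attributes" in a for a in event.actions):
        # The signature text talks about reading; an attribute change is more.
        notes.append("attribute change requested, not only a read")
    return notes


# Constructed sample events in the post's format (not real log data).
SAMPLE_EVENTS = [
    "C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE running with the privileges "
    "of user: N/A on the system with Agent whatever attempted to open file/directory "
    "D:\\documents and settings\\user name\\Local Settings\\Application Data\\"
    "Microsoft\\Outlook\\outlook.ost in order to:\n- change read-only/hidden attributes",
    "C:\\WINDOWS\\EXPLORER.EXE running with the privileges of user: DOMAIN\\alice "
    "on the system with Agent host01 attempted to open file/directory "
    "D:\\documents and settings\\alice\\Local Settings\\Application Data\\"
    "Microsoft\\Outlook\\outlook.ost in order to:\n- read",
    "C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE running with the privileges "
    "of user: DOMAIN\\alice on the system with Agent host01 attempted to open "
    "file/directory C:\\temp\\page.html in order to:\n- read",
]


def triage_all(blocks: List[str]) -> List[List[str]]:
    """Parse and triage every block; unparseable blocks get a single note."""
    results = []
    for block in blocks:
        ev = parse_event(block)
        results.append(triage(ev) if ev else ["unparseable event"])
    return results


if __name__ == "__main__":
    for block, notes in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(block.splitlines()[0][:60], "->", notes or ["no finding"])
```

Run it over exported event text: only the first constructed event (IE touching outlook.ost with no user context and an attribute change) produces notes, while Explorer reading the same file and IE opening an HTML file produce none, which is the distinction the signature description draws between legitimate file browsing and browser access to mail data.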