We are getting ready to Block on the VSE rule "Anti-spyware Maximum Protection: Prevent execution of scripts from the Temp folder". I am now only Reporting on this rule and see numerous c:\Windows\Temp\mfe*.tmp files as the Threat Target Path in the Event query. What is producing these files and what will happen when I set the Prevent execution of scripts from the Temp folder rule to Block?
Is there a little more data you can share about these mfe*.tmp files?
Can you open them in a text editor and determine what they are?
Does the file size vary or is it the same size consistently?
Is there a pattern to the file creation date? e.g. every hour, which might map up against your policy enforcement interval
They must delete at some point after they are run because the files are no longer there. I did notice the time of the file coincided with the scheduled time for our daily DAT update.
I wouldn't be concerned then with temp files/folders that disappear on their own.
The update process does make use of temporary folders in order to create the new DAT files and copy them into place.