0 Replies Latest reply: Mar 26, 2014 8:45 AM by wallace1819

    file:///<SYSTEM>

    wallace1819

      Howdy,

       

      We are in the process of implementing the Access Protection rules in HIPS. As we work through adding exclusions for our environment, I see a number of alerts where the source is <SYSTEM> and file:///<SYSTEM>.

       

      Threat Source User Name: NT AUTHORITY\SYSTEM
      Threat Source Process Name: <SYSTEM>
      Threat Source URL: file:///<SYSTEM>

       

       

      The most common rules triggering are:

       

      Access Protection - Prevent modification of McAfee files and settings

      Access Protection - Prevent programs registering to autorun

      Access Protection - Protect network settings

       

       

      After looking into the alerts, they appear to be legitimate setting changes that we need to exclude.

       

      What causes this vague source description?

       

      I understand "NT AUTHORITY\SYSTEM", but I'm a little reluctant to create exclusions based on <SYSTEM> and/or file:///<SYSTEM> without understanding what this means.

       

      The systems involved are using the following:

      Agent: 4.8.0.1500

      VirusScan Enterprise: 8.8.0.1247

      Host Intrusion Prevention: 8.0.0.2919

      SiteAdvisor Enterprise Plus: 3.5.0.1121


       

      Thanks,

      Jason