We are in the process of implementing the Access Protection rules in HIPS. As we work through adding exclusions for our environment, I see a number of alerts where the source is <SYSTEM> and file:///<SYSTEM>.
Threat Source User Name:
Threat Source Process Name: <SYSTEM>
Threat Source URL: file:///<SYSTEM>
The most common rules triggering are:
Access Protection - Prevent modification of McAfee files and settings
Access Protection - Prevent programs registering to autorun
Access Protection - Protect network settings
After looking into the alerts, they appear to be legitimate setting changes that we need to exclude.
What causes this vague source description?
I understand "NT AUTHORITY\SYSTEM", but I'm a little reluctant to create exclusions based on <SYSTEM> and/or file:///<SYSTEM> without understanding what this means.
The systems involved are using the following:
Host Intrusion Prevention:
SiteAdvisor Enterprise Plus: