3 Replies Latest reply on Aug 7, 2015 1:26 PM by wwarren

    User-defined rule being triggered weeks after it was created

    zulu_baba

      Hello,


      I will try to explain the issue in basic terms so there is no confusion.


      User: Zorro logs on multiple systems and the user profiles are saved at %SYSTEMROOT%\CSC folder

      7/1/15 - User-defined rule was put in place to block crypto_notes.txt (example) and the system did get the policy (verified)

      7/5/15 - User logged on system 1234 the last time (verified) - The system was NOT shut down

      7/30/15 - We get an Access Protection Rule violation alert coming from %SYSTEMROOT%\CSC\USERS\Zorro\*\*\crypto_notes.txt


      My confusion is:

      The user has not logged on in over 3 weeks; how can we get an access protection alert now?

      We have had On-demand scan running on this system twice daily for all local drives also. ODS did not pick up the user defined rule.


      Can someone assist in solving this mystery? Thank you in advance.


      VSE 8.8

      5700

      Patch 4

      DAT 7884

        • 1. Re: User-defined rule being triggered weeks after it was created
          wwarren

          A user doesn't have to log on for their credentials to be used. An intelligent piece of malware can obtain someone's credentials and then use them at its leisure.


          • Access Protection is going to generate an event when it sees the violation occurring, so you can infer that this User logged in (or something with their credentials did).
          • The other scenario that comes to mind is if an event was generated long ago (when the User had been logged in) but the event was not uploaded until recently (an agent-to-server communication problem). The date/timestamp on the event itself would tell you if it's recent, or if it's old and only now made its way to the server.


          You should not expect ODS running twice daily to know about User defined AP rules. They are completely separate features.

          Maybe you were expecting the ODS to find this crypto_notes.txt file? That warrants a lot of follow-up questions best left between you and a support person, if it's something you'd like to work through.

          • 2. Re: User-defined rule being triggered weeks after it was created
            zulu_baba

            Thank you wwarren for your explanation.


            Here is what I have determined so far:


            • The blocked rule was put under Access Protection rule and not under PUP
            • Upon researching further I learned that ODS does not pick up any Access Protection rules; ODS only picks up malware for which McAfee has signatures, and any PUPs - Same goes for OAS


            With that being said.....

            What is being triggered on the machine that is causing an alert after 3 weeks: a potential malware that McAfee does not have a signature for.

            • 3. Re: User-defined rule being triggered weeks after it was created
              wwarren
              What is being triggered on the machine that is causing an alert after 3 weeks: a potential malware that McAfee does not have a signature for

              Yes, that's a possibility.

              You should look at the timestamp of the event, i.e. when was the event created (rather than when was the event received).


              That will tell you if you're looking more at a potential threat using someone's credentials, or if it's an old event that finally reached you.
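The triage wwarren describes (compare when the event was generated with when the server received it, then check the generation time against the rule creation date and the user's last logon) can be scripted. This is an added example, not code from the thread or from McAfee; the event field names, the sample events and the 24-hour upload tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample Access Protection events (not real ePO output). "generated" is
# the timestamp on the event itself; "received" is when the server got it. Both field
# names are assumptions for this example.
SAMPLE_EVENTS = [
    {"rule": "Block crypto_notes.txt",
     "path": r"C:\Windows\CSC\Users\Zorro\offline\docs\crypto_notes.txt",
     "generated": "2015-07-04 09:12:00", "received": "2015-07-30 10:05:00"},
    {"rule": "Block crypto_notes.txt",
     "path": r"C:\Windows\CSC\Users\Zorro\offline\docs\crypto_notes.txt",
     "generated": "2015-07-30 10:01:00", "received": "2015-07-30 10:05:00"},
]

# Dates from the thread: rule deployed 7/1/15, last interactive logon 7/5/15.
RULE_CREATED = datetime(2015, 7, 1)
LAST_LOGON = datetime(2015, 7, 5, 23, 59, 59)
# Assumed tolerance for normal agent-to-server delay; anything beyond it is a late upload.
UPLOAD_SLACK = timedelta(hours=24)

FMT = "%Y-%m-%d %H:%M:%S"

def classify(event, rule_created=RULE_CREATED, last_logon=LAST_LOGON, slack=UPLOAD_SLACK):
    """Return one of four verdicts for an AP event, checked in priority order."""
    gen = datetime.strptime(event["generated"], FMT)
    rcv = datetime.strptime(event["received"], FMT)
    if gen < rule_created:
        # Event predates the rule: suspect clock skew or a mislabeled event.
        return "inconsistent"
    if rcv - gen > slack:
        # Old event that only now made its way to the server.
        return "delayed_upload"
    if gen > last_logon:
        # Fresh event with no interactive logon: something used the account.
        return "recent_no_logon"
    return "recent_in_session"

def triage(events, **kw):
    """Classify every event; returns (path, verdict) pairs for a report."""
    return [(e["path"], classify(e, **kw)) for e in events]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:18} {path}")
```

Only "recent_no_logon" events call for the credential-misuse investigation in the thread; "delayed_upload" points at the agent-to-server communication problem instead.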