09-08-2009 06:37 AM - edited 03-10-2019 04:45 AM
To start off, I have roughly 1300 hosts running CSA 5.2. Recently I have started to see a lot of the following events.
The process 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.MSO\5FFD11C6.com'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
If I look at the alert details I see the following.
wwlib!_GetAllocCounters@0+0x11ed14
wwlib!_GetAllocCounters@0+0x11e368
wwlib!FMain+0x119f9f
wwlib!DllGetClassObject+0x1ee058
wwlib!_GetAllocCounters@0+0x11e2ea
wwlib!FMain+0x1bd33a
wwlib!FMain+0x1bd2b1
mso!_MsoDwWhichMessengerRunningEx@0+0x2012e
mso!_MsoHpalSelect@8+0x624b0
mso!_MsoDwWhichMessengerRunningEx@0+0x3eca
mso!_MsoDwWhichMessengerRunningEx@0+0x3f93
mso!_MsoGetTextExtentExPointW@28+0x4bab
mso!_MsoGetTextExtentExPointW@28+0x4cda
mso!_MsoDwWhichMessengerRunningEx@0+0xd8ff
mso!_MsoCpCchSzLenFromWz@8+0x2edd
mso!_MsoSendMessage@16+0x37e8
mso!_MsoSendMessage@16+0x3906
mso!_MsoSendMessage@16+0x456e
mso!_MsoCompareStringW@24+0x148d
csauser+0x77b6
kernel32!CreateFileW+0x1b6
ntdll!ZwCreateFile+0xc
ntdll!KiFastSystemCallRet
Is there a way to tell from the above details if this is malicious or if something (possibly Outlook) changed which is causing this sudden spike in events?
TIA
09-08-2009 11:35 AM
When opening the message, CSA queries the user with something similar to:
"Warning - The process C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE is attempting to modify a potentially dangerous file C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.MSO\E6E9956.com"
CSA asks the question for every embedded object and if they click 'yes', they can see the pictures. If they click no, the pictures will not display and all they see is the text.
It has to do with the way Outlook handles these objects and what CSA sees Outlook doing.
The only current workaround to prevent these queries is to configure Outlook email security settings to read all email in plain text (or make an exception in CSA).
There are security risks reading email in HTML mode with embedded objects that come from external sources.
The objects can reside on external servers or contain links and scripts that may not be desirable.
Microsoft changed the way Outlook 2007 renders HTML by using Word instead of the browser.
This provides enhanced security but CSA still sees it as suspicious because of the way it processes the objects.
I had a bunch of these when we migrated to Outlook 2007. I created an exception for that file pattern.
Tom
09-15-2009 12:05 PM
So I've been trying to repeat the above activity to see if it would generate similar alerts. If I open the email which was triggering the alerts originally, it still triggers the same alert. However, if I compose an email and embed multiple images, CSA does not trigger any alerts while opening the email.
Should this alert on all images/objects? Certain file extensions? Any more information on this would be great.
Thanks
09-15-2009 03:08 PM
It doesn't do it on all messages for us, just certain ones from outside our organization.
It was an html message with embedded pictures and tables.
Tom
09-18-2009 11:51 AM
I did some more digging and these are actually .gif files.
Try renaming one of them from .com to .gif and it should open in Windows Picture and Fax viewer.
Tom
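The check Tom describes (rename the .com file and see whether it is really a picture) can be done without renaming anything by looking at the file's leading bytes, which is also the fastest way to separate the rendering artefacts in this thread from a file that actually deserves attention. The script below is an added example and is not code from the thread or from Cisco: it parses CSA file-access events in the format quoted above, looks up the target file in a directory that stands in for the user's Content.MSO folder (a temporary directory with constructed sample files, since the real ones are not available here), and classifies each file by its magic bytes rather than its extension. The sample events and the GIF and MZ stub bytes are constructed for the demo.

```python
import os
import re
import tempfile

# Byte signatures we care about when looking at what Outlook/Word actually
# wrote under Content.MSO. Images are what the thread ended up finding; an
# MZ header would mean a real DOS/Windows executable hiding behind .com.
MAGIC = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),
)
IMAGE_TYPES = {"gif", "png", "jpeg"}

# Matches the CSA 5.x file-access event text quoted in the thread.
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"attempted to access '(?P<target>[^']+)'\. "
    r"The attempted access was a (?P<access>\w+) \(operation = (?P<op>[^)]+)\)\. "
    r"The operation was (?P<result>\w+)\."
)


def parse_csa_event(line):
    """Return the fields of one CSA file-access event, or None if it does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def sniff(path):
    """Identify a file by its leading bytes, ignoring the extension entirely."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"


def triage(path):
    """Classify one Content.MSO file the way a responder would: content vs. name."""
    ext = os.path.splitext(path)[1].lower()
    kind = sniff(path)
    if kind in IMAGE_TYPES:
        # An image stored under a .com name is the benign rendering behaviour
        # described in the thread, not an executable.
        return "image:%s (extension %s is cosmetic)" % (kind, ext or "none")
    if kind == "pe":
        # An MZ header means a DOS/Windows executable, whatever it is called.
        return "executable:pe under extension %s" % (ext or "none")
    # No header at all is inconclusive: classic 16-bit .com files carry no
    # magic, so an unknown blob still deserves a hash lookup and a look inside.
    return "unknown: inspect manually"


def triage_events(lines, content_dir):
    """Map each event's target file name to a verdict, using the files in content_dir.

    content_dir stands in for the user's Content.MSO folder (assumption) so the
    check runs offline; on a real host you would point it at that folder.
    """
    verdicts = {}
    for line in lines:
        ev = parse_csa_event(line)
        if ev is None:
            continue
        name = ev["target"].replace("\\", "/").rsplit("/", 1)[-1]
        local = os.path.join(content_dir, name)
        if os.path.exists(local):
            verdicts[name] = triage(local)
        else:
            verdicts[name] = "missing: file already cleaned up"
    return verdicts


# Constructed sample events in the format quoted in the thread; not real log data.
SAMPLE_EVENTS = [
    "The process 'C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE' (as user xxxx) "
    "attempted to access 'C:\\Documents and Settings\\xxxx\\Local Settings\\"
    "Temporary Internet Files\\Content.MSO\\5FFD11C6.com'. The attempted access was a write "
    "(operation = OPEN/CREATE). The operation was denied.",
    "The process 'C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE' (as user xxxx) "
    "attempted to access 'C:\\Documents and Settings\\xxxx\\Local Settings\\"
    "Temporary Internet Files\\Content.MSO\\E6E9956.com'. The attempted access was a write "
    "(operation = OPEN/CREATE). The operation was denied.",
]


def demo():
    """Build a stand-in Content.MSO directory and triage the sample events against it."""
    tmp = tempfile.mkdtemp()
    # A minimal GIF header under a .com name, as Tom found on his hosts.
    with open(os.path.join(tmp, "5FFD11C6.com"), "wb") as fh:
        fh.write(b"GIF89a\x01\x00\x01\x00\x80\x00\x00")
    # A fabricated MZ stub: what a genuinely suspicious .com would start with.
    with open(os.path.join(tmp, "E6E9956.com"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 12)
    return triage_events(SAMPLE_EVENTS, tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The verdict strings are deliberately conservative: a recognised image under a .com name is the Outlook 2007/Word rendering behaviour discussed above, an MZ header is worth escalating regardless of name, and anything without a recognisable header is left for manual inspection rather than being called clean.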