12-09-2004 02:00 PM - edited 03-09-2019 09:43 AM
OK, my client is using Patchlink to roll out patches. The patches seem to be downloaded to C:\windows\temp\XXXXX.XXX
The trojan detection rule kicks off the following every time:
The program 'C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate'
This happens at night so users choosing yes is not an option. I have created every kind of application class rule I can think of and even used the wizard to put the exact file name and path into the application set to be excluded. No luck at all and I still get the same message every time. It seems to be ignoring the exclusion completely.
Any ideas?
12-10-2004 02:13 PM
Hi,
FYI,
If you see a message similar to this:
The program 'C:\Program Files\CA\Common\ScanEngine\Incoming\iv_nt86.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate (as default)'
and you want to exclude the application that did the downloading from the Trojan Detection Rule, there are some steps you must do.
The exclusion in the Trojan Detection rule is for the application that actually did the downloading - NOT the actual downloaded file. The message says that iv_nt86.exe was recently downloaded. Therefore, the file that was downloaded is iv_nt86.exe. We do not know what actually did the downloading in this instance, most likely because the process was terminated before we could find out.
To find out which application did the downloading, set up a File Monitor Rule where the application class is "all applications" that attempt to "read and write" the file "iv_nt86.exe" (no quotes around these values). Then, once this file is accessed, you will see in the event log which application is doing the downloading of the file. Then exclude that application that downloaded iv_nt86.exe in the Trojan Detection Rule.
Thanks
Nadeem
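The point of the reply above is that the exclusion has to name the process that wrote the file, not the file that was written. The following is an added example, not code from the thread or from the product being discussed: it runs the same "who wrote this file?" lookup over a few constructed file-monitor records (loosely modelled on Sysmon Event ID 11 FileCreate lines, since the original File Monitor Rule output is not shown) and checks whether a given exclusion would ever match. The gravitx.exe and PatchLink paths, patch2.exe, explorer.exe and svchost.exe records are assumptions for the example; only the IE6 patch filename comes from the thread.

```python
"""Identify the writer process of a flagged downloaded file from file-monitor events.

Added example (not the product's own output): records are constructed, one per
line, in a Sysmon Event ID 11 style: "Image" is the process that created the
file, "TargetFilename" is the file it created.
"""
import re
from collections import Counter

# Constructed sample records. The IE6 patch filename is the one from the thread;
# every other path (gravitx.exe location, patch2.exe, explorer/svchost) is assumed.
SAMPLE_EVENTS = r"""
Image: C:\Program Files\PatchLink\gravitx.exe TargetFilename: C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe
Image: C:\WINDOWS\explorer.exe TargetFilename: C:\Documents and Settings\user\Desktop\notes.txt
Image: C:\Program Files\PatchLink\gravitx.exe TargetFilename: C:\WINDOWS\Temp\patch2.exe
Image: C:\WINDOWS\system32\svchost.exe TargetFilename: C:\WINDOWS\Temp\patch2.exe
"""

# Lazy match on Image so a path containing spaces stops at the TargetFilename key.
EVENT_RE = re.compile(r"^Image:\s*(?P<image>.+?)\s+TargetFilename:\s*(?P<target>.+?)\s*$")


def parse_events(text):
    """Yield (image, target) pairs; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("image"), m.group("target")


def writers_of(text, target):
    """Count, per process image, how often it wrote `target`.

    Windows paths are case-insensitive, so compare lower-cased.
    """
    want = target.lower()
    return Counter(img for img, tgt in parse_events(text) if tgt.lower() == want)


def exclusion_candidates(text, downloaded_file):
    """Return the sorted list of process images that wrote `downloaded_file`.

    Each entry is a candidate for the Trojan Detection exclusion. More than one
    entry means several processes touched the file; investigate before excluding.
    An empty list means the writer was not captured (e.g. it was terminated first).
    """
    return sorted(writers_of(text, downloaded_file))


def rule_would_match(excluded_app, text, downloaded_file):
    """True if an exclusion naming `excluded_app` names a process that wrote the file.

    Naming the downloaded file itself never matches: the file is the target of
    the write, not the process doing it, so such a rule is a no-op.
    """
    return excluded_app.lower() in {img.lower() for img in writers_of(text, downloaded_file)}


if __name__ == "__main__":
    flagged = r"C:\WINDOWS\Temp\IE6.0sp1-KB889293-Windows-2000-XP-x86-ENU.exe"
    print("writers:", exclusion_candidates(SAMPLE_EVENTS, flagged))
    print("rule on the file itself matches:", rule_would_match(flagged, SAMPLE_EVENTS, flagged))
    print("rule on the downloader matches:",
          rule_would_match(r"C:\Program Files\PatchLink\gravitx.exe", SAMPLE_EVENTS, flagged))
```

Run against real File Monitor Rule or Sysmon output you would replace SAMPLE_EVENTS with the exported lines and adjust EVENT_RE to the export format; the lookup logic itself does not change. The second patch2.exe record shows the case the reply's advice leaves implicit: when two processes write the same file, the rule should not blindly exclude both.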
12-10-2004 04:44 PM
Thanks, I had got it. I thought that I had already gotten the culprit downloader (gravitx.exe) in that rule but I got app classes confused.
What was weird to me is the fact that the event wizard was able to generate a completely useless rule. Kinda threw me off.