CSA Content.MSO .com Alerts Suddenly Loud

Unanswered Question
Sep 8th, 2009

To start off, I have roughly 1300 hosts running CSA 5.2. Recently I have start to see a lot of the following events.

The process 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.MSO\5FFD11C6.com'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.

If I look at the alert details I see the following.

[email protected]+0x11ed14

[email protected]+0x11e368



[email protected]+0x11e2ea



[email protected]+0x2012e

[email protected]+0x624b0

[email protected]+0x3eca

[email protected]+0x3f93

[email protected]+0x4bab

[email protected]+0x4cda

[email protected]+0xd8ff

[email protected]+0x2edd

[email protected]+0x37e8

[email protected]+0x3906

[email protected]+0x456e

[email protected]+0x148d





Is there a way to tell from the above details if this is malicious or if something (possibly Outlook) changed which is causing these sudden spike in events?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tsteger1 Tue, 09/08/2009 - 11:35

When opening the message, CSA queries the user with something similar to:

"Warning - The process C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE is attempting to modify a potentially dangerous file"" C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.MSO\E6E9956.com"

CSA asks the question for every embedded object and if they click' yes', they can see the pictures. If they click no, the pictures will not display and all they see is the text.

It has to do with the way Outlook handles these objects and what CSA sees Outlook doing.

The only current workaround to prevent these queries is to configure Outlook email security settings to read all email in plain text (or make an exception in CSA).

There are security risks reading email in HTML mode with embedded objects that come from external sources.

The objects can reside on external servers or contain links and scripts that may not be desirable.

Microsoft changed the way Outlook 2007 renders HTML by using Word instead the browser.

This provides enhanced security but CSA still sees it as suspicious because of the way it processes the objects.

I had a bunch of these when we migrated to Outlook 2007. I created an exception for that file pattern.


Solutionary Tue, 09/15/2009 - 12:05

So I've been trying to repeat the above activity to see if it would generate similar alerts. If I open the email which was triggering the alerts originally, it still triggers the same alert. However, if I compose an email and embed multiple images, CSA does not trigger any alerts while opening the email.

Should this alert on all images/objects? certain file extensions? Any more information on this would be great.


tsteger1 Tue, 09/15/2009 - 15:08

It doesn't do it on all messages for us, just certain ones from outside our organization.

It was an html message with embedded pictures and tables.


tsteger1 Fri, 09/18/2009 - 11:51

I did some more digging and these are actually .gif files.

Try renaming one of them from .com to .gif and it should open in Windows Picture and Fax viewer.



This Discussion