CSA Content.MSO .com Alerts Suddenly Loud

Solutionary · ‎09-08-2009

To start off, I have roughly 1300 hosts running CSA 5.2. Recently I have start to see a lot of the following events.

The process 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.MSO\5FFD11C6.com'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.

If I look at the alert details I see the following.

wwlib!_GetAllocCounters@0+0x11ed14

wwlib!_GetAllocCounters@0+0x11e368

wwlib!FMain+0x119f9f

wwlib!DllGetClassObject+0x1ee058

wwlib!_GetAllocCounters@0+0x11e2ea

wwlib!FMain+0x1bd33a

wwlib!FMain+0x1bd2b1

mso!_MsoDwWhichMessengerRunningEx@0+0x2012e

mso!_MsoHpalSelect@8+0x624b0

mso!_MsoDwWhichMessengerRunningEx@0+0x3eca

mso!_MsoDwWhichMessengerRunningEx@0+0x3f93

mso!_MsoGetTextExtentExPointW@28+0x4bab

mso!_MsoGetTextExtentExPointW@28+0x4cda

mso!_MsoDwWhichMessengerRunningEx@0+0xd8ff

mso!_MsoCpCchSzLenFromWz@8+0x2edd

mso!_MsoSendMessage@16+0x37e8

mso!_MsoSendMessage@16+0x3906

mso!_MsoSendMessage@16+0x456e

mso!_MsoCompareStringW@24+0x148d

csauser+0x77b6

kernel32!CreateFileW+0x1b6

ntdll!ZwCreateFile+0xc

ntdll!KiFastSystemCallRet

Is there a way to tell from the above details if this is malicious or if something (possibly Outlook) changed which is causing these sudden spike in events?

TIA

tsteger1 · ‎09-08-2009

When opening the message, CSA queries the user with something similar to:

"Warning - The process C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE is attempting to modify a potentially dangerous file"" C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.MSO\E6E9956.com"

CSA asks the question for every embedded object and if they click' yes', they can see the pictures. If they click no, the pictures will not display and all they see is the text.

It has to do with the way Outlook handles these objects and what CSA sees Outlook doing.

The only current workaround to prevent these queries is to configure Outlook email security settings to read all email in plain text (or make an exception in CSA).

There are security risks reading email in HTML mode with embedded objects that come from external sources.

The objects can reside on external servers or contain links and scripts that may not be desirable.

Microsoft changed the way Outlook 2007 renders HTML by using Word instead the browser.

This provides enhanced security but CSA still sees it as suspicious because of the way it processes the objects.

I had a bunch of these when we migrated to Outlook 2007. I created an exception for that file pattern.

Tom

Solutionary · ‎09-15-2009

So I've been trying to repeat the above activity to see if it would generate similar alerts. If I open the email which was triggering the alerts originally, it still triggers the same alert. However, if I compose an email and embed multiple images, CSA does not trigger any alerts while opening the email.

Should this alert on all images/objects? certain file extensions? Any more information on this would be great.

Thanks

tsteger1 · ‎09-15-2009

It doesn't do it on all messages for us, just certain ones from outside our organization.

It was an html message with embedded pictures and tables.

Tom

tsteger1 · ‎09-18-2009

I did some more digging and these are actually .gif files.

Try renaming one of them from .com to .gif and it should open in Windows Picture and Fax viewer.

Tom