To start off, I have roughly 1300 hosts running CSA 5.2. Recently I have started to see a lot of the following events.
The process 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.MSO\5FFD11C6.com'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.
If I look at the alert details I see the following.
Is there a way to tell from the above details if this is malicious or if something (possibly Outlook) changed which is causing this sudden spike in events?
When opening the message, CSA queries the user with something similar to:
"Warning - The process C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE is attempting to modify a potentially dangerous file" "C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.MSO\E6E9956.com"
CSA asks the question for every embedded object and if they click 'yes', they can see the pictures. If they click no, the pictures will not display and all they see is the text.
It has to do with the way Outlook handles these objects and what CSA sees Outlook doing.
The only current workaround to prevent these queries is to configure Outlook email security settings to read all email in plain text (or make an exception in CSA).
There are security risks reading email in HTML mode with embedded objects that come from external sources.
The objects can reside on external servers or contain links and scripts that may not be desirable.
Microsoft changed the way Outlook 2007 renders HTML by using Word instead of the browser.
This provides enhanced security but CSA still sees it as suspicious because of the way it processes the objects.
I had a bunch of these when we migrated to Outlook 2007. I created an exception for that file pattern.
So I've been trying to repeat the above activity to see if it would generate similar alerts. If I open the email which was triggering the alerts originally, it still triggers the same alert. However, if I compose an email and embed multiple images, CSA does not trigger any alerts while opening the email.
Should this alert on all images/objects? Certain file extensions? Any more information on this would be great.
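One way to check whether a spike like this is a single Outlook pattern or a mix of sources is to group the event text by process, target directory and file extension, and list whatever falls outside the expected pattern. This is an added example, not part of the original posts or of any Cisco tooling; the sample lines are constructed from the event format quoted in the thread, and the function names and the one-event-per-line input are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Field layout taken from the event text quoted in the thread.
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"attempted to access '(?P<target>[^']+)'\. "
    r"The attempted access was an? (?P<access>\w+) "
    r"\(operation = (?P<operation>[^)]+)\)\. "
    r"The operation was (?P<action>\w+)\."
)

# Constructed sample: the first line mirrors the thread's event, the rest are invented.
SAMPLE_EVENTS = [
    r"The process 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.MSO\5FFD11C6.com'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.",
    r"The process 'C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.MSO\E6E9956.com'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.",
    r"The process 'C:\Program Files\Internet Explorer\iexplore.exe' (as user xxxx) attempted to access 'C:\Documents and Settings\xxxx\Local Settings\Temp\setup.exe'. The attempted access was a write (operation = OPEN/CREATE). The operation was denied.",
    "Agent heartbeat received.",
]

def parse_event(line):
    """Return the event's fields plus a normalized grouping key, or None if no match."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    target = PureWindowsPath(ev["target"])
    ev["key"] = (PureWindowsPath(ev["process"]).name.lower(),
                 target.parent.name.lower(), target.suffix.lower())
    return ev

def triage(lines, expected=("outlook.exe", "content.mso", ".com")):
    """Count events per (process, directory, extension); collect those outside `expected`."""
    counts, outliers, unparsed = Counter(), [], 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1          # keep a count so format drift is visible
            continue
        counts[ev["key"]] += 1
        if ev["key"] != expected:
            outliers.append(ev)    # these need individual review
    return counts, outliers, unparsed

if __name__ == "__main__":
    counts, outliers, unparsed = triage(SAMPLE_EVENTS)
    for key, n in counts.most_common():
        print(n, *key)
    print("outside expected pattern:", [(e["process"], e["target"]) for e in outliers])
    print("unparsed lines:", unparsed)
```

If nearly every event lands in the one Outlook/Content.MSO bucket, the spike matches the rendering behaviour described in the replies; anything in the outlier list is not covered by that explanation or by a file-pattern exception.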