
Hello,

I have created a dummy file with the extension ".dat" on my Desktop (Windows 8). After some time it was detected as an alert with the status "Blocked by Access Protection rule" in my ArcSight console. When I observed the file path, it was shown as c://windows/explorer.exe with the file name "C:\TEMP\test.dat\". For the same file, one more alert was shown under the process "C:\WINDOWS\SYSTEM32\DLLHOST.EXE". Can I have any suggestion as to why the file path is showing as a temp file instead of the desktop?

I got to know that the Access Protection rule was written in such a way that it should block any file which ends with .dat. I was clear up to that part, but I am unable to understand how the detection process happens.

Thanks for the help in advance!

  • Root Admin

Hello and welcome.

Not sure what it is you're actually doing, or what your concern is. Setting a file with a setting like that is very much like those created by threats. They're not normal for a user to do, so if it's being triggered, that's why. As for exactly how the rules work, I'm sorry but that is not public information.

Is there anything else that I can assist you with?

Thank you

 

This topic is now closed to further replies.