Client Security has detected and successfully responded to the following threat

  • Question

  • Would it be possible, when I receive these alerts, to tell me where it found the issue? For example:

    Wouldn't it be possible to tell me which website the user was on so I can investigate or block the site? I get a lot of these but I have no way to determine where they are coming from, and if I ask the users they give me a blank stare...

    Thanks

    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:JS/Agent.FA&threatid=2147594441
    Scan ID: {CE935634-3D8E-43F4-A210-1F30B58C58F4}
    Agent: On Access
    User: DOMAIN\SJuber
    Name: Trojan:JS/Agent.FA
    ID: 2147594441
    Severity: High
    Category: Trojan
    Path Found: file:C:\Temporary Internet Files\Content.IE5\XF55GZYS\popup[1].htm
    Alert Type:
    Process Name: C:\Program Files\Internet Explorer\iexplore.exe
    Detection Type: Concrete
    Status: Suspend

    Monday, August 24, 2009 5:21 PM

Answers

  • Hi Sysgen

    This is a great topic that you highlight. I don't believe the URL is logged by FCS but would be a great addition. You may get some help by viewing the client's other pages/files in the Path Found: for clues to what the offending pages might be, in most cases they are software pirating sites I have found.

    C:\Temporary Internet Files\Content.IE5\XF55GZYS\

    Good Luck
    Mark Norman, Praxa
    Tuesday, August 25, 2009 1:21 PM
  • Hi,

    Thank you for your post.

    As far as I know, currently FCS does not have a way to tell you the URL of the site that malware was detected on directly. The FCS client is basically scanning the file system writes of downloaded IE files to the temp folder and when it detects malware in these files (such as a malicious JavaScript) the real-time protection will alert that it found a certain threat in file *.js in the IE temp folder.

    Regards,

    Nick Gu - MSFT
    Wednesday, August 26, 2009 5:25 AM
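
The triage suggested in the answers above, as an added example that is not part of the thread or any Microsoft tooling: it parses the alert's fields, takes the flagged file and cache subfolder from Path Found, and tallies the hostnames referenced by the other files in a local copy of that subfolder. The function names, the local-copy workflow and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import Path, PureWindowsPath
from urllib.parse import urlsplit

# Constructed sample: selected field lines from the alert quoted in the question.
SAMPLE_ALERT = r"""Agent: On Access
User: DOMAIN\SJuber
Name: Trojan:JS/Agent.FA
Path Found: file:C:\Temporary Internet Files\Content.IE5\XF55GZYS\popup[1].htm
Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Status: Suspend"""

URL_RE = re.compile(rb"""https?://[^\s"'<>)]+""", re.I)

def parse_alert(text):
    """Return the alert's 'Field: value' lines as a dict (split on the first ': ')."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields

def flagged_file(fields):
    """Windows path of the detected file, without the leading 'file:' marker."""
    raw = fields["Path Found"]
    return PureWindowsPath(raw[5:] if raw.lower().startswith("file:") else raw)

def host_leads(folder, skip_name=None):
    """Count hostnames referenced inside the files of a copied cache subfolder."""
    # Leads only: nothing here records which page actually loaded the flagged file.
    hosts = Counter()
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or entry.name == skip_name:
            continue
        for match in URL_RE.findall(entry.read_bytes()[:1_000_000]):  # cap per file
            try:
                host = urlsplit(match.decode("ascii", "replace")).hostname
            except ValueError:  # malformed URL text, e.g. a broken IPv6 literal
                continue
            if host:
                hosts[host] += 1
    return hosts

if __name__ == "__main__":
    target = flagged_file(parse_alert(SAMPLE_ALERT))
    print("flagged:", target.name, "| cache subfolder:", target.parent)
```

Calling `host_leads(<local copy of the subfolder>, target.name).most_common(10)` gives a short list of sites to review with the user or against proxy logs.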

All replies

  • Yes indeed, but as you've probably seen before, browsing in the temporary internet files folder is not an easy task. After receiving an alert I tried looking into the folder but I cannot determine which website triggered the alert.

    Tuesday, August 25, 2009 8:38 PM
  • Is it something that could be added in this version or in a future version? It would really help to prevent future infection and it would be nice to be able to block those infected websites.

    Thanks
    Stephane
    Wednesday, August 26, 2009 1:30 PM
  • Hi Stephane,

    Thank you for your advice.

    I will send this information back to our product team. If anything is unclear, please feel free to contact us.

    Regards,

    Nick Gu - MSFT
    Friday, August 28, 2009 8:36 AM