Hi guys. In SEPM for SEP 14 I am looking at a computer that had a detection that went to quarantine. Routine stuff. Yet of course attacks are less than routine these days.
But anyway, when I go to Monitors in SEPM, do a Risk search for the past 24 hours, I see this one computer and its one detected file placed in quarantine. Along the top, the column headers, it shows things like the Action option, the file path of the detection, etc. But what is "User Allowed"? It says No here. The SEPM help contents screen doesn't have very good search it seems, as "user allowed" just brings up a million unrelated results. I was about to go Boolean when I realized, humans are smarter, so here I am posting.
Also while I'm at it, I'm curious. The detection seems to be the result of a Word document by email. User clicked the doc... "nothing happened", but the doc never opened. My guess would be this was a VB script that called out to a server somewhere, downloaded the actual malware, and who knows from there. But, the detection found the file in the recycle bin. Let's assume the user did not place it there. Have you guys seen virus attacks whereby the dropper or Word doc with macro/vb whatever, that wasn't the malware itself but called in the malware from the net, try to delete itself and only make it to the Recycle Bin?
If I'm making any sense, please answer. But as I write this, I feel I need a coffee to wake up.