Endpoint Protection

  • 1.  Any ideas? What was happening here?

    Posted May 05, 2009 12:49 PM
    I'll do some digging myself, but perhaps someone already has an idea and can save me some precious time...
    What was attempting to happen here that my SEP rule to block certain activity happened to block?
    Was this LEGIT, or something happening that should have been blocked anyway?
    Here are the THREE log entries most fascinating to me -
    What is "move networks"
    and what is "move mediaplayer" ?

    It APPEARS something was attempting to install?


    #1:
    Event type: Application Control Rules
    Event time: 05/05/2009 11:35:14
    Severity: Critical
    Begin time: 05/05/2009 11:34:17
    End time: 05/05/2009 11:34:17
    Rule name: Load DLL Attempts_Load_Dll
    Alert: Yes
    Send SNMP trap: 0
    Caller Process ID: 3104
    Caller Process Name: C:/Program Files/Internet Explorer/iexplore.exe
    Target: C:/Documents and Settings/Valerie.Rice/Application Data/Move Networks/ie_bin/qsp2ie071303000004.dll
    User name: Valerie.Rice
    Description: Block loading of DLL files from application data folders.

    #2:
    Event type: Application Control Rules
    Event time: 05/05/2009 11:37:15
    Severity: Critical
    Begin time: 05/05/2009 11:36:18
    End time: 05/05/2009 11:36:18
    Rule name: File and Folder Access Attempts_File_Write
    Alert: Yes
    Send SNMP trap: 0
    Caller Process ID: 4040
    Caller Process Name: C:/Documents and Settings/Valerie.Rice/Local Settings/Temporary Internet Files/Content.IE5/X3P429CZ/MoveMediaPlayer_071303000004[1].exe
    Target: C:/Documents and Settings/Valerie.Rice/Application Data/Move Networks/ie_bin/qsp2ie071101000055.dll
    User name: Valerie.Rice
    Description: prevent creation of DLL files in application data folders


    #3:
    Event type: Application Control Rules
    Event time: 05/05/2009 11:37:32
    Severity: Critical
    Begin time: 05/05/2009 11:36:32
    End time: 05/05/2009 11:36:32
    Rule name: Load DLL Attempts_Load_Dll
    Alert: Yes
    Send SNMP trap: 0
    Caller Process ID: 3104
    Caller Process Name: C:/Program Files/Internet Explorer/iexplore.exe
    Target: C:/Documents and Settings/Valerie.Rice/Application Data/Move Networks/ie_bin/qsp2ie071303000004.dll
    User name: Valerie.Rice
    Description: Block loading of DLL files from application data folders.
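
Added example, not code from the original post, from Symantec, or from Move Networks: a small Python parser over the three events quoted above (re-typed here as constructed sample input, trimmed to the fields the parser uses) that classifies each caller and target by where it lives on the disk and groups the blocked write and load attempts by user and target directory. The location classes and the "drop-then-load chain" label are this example's own names, not SEP terminology.

```python
"""Correlate SEP Application Control events into write-then-load chains.

Added example. The sample below is constructed from the three events quoted
in the post, keeping only the fields this parser reads.
"""
import re
from collections import defaultdict
from posixpath import basename, dirname

SAMPLE_LOG = """\
Event type: Application Control Rules
Event time: 05/05/2009 11:35:14
Rule name: Load DLL Attempts_Load_Dll
Caller Process Name: C:/Program Files/Internet Explorer/iexplore.exe
Target: C:/Documents and Settings/Valerie.Rice/Application Data/Move Networks/ie_bin/qsp2ie071303000004.dll
User name: Valerie.Rice

Event type: Application Control Rules
Event time: 05/05/2009 11:37:15
Rule name: File and Folder Access Attempts_File_Write
Caller Process Name: C:/Documents and Settings/Valerie.Rice/Local Settings/Temporary Internet Files/Content.IE5/X3P429CZ/MoveMediaPlayer_071303000004[1].exe
Target: C:/Documents and Settings/Valerie.Rice/Application Data/Move Networks/ie_bin/qsp2ie071101000055.dll
User name: Valerie.Rice

Event type: Application Control Rules
Event time: 05/05/2009 11:37:32
Rule name: Load DLL Attempts_Load_Dll
Caller Process Name: C:/Program Files/Internet Explorer/iexplore.exe
Target: C:/Documents and Settings/Valerie.Rice/Application Data/Move Networks/ie_bin/qsp2ie071303000004.dll
User name: Valerie.Rice
"""

# Windows XP-era profile layout. A non-admin user can write and run code here,
# which is exactly why the rules in the post target these folders.
PROFILE_RE = re.compile(r"^[A-Za-z]:/Documents and Settings/[^/]+/(.*)$", re.I)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:/Program Files/", re.I)


def classify_path(path):
    """Coarse location class for a Windows path (either slash style accepted)."""
    path = path.replace("\\", "/")
    if PROGRAM_FILES_RE.match(path):
        return "program_files"
    m = PROFILE_RE.match(path)
    if not m:
        return "other"
    rest = m.group(1).lower()
    if rest.startswith("local settings/temporary internet files/"):
        return "profile_temp_internet"
    if rest.startswith("local settings/temp/"):
        return "profile_temp"
    if rest.startswith("application data/"):
        return "profile_appdata"
    return "profile_other"


def parse_sep_events(text):
    """Split the 'Key: Value' export into one dict per blank-line-separated event."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; paths contain 'C:'
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def correlate(events):
    """Group write and load events by (user, target directory).

    Keyed on the directory, not the file: the blocked write names
    qsp2ie071101000055.dll while the blocked loads name qsp2ie071303000004.dll,
    yet both sit in the same dropped component tree.
    """
    chains = defaultdict(lambda: {"writes": [], "loads": []})
    for ev in events:
        if ev.get("Event type") != "Application Control Rules":
            continue
        target = ev.get("Target", "").replace("\\", "/")
        caller = ev.get("Caller Process Name", "").replace("\\", "/")
        key = (ev.get("User name", ""), dirname(target).lower())
        entry = {"caller": caller, "caller_location": classify_path(caller),
                 "file": basename(target), "time": ev.get("Event time", "")}
        rule = ev.get("Rule name", "")
        if "File_Write" in rule:
            chains[key]["writes"].append(entry)
        elif "Load_Dll" in rule:
            chains[key]["loads"].append(entry)
    return dict(chains)


def summarize(chains):
    """Flag a directory when something running from the profile wrote into it
    and a process from Program Files tried to load a DLL from it."""
    findings = []
    for (user, directory), c in sorted(chains.items()):
        dropper_writes = [w for w in c["writes"] if w["caller_location"].startswith("profile_")]
        trusted_loads = [l for l in c["loads"] if l["caller_location"] == "program_files"]
        verdict = "drop-then-load chain" if dropper_writes and trusted_loads else "isolated block"
        findings.append({
            "user": user, "directory": directory, "verdict": verdict,
            "droppers": sorted({w["caller"] for w in dropper_writes}),
            "loaders": sorted({l["caller"] for l in trusted_loads}),
            "files": sorted({e["file"] for e in c["writes"] + c["loads"]}),
        })
    return findings


if __name__ == "__main__":
    for f in summarize(correlate(parse_sep_events(SAMPLE_LOG))):
        print(f["verdict"], f["user"], f["directory"], f["files"])
```

Two things the correlation deliberately does not require: an exact filename match (the write and the loads name different DLL versions) and strict ordering (the first blocked load at 11:34 precedes the blocked write at 11:36, so the ie_bin directory already existed before MoveMediaPlayer ran). The point of the grouping is to show, from the SEP entries alone, that the binary which wrote into Application Data was itself running from Temporary Internet Files while iexplore.exe was the process trying to load from the same directory.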


  • 2.  RE: Any ideas? What was happening here?

    Posted May 05, 2009 01:03 PM
    Google says the products are from http://www.movenetworks.com, but again it all depends on where the user got the source from. The user's browsing history against the time will get you there, but it looks like a legitimate application trying to install itself being stopped by the rules you created. But you can submit the files to be sure; they should still be there, shouldn't they?





  • 3.  RE: Any ideas? What was happening here?

    Posted May 05, 2009 02:46 PM
    Looks "safe"; however, it's a violation of the "no software installs allowed" rules here.
    Either the user instigated it to watch a movie or TV show, OR, the web site attempted to push it like so many do today.
    What happened to being able to safely browse the web, not receiving ANY files you didn't ask for, and being able to KNOW that nothing can possibly be installed but what you choose to ALLOW to install by choice?
    Microsoft should block ANY attempts to install anything in any place other than the legit Program Files area - no DLL, no EXE, no nothing other than in permissible folders and by user-specific choice.
    This is an invasion of personal or business property, IMO.
    I'm really glad to see my policy blocks such garbage. We don't allow users to install anything and this helps to ensure that policy.
    There are reasons we don't want computers ending up with stuff we don't know about.


  • 4.  RE: Any ideas? What was happening here?

    Posted May 05, 2009 04:09 PM
    ShadowsPapa,

    We all know what MS should do, but we have to live in reality! You have some good rules in place; I wish I were that strict, as I restrict our "shared participant" computers through a hardware-based web proxy firewall.

    I'm still interested in getting USB drive usage notifications working (in another thread, yes, I'm getting off track, but I'm too lazy to find that thread this morning!). I enabled everything you posted but do not get email notifications (although I get New Risk Found, Single Risk Event and Unmanaged Computer notifications via email just fine). Maybe we can take this offline via email again. I really appreciate your help! :-)


  • 5.  RE: Any ideas? What was happening here?

    Posted May 05, 2009 04:38 PM
    It's the new wave, and you have already discussed it in a different thread.
    It's now that installers are bypassing regular security by "running themselves" from the only location in which they have a "free for all" regardless of the user:
    the profile path...
    And we can expect some form of patch for this...