
Sid 1-48800

Message

OS-WINDOWS Microsoft Windows arbitrary file read attempt

Summary

This event is generated when an attempt to read an arbitrary protected file on a Microsoft Windows host is observed.

Impact

Potential Arbitrary File Read

Detailed information

This vulnerability is exploited by abusing the Windows Installer function MsiAdvertiseProduct to trigger an arbitrary file read, which allows an attacker to read protected files without holding the permissions that would normally be required to access them.

Affected systems

  • Microsoft Windows

Ease of attack

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0636