Troja
Level 14

Malware completely bypasses Application Control


Hi all,

I have a system where malware is executed to analyze threats. I have a threat which completely bypasses Application Control. How can this be??

If I execute the malware, everything is bypassed, really every McAfee security product!

Actually GTI knows the original file. But in fact, if there is a new version of it, and this will happen, why is Application Control not able to protect??

This is my system configuration:

AppCont.jpg

Solidcore Configuration:

C:\>sadmin config show
  CustomerConfig                158 (0x9e)
  MPCompat                      0 (0x0)
  FileRetrySecs                 0 (0x0)
  DoNotApplyAefBackupRules      0 (0x0)
  CustomizedEventCacheSize      1000 (0x3e8)
  EventCacheSize                2 (0x2)
  EventCacheWMHigh              90 (0x5a)
  EventCacheWMLow               70 (0x46)
  FailSafeConf                  0 (0x0)
* FeaturesEnabled               213340175514933423 (0x2f5efc261e318af)
* FeaturesEnabledOnReboot       213340175514933423 (0x2f5efc261e318af)
* FeaturesInstalled             288212725746833663 (0x3ffeff271e318ff)
* FileAttrCTrack                5024 (0x13a0)
* FileDenyReadOptions           1024 (0x400)
* FileDenyWriteOptions          4831 (0x12df)
  FileDiffAttrOnlyTypes         zip,7z,rar,gz,tgz,jpg,gif,tiff,png,bmp,pdf,tar,bz,bz2,exe,dll,sys,jar
  FileDiffMaxFiles              100 (0x64)
  FileDiffMaxSize               1000 (0x3e8)
  FipsMode                      0 (0x0)
  InvDiffConfig2                2 (0x2)
  InvDiffTimeout                10800 (0x2a30)
  PullInvTimeout                604800 (0x93a80)
* LockdownStatus                0 (0x0)
  LogFileNum                    4 (0x4)
* LogFilePath                   C:\PROGRA~3\McAfee\Solidcore\Logs
  LogFileSize                   2048 (0x800)
  ProdIntegrationConfig         1 (0x1)
* RTEMode                       1 (0x1)
* RTEModeOnReboot               1 (0x1)
  SoPriority                    1 (0x1)
  ssLangId                      Default
* WorkFlowId                    OBSERVE_MODE: AUTO_1
* AgentEventsThreshold          2000 (0x7d0)
  AgentEventsThresholdOnWakeup  2000 (0x7d0)
* SupplierCacheSize             7000 (0x1b58)
  SupplierCacheSizeOnWakeup     7000 (0x1b58)
  ConsumerThreadTimeout         10800000 (0xa4cb80)
  InvDiffAgentEventsThreshold   15000 (0x3a98)
* ObAgentEventsThreshold        100 (0x64)
  ObAgentEventsThresholdOnWakeup        100 (0x64)
* ObSupplierCacheSize           700 (0x2bc)
  ObSupplierCacheSizeOnWakeup   700 (0x2bc)
  ObConsumerThreadTimeout       10800000 (0xa4cb80)
  Accessibility                 0 (0x0)
  EventCacheIntervalMilliSecs   10000 (0x2710)

Memory Protection Features:

C:\>sadmin features list
  activex                        Enabled
  checksum                       Enabled
  deny-read                      Enabled
  deny-write                     Enabled
  discover-updaters              Enabled
  enduser-notification           Enabled
  integrity                      Enabled
  mp                             Enabled
  mp-nx                          Enabled
  mp-vasr                        Enabled
  mp-vasr-forced-relocation      Enabled
  network-tracking               Enabled
  pkg-ctrl                       Enabled
  script-auth                    Enabled

The location where the malware is located is not solidified:

C:\>sadmin lu c:\malware
c:\malware\noscan\File_0_pw_infected\Crypt.exe
c:\malware\noscan\File_0_pw_infected\FileZilla_3.8.1_win32-setup.exe

If I execute the FileZilla installation, I receive an error:

AppCont2.jpg

If I execute the crypt.exe file, the malware gets active. No Solidcore event! Nothing.... Afterwards it just encrypts the system!

- open command line windows are closed, and so on...

1) The location where I started the crypt.exe file shows the help-decrypt file.

AppCont3.jpg

2) MWG shows access to the servers on the internet (it is set not to block, in order to show the behavior).

ipinfo.io is not a "bad" URL in GTI.

AppCont4.jpg

How can this be?? Can anyone explain this??

6 Replies
neelima
Level 12

Re: Malware completely bypasses Application Control


Troja,

What is the response for FileZilla.exe on the self-approval popup?

Also, how is crypt.exe executing when it is unsolidified?

Troja
Level 14

Re: Malware completely bypasses Application Control


Hi ,

When executing FileZilla.exe, based on policy an information popup is shown. If I click allow, the software can be installed; if I choose block, the installation is blocked.

If I start crypt.exe, there is no popup, no event, nothing. Even if I activate Change and Integrity Control to monitor txt files (they are encrypted by the threat), there is no event.

Why can crypt.exe be started even though the file is unsolidified?? This is my question. How can that be? Why is memory protection not working with this file??

Should I open a service request?

Cheers

neelima
Level 12

Re: Malware completely bypasses Application Control


Please do.

Troja
Level 14

Re: Malware completely bypasses Application Control


Hi ,

A configuration issue is suspected. I will check this as soon as possible.

This takes some time, because with the latest product extension I cannot remove policy sockets. :-(

I will start with a default policy and afterwards add rule groups step-by-step.

Cheers

neelima
Level 12

Re: Malware completely bypasses Application Control


Troja,

Did you get around to testing this?

Troja
Level 14

Re: Malware completely bypasses Application Control


Hi ,

After a long research and checking hundreds of Solidcore rules, I figured out the problem. It is not an Application Control agent problem. It is a layer 8 problem. *lol*

If copying files to an endpoint using GPO, this always generates a MAC popup on the endpoint, even though every netlogon share is whitelisted. The process which copies the files is svchost. Therefore svchost was whitelisted.

Cryptolocker injects code into svchost. So MAC worked as expected: if something is whitelisted, this is not blocked.

Cheers
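The root cause above is that neither fact on its own produces an Application Control event: the unsolidified crypt.exe ran, and the whitelisted updater svchost.exe did the file writes. The following is an added example (not code from this thread or from McAfee) that correlates those two facts from host telemetry; the event records, field layout, time window and threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (time, kind, process, target); paths mirror the thread's layout.
EVENTS = [
    ("2015-06-01 10:00:00", "exec",  r"c:\malware\noscan\File_0_pw_infected\Crypt.exe", ""),
    ("2015-06-01 10:00:05", "write", r"c:\windows\system32\svchost.exe", r"c:\users\bob\docs\a.txt"),
    ("2015-06-01 10:00:06", "write", r"c:\windows\system32\svchost.exe", r"c:\users\bob\docs\b.txt"),
    ("2015-06-01 10:00:07", "write", r"c:\windows\system32\svchost.exe", r"c:\users\bob\docs\c.txt"),
    ("2015-06-01 10:00:08", "write", r"c:\windows\system32\svchost.exe", r"c:\users\bob\docs\HELP_DECRYPT.txt"),
    # A legitimate GPO file copy much later: outside the window and not under a user profile.
    ("2015-06-01 11:30:00", "write", r"c:\windows\system32\svchost.exe", r"c:\windows\temp\gpo\login.bat"),
]
SOLIDIFIED = {r"c:\windows\system32\svchost.exe"}          # inventory (the malware dir is not in it)
TRUSTED_UPDATERS = {r"c:\windows\system32\svchost.exe"}    # the over-broad updater rule from the thread


def detect_injected_updater(events, solidified, trusted_updaters,
                            window=timedelta(minutes=5), threshold=3):
    """Return findings (unsolidified exe, trusted updater, user-data writes in window, ransom note seen).

    Heuristic: an executable outside the solidified inventory starts, and within `window`
    a trusted updater writes `threshold` or more files under user profiles (or drops a
    'decrypt' note). That pattern matches code injected into a whitelisted process.
    """
    execs, writes = [], defaultdict(list)
    for ts, kind, proc, target in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        proc, target = proc.lower(), target.lower()
        if kind == "exec" and proc not in solidified:
            execs.append((t, proc))
        elif kind == "write" and proc in trusted_updaters:
            writes[proc].append((t, target))

    findings = []
    for t0, exe in execs:
        for updater, ws in writes.items():
            in_win = [tg for t, tg in ws
                      if t0 <= t <= t0 + window and tg.startswith(r"c:\users")]
            note = any("decrypt" in tg.rsplit("\\", 1)[-1] for tg in in_win)
            if len(in_win) >= threshold or note:
                findings.append((exe, updater, len(in_win), note))
    return findings


if __name__ == "__main__":
    for f in detect_injected_updater(EVENTS, SOLIDIFIED, TRUSTED_UPDATERS):
        print("possible injection into trusted updater:", f)
```

The same correlation would stay silent for the 11:30 GPO copy alone, which is the behaviour that originally justified the svchost rule.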