Level 11
Message 1 of 12

ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

Beginning Friday evening 4/10 around 7pm we started receiving the ATP event description "Adaptive Threat Protection Block Source" for GoogleUpdate.exe, event ID 35116. The alert is also showing "No Certificate" in the Certificate Name field. Analyzer ID is 4320, and the Real Protect scanning sensitivity level is low. Currently we've received alerts for this on 18 different systems. GoogleUpdate.exe is not the only executable generating this alert. Other random detections that have generated this event 35116 are powershell.exe, webexmta.exe, procexp64.exe, ptupdate.exe, and SysInfo64.exe. The threat target process in EVERY case is lsass.exe. We are running ATP 10.7.0.1740 and AMCore Content version 4041. I've reviewed the ePO audit logs and don't see any changes that I would've made to cause this. I'm unable to make sense of these detections, and at this time believe they're false positives. Has anyone else received these detections, or does anybody know why I would be?


11 Replies
Reliable Contributor
Message 2 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

I am seeing exactly the same thing, various apps, but also the threat target process in EVERY case is lsass.exe.

Level 11
Message 3 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

How long ago did the issue start for you? Friday evening 4/10 as well?

Reliable Contributor
Message 4 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

They started Thursday morning for me, once I started pushing out AMCore 4036.

McAfee Employee
Message 5 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

Hi Nashcoop,

The events you are receiving are a result of a new feature in ENS 10.7 called Credential Theft Protection, which is part of ATP.
This event appears when an application tries to access or make changes to lsass.exe. Lsass caches users' credentials for ease of work, so they do not have to re-enter passwords. But lsass is always targeted by malware in order to obtain credentials. While the application itself could be genuine, the detection is based on the behavior.

The detection is genuine, is by design, and is not a false positive.

If you are having issues due to the blocks done by CTP, you could go ahead and keep the feature in Observe mode under the ATP Options policy, or you can also exclude a few low-risk applications like googleupdate.exe from On-Access Scan (not recommended for high-risk processes such as PowerShell). You can also disable the feature from ATP Options policy > Real Protect Scanning (Windows only) > un-check "Enable Credential Theft Protection".

Warm Regards,
Hasib
McAfee Technical Support
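Given the behaviour Hasib describes (event 35116 fires whenever a process touches lsass.exe), the first triage question is which source processes are involved across the fleet, whether the binary carried a certificate, and whether the vendor guidance allows an exclusion. The script below is an added example, not McAfee code: it groups constructed ePO-style event rows by source process and applies the reply's guidance. The column names, the certificate values in the sample, and the high-risk process list are assumptions.

```python
# Triage of ENS ATP event 35116 ("Attempted Credential Theft") records.
# Added example, not McAfee code; the export below is constructed and the
# column names are assumptions, so map them to the real ePO export fields.
import csv
import io
from collections import defaultdict

CRED_THEFT_EVENT_ID = "35116"  # event ID quoted in the thread
LSASS = "lsass.exe"            # threat target process in every reported case
# PowerShell is the one process the vendor reply calls high risk; extending
# this set is a site policy decision (assumption).
HIGH_RISK = {"powershell.exe"}

SAMPLE_EXPORT = """\
host,event_id,threat_name,source_process,target_process,certificate_name
ws01,35116,Attempted Credential Theft,GoogleUpdate.exe,lsass.exe,No Certificate
ws02,35116,Attempted Credential Theft,GoogleUpdate.exe,lsass.exe,No Certificate
ws03,35116,Attempted Credential Theft,powershell.exe,lsass.exe,No Certificate
ws04,35116,Attempted Credential Theft,MicrosoftEdgeUpdate.exe,lsass.exe,Microsoft Corporation
ws05,1092,Unrelated event,notepad.exe,explorer.exe,Microsoft Corporation
"""

def credential_theft_events(export_text):
    """Keep only 35116 events whose threat target is lsass.exe."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r for r in rows if r["event_id"] == CRED_THEFT_EVENT_ID
            and r["target_process"].lower() == LSASS]

def summarize(events):
    """Per source process: affected hosts and how many hits showed no certificate."""
    summary = defaultdict(lambda: {"hosts": set(), "no_cert": 0})
    for e in events:
        entry = summary[e["source_process"].lower()]
        entry["hosts"].add(e["host"])
        if e["certificate_name"] == "No Certificate":
            entry["no_cert"] += 1
    return dict(summary)

def recommend(summary):
    """Map each source process to a triage action following the vendor guidance."""
    actions = {}
    for proc, entry in summary.items():
        if proc in HIGH_RISK:
            actions[proc] = "keep blocking; investigate the lsass access"
        elif entry["no_cert"]:
            actions[proc] = "verify the binary's signature on a host before excluding"
        else:
            actions[proc] = "candidate low-risk On-Access Scan exclusion"
    return actions
```

Running recommend(summarize(credential_theft_events(export))) over a real export gives one action per source process, with a host count from the summary to prioritise the review.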

Reliable Contributor
Message 6 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

I'm running ePO 5.10 with Update 6, ENS 10.7, ATP 10.7.0.1740, and I'm not seeing the Enable Credential Theft Protection option.

Reliable Contributor
Message 7 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

Just added the very latest ATP extension, and the option is now there. It looks like you introduced something before you released any control over it!

Message 8 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

We are experiencing the same problem with MicrosoftEdgeUpdate.exe and GoogleUpdate.exe.

Level 11
Message 9 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

Nice. So we've been having this issue since 04/10 because McAfee introduced new functionality four days prior to releasing the extension that allows us to manage that new functionality. Additionally, I still haven't seen an SNS subscription notification that mentioned this new functionality or the release of the new extension. Way to go McAfee.

Level 11
Message 10 of 12

Re: ATP Detecting GoogleUpdate.exe as Threat Name "Attempted Credential Theft"

Thanks ChrisQ. Another fine moment for McAfee.
