cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Thyssenkrupp
Level 9
Report Inappropriate Content
Message 1 of 7
‎12-27-2021 05:40 AM

ATP/Suspect!dd399 ae46303 alerts

Jump to solution

ATP/Suspect!dd399 ae46303 alerts
I am getting ATP/Suspect!dd399 ae46303 alerts for rundll32.exe on a few WVD machines in my environment. The file seems to be clean, but it appears like maybe someone or something is trying to use the file for nefarious purposes (or this is just a false positive). Can someone shed some light on this please? thank you!


Description: The reputation of the rundll32.exe application is Might be Malicious, which is below the configured containment threshold. Adaptive Threat Protection didn't contain the application because Observe mode is enabled. Duration Before Detection (Days): >7 days Attack Vector Type: Local System Adaptive Threat Protection Events Certificate Name: No Certificate Certificate Hash: None Content Version: Not Available Detection Type: On-Execute Scan File Company Creator: Microsoft Corporation File SHA1 Hash: dd399ae46303343f9f0da189aee11c67bd868222 File MD5 Hash: ef3179d498793bf4234f708d3be28633 File Type: Executable Reputation: Might be Malicious Balance Security For: Balanced Real Protect Scanning - Sensitivity level: Medium Rule Name: Identify target process launching non standard extensions or launched by non-standard actor Rule Description: Mitre-T1036, T1059: Attempts to prevent processes trying to launch non-standard extensions or being launched by non-standard actor Rule Detailed Description: Tactics: Execution, Defense Evasion - Techniques: T1036, T1059. Detects target process launching non standard extensions like CScript is launching a txt file

0 Kudos
Reply
1 Solution

Accepted Solutions
yaz
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7
‎12-30-2021 05:38 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution

HI @Thyssenkrupp 

Rules and content update are automatic. 

There is no further actions needed from your end.

https://www.mcafee.com/enterprise/en-in/release-notes/threat-intelligence-exchange.html

Was my reply helpful?

If yes, please give me a kudo. If I have answered your query, kindly mark this as solution so that we help other community members together. 

View solution in original post

0 Kudos
Reply
6 Replies
yaz
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7
‎12-27-2021 07:08 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution

Hi @Thyssenkrupp 

Thank you for reaching out to Community. 

From the provided description, I understand you are looking for information on the detection details. 

From ATP options policy, if observe mode is enabled, then we see this issue. 

"The reputation of the rundll32.exe application is Might be Malicious, which is below the configured containment threshold. Adaptive Threat Protection didn't contain the application because Observe mode is enabled."

The mentioned MD5 hash ef3179d498793bf4234f708d3be28633 seems to be clean from our database records. 

I suggest you to test by disabling the Observe mode and test. 

Was my reply helpful?

If yes, please give me a Kudo. If I have answered your query, Kindly mark this as solution so that together we help other community members. 

 

0 Kudos
Reply
Thyssenkrupp
Level 9
Report Inappropriate Content
Message 3 of 7
‎12-27-2021 08:08 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution

Hi, are you suggesting that we turn this off or set it to block? I am concerned that either we do not have ENS configured properly for the WVD environment or it is not compatible with the WVD environment.  https://kc.mcafee.com/corporate/index?page=content&id=KB94364

thank you for any help you can provide!

0 Kudos
Reply
harshgautam
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 7
‎12-28-2021 03:24 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution

Hi @Thyssenkrupp ,

Thank you for reaching out to us on McAfee Community.

Rule 266: Identify target process launching non-standard extensions or launched by non-standard actor
 
We have seen a few false positives being reported for Rule 266
 
Rule 266: Identify target process launching non-standard extensions or launched by non-standard actor
Description: Attempts to prevent processes trying to launch non-standard extensions or being launched by non-standard actor. For instance, CScript is launching a txt file (Tactics: Execution, Defense Evasion - Techniques: T1036, T1059)
Default State: Evaluate
 
Problem:
It has been observed that anything after.dll followed by , is also considered as an extension
 
example: Target command line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie
 
here "dll,davsetcookie" this whole string is considered as extension and hence the rule 266 is triggered.
 
 
The above can be found in ATP debug logging.

Solution, Kindly update to the latest ATP content and the issue will be resolved.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
0 Kudos
Reply
Thyssenkrupp
Level 9
Report Inappropriate Content
Message 5 of 7
‎12-28-2021 05:16 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution
This is extremely helpful, thank you. Can you please tell me how to update to the latest ATP content please? thank you again!
0 Kudos
Reply
Thyssenkrupp
Level 9
Report Inappropriate Content
Message 6 of 7
‎12-30-2021 05:35 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution
Can you please tell me how to update to the latest ATP content please?
0 Kudos
Reply
yaz
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7
‎12-30-2021 05:38 AM

Re: ATP/Suspect!dd399 ae46303 alerts

Jump to solution

HI @Thyssenkrupp 

Rules and content update are automatic. 

There is no further actions needed from your end.

https://www.mcafee.com/enterprise/en-in/release-notes/threat-intelligence-exchange.html

Was my reply helpful?

If yes, please give me a kudo. If I have answered your query, kindly mark this as solution so that we help other community members together. 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC