Message 1 of 9 (Level 7)

Attempted Credential Theft does not list file

How do we identify the source of Attempted Credential Theft? It is not listed in the log entry under FILE:

2020-07-20 18:30:51.495Z|Activity|Orchestrator |mfeatp | 5940| 9628|Action |post_scan_actions.cpp(3324) | Action Details:: File: , Mode: Enforce , Scanner: Real Protect , Detection Name: Attempted Credential Theft , Reputation: 0 [] , ActionTaken: Block Rule id: 0 , Content Version: Not Available
8 Replies
Message 2 of 9 (McAfee Employee)

Re: Attempted Credential Theft does not list file

These events are triggered by rule ID 333. This issue started after the AMCore release 4134 and should be fixed in the coming releases.

In order to mitigate the issue for now, disable rule ID 333 from Server Settings:

- Log on to the ePO console.
- Go to Menu, Configuration, Server Settings.
- Select Adaptive Threat Protection, and select the wanted Security Posture (Productivity, Balanced, or Security).
- Click Edit.
- Select the checkbox for the Rule ID.
- From the Actions drop-down list, select the wanted option (Enabled, Disabled, or Observe).
- Click Save.

This is workaround only.

We need to work with our labs and see whether this is a Real Protect threat, why Real Protect blocks this, or whether this is a false positive issue.

We will keep you updated accordingly. 

Message 3 of 9 (Level 7)

Re: Attempted Credential Theft does not list file

thank you.

Do I need to open a SR and provide a MER or do you already have enough information to research?

Message 4 of 9 (Level 7)

Re: Attempted Credential Theft does not list file

We currently use the "Balanced" setting, and rule ID 333 is in "Observe" mode by default.

Does that make a difference? 

I am worried about disabling the rule entirely and not knowing that potential threats are occurring. I get less than a handful of these in a day. Many I investigated seem to be machines that were being reimaged.

... but at the same time, I do not know if this alert is blocking anything important from succeeding?
Message 5 of 9 (McAfee Employee)

Re: Attempted Credential Theft does not list file

Hi PAA

I did some internal testing in our test environments, and the possible factor that causes this is the Credential Theft Protection feature enabled in the Adaptive Threat Protection policy. This feature was included from the April update.

Kindly refer to the screenshot.

[Screenshot: Capture.JPG]

Kindly disable this feature or monitor with observe mode enabled and see if this helps. 

This is a short workaround only. 

For a detailed investigation, we suggest that customers open an SR and provide us with debug logs (with debug logging enabled for ATP) so we can investigate further.


Message 6 of 9

Re: Attempted Credential Theft does not list file

We're using ENS ATP 10.7. I've started seeing the same thing from 3 systems in the last few days. The Analyzer method is stated as Real Protect, but there is no file path/process highlighted. Other than the detection, there is no info as to why it occurred.

Message 7 of 9 (McAfee Employee)

Re: Attempted Credential Theft does not list file

Hi @cybercop

Can you share the details or post a screenshot for us to review?
Message 8 of 9

Re: Attempted Credential Theft does not list file

Detection is as below (identifiers removed):

Server ID: xxx
Event Received Time: 11/2/20 12:52:50 PM GMT
Event Generated Time: 11/2/20 12:51:56 PM GMT
Preferred Event Time: 11/2/20 12:51:56 PM GMT
Agent GUID: 544D4BDA-18AD-11E9-20CE-002324EA95D3
Detecting Prod ID (deprecated): ENDPATP_1070
Detecting Product Name: McAfee Endpoint Security
Detecting Product Version: 10.7.0.2059
Detecting Product Host Name: xxx
Detecting Product IPv4 Address: xxxx
Detecting Product IP address: xxxx
Detecting Product MAC Address: 002324ea95d3
DAT Version:
Engine Version:
Threat Source Host Name: xxxx
Threat Source IPv4 Address: xxxxxx
Threat Source IP address: xxxx
Threat Source MAC Address:
Threat Source User Name: System
Threat Source Process Name:
Threat Source URL:
Threat Target Host Name: xxx
Threat Target IPv4 Address: xxx
Threat Target IP address: xxx
Threat Target MAC Address:
Threat Target User Name:
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:
Event Category: Malware detected using heuristics
Event ID: 35116
Threat Severity: Critical
Threat Name: Attempted Credential Theft
Threat Type: Trojan
Action Taken: Adaptive Threat Protection Blocked
Threat Handled: True
Analyzer Detection Method: Real Protect

Events received from managed systems
Event Description: Adaptive Threat Protection Block Source

Endpoint Security
Module Name: Adaptive Threat Protection
Analyzer Rule ID: 4320
Analyzer McAfee GTI Query: No
First Action Status: Not available
Second Action Status: Not available
Description: Unknown
Attack Vector Type: Local System

Adaptive Threat Protection Events
Certificate Name: No Certificate
Certificate Hash: None
Content Version: Not Available
Detection Type: On-Execute Scan
File SHA1 Hash: None
File Type: Executable
Reputation: Not Set
Balance Security For: Productivity
Real Protect Scanning - Sensitivity level: Low
Rule Name: Not Applicable
Rule Description: No rule affected this reputation
Rule Detailed Description: No rule affected this reputation
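As an added example (not code from McAfee or from anyone in this thread), the Python below parses the two record shapes quoted here, the pipe-delimited mfeatp Activity line from the first post and the "Key: Value" ePO event detail above, and flags detections whose file, process and hash fields all carry placeholders, which is the situation both posters describe. The two sample records are constructed from the posts; the field names follow the posts, while the set of placeholder strings and the choice of attribution fields are my assumptions.

```python
import re

# Constructed sample 1: the mfeatp Activity log line quoted in the first post.
AGENT_LOG_LINE = (
    "2020-07-20 18:30:51.495Z|Activity|Orchestrator |mfeatp | 5940| 9628|Action |"
    "post_scan_actions.cpp(3324) | Action Details:: File: , Mode: Enforce , "
    "Scanner: Real Protect , Detection Name: Attempted Credential Theft , "
    "Reputation: 0 [] , ActionTaken: Block Rule id: 0 , Content Version: Not Available"
)

# Constructed sample 2: a condensed ePO event detail in the shape of the post
# above (one "Key: Value" per line, redacted values kept as xxx).
EPO_EVENT_TEXT = """\
Event Generated Time: 11/2/20 12:51:56 PM GMT
Detecting Product Host Name: xxx
Threat Source User Name: System
Threat Source Process Name:
Threat Target File Path:
Event ID: 35116
Threat Name: Attempted Credential Theft
Action Taken: Adaptive Threat Protection Blocked
Analyzer Detection Method: Real Protect
Analyzer Rule ID: 4320
File SHA1 Hash: None
Rule Name: Not Applicable
"""

# "Key: value" pairs inside the Action Details string. Segments are normally
# separated by " , ", but "ActionTaken: Block Rule id: 0" packs two pairs into
# one segment, so a value ends at the next ", Key:" or " Key:" boundary.
_DETAIL_RE = re.compile(
    r"(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*?)"
    r"(?=\s*,\s*[A-Za-z][A-Za-z ]*?\s*:|\s+[A-Z][A-Za-z ]*?\s*:|$)"
)

# Strings ENS and ePO put in a field that carries nothing usable (assumed set).
_PLACEHOLDERS = {"", "none", "not available", "not set", "not applicable", "unknown"}

# Fields that would let an analyst pivot to the offending binary or process
# (agent log name first, then the ePO event names). Assumed selection.
_ATTRIBUTION_KEYS = (
    "File",
    "Threat Source Process Name",
    "Threat Target File Path",
    "File SHA1 Hash",
)


def parse_agent_log_line(line):
    """Split one mfeatp Activity line into its pipe fields and Action Details pairs."""
    parts = [p.strip() for p in line.split("|")]
    record = {"timestamp": parts[0], "module": parts[3], "pid": parts[4], "tid": parts[5]}
    detail_part = next((p for p in parts if p.startswith("Action Details::")), "")
    details = detail_part.split("::", 1)[1] if detail_part else ""
    for m in _DETAIL_RE.finditer(details):
        record[m.group("key").strip()] = m.group("val").strip()
    return record


def parse_epo_event(text):
    """Parse an ePO event detail pasted as "Key: Value" lines (keys never contain ':')."""
    record = {}
    for raw in text.splitlines():
        key, sep, val = raw.partition(":")
        if sep:
            record[key.strip()] = val.strip()
    return record


def attribution(record):
    """Return the attribution fields whose value is not a placeholder."""
    return {
        k: record[k]
        for k in _ATTRIBUTION_KEYS
        if record.get(k, "").strip().lower() not in _PLACEHOLDERS
    }


def triage(record):
    """Summarise one detection and say whether it can be investigated from the event alone."""
    name = record.get("Detection Name") or record.get("Threat Name", "")
    found = attribution(record)
    return {
        "detection": name,
        "scanner": record.get("Scanner") or record.get("Analyzer Detection Method", ""),
        "rule_id": record.get("Rule id") or record.get("Analyzer Rule ID", ""),
        "action": record.get("ActionTaken") or record.get("Action Taken", ""),
        "attribution": found,
        # Nothing to pivot on: this is the case to take to an SR with ATP debug logs.
        "needs_endpoint_debug": name == "Attempted Credential Theft" and not found,
    }


def triage_samples():
    """Run both constructed samples through the triage."""
    return [
        triage(parse_agent_log_line(AGENT_LOG_LINE)),
        triage(parse_epo_event(EPO_EVENT_TEXT)),
    ]


if __name__ == "__main__":
    for result in triage_samples():
        print(result)
```

Both constructed records come out with an empty attribution set, which is exactly why the ePO event alone cannot answer "which binary did this": the only evidence that survives is the detection name, the scanner and the rule ID, and the rest has to come from the endpoint-side ATP debug logs the employee asks for.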

 

Message 9 of 9

Re: Attempted Credential Theft does not list file

So I take it that McAfee still haven't fixed this one?
