Level 7
Message 1 of 5

Attempted Credential Theft does not list file

How do we identify the source of Attempted Credential Theft? It is not listed in the log entry under FILE.

2020-07-20 18:30:51.495Z|Activity|Orchestrator |mfeatp | 5940| 9628|Action |post_scan_actions.cpp(3324) | Action Details:: File: , Mode: Enforce , Scanner: Real Protect , Detection Name: Attempted Credential Theft , Reputation: 0 [] , ActionTaken: Block Rule id: 0 , Content Version: Not Available

4 Replies
McAfee Employee
Message 2 of 5

Re: Attempted Credential Theft does not list file

These events are being triggered by rule ID 333. This issue started after the AMCore release 4134 and should be fixed in the coming releases.

To mitigate the issue for now, disable rule ID 333 from Server Settings:

-Log on to the ePO console.

-Go to Menu, Configuration, Server Settings.

-Select Adaptive Threat Protection, and select the wanted Security Posture (Productivity, Balanced, or Security).

-Click Edit.

-Select the checkbox for the Rule ID.

-From the Actions drop-down list, select the wanted option (Enabled, Disabled, or Observe).

-Click Save.

This is a workaround only.

We need to work with our labs to see whether this is a Real Protect threat, why Real Protect blocks this, or whether this is a false positive issue.

We will keep you updated accordingly. 

Level 7
Message 3 of 5

Re: Attempted Credential Theft does not list file

Thank you.

Do I need to open a SR and provide a MER or do you already have enough information to research?

Level 7
Message 4 of 5

Re: Attempted Credential Theft does not list file

We currently use the "Balanced" setting, and rule ID 333 is in "Observe" mode by default.

Does that make a difference? 

I am worried about disabling the rule entirely and not knowing potential threats are occurring. I get less than a handful of these in a day. Many I investigated seem to be machines that were being reimaged.

But at the same time, I do not know if this alert is blocking anything important from succeeding?

McAfee Employee
Message 5 of 5

Re: Attempted Credential Theft does not list file

Hi PAA

I did some internal testing in our test environments, and a possible factor causing this is Credential Theft Protection being enabled in the Adaptive Threat Protection policy. The feature is included from the April update.

Kindly refer to the screenshot. 

Capture.JPG

Kindly disable this feature or monitor with observe mode enabled and see if this helps. 

This is a short workaround only. 

For detailed investigation, we suggest that our customers open an SR and provide us with debug logs enabled for ATP, and we can investigate further.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
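
As an added example (not part of any post in this thread, and not McAfee code), the following Python parses entries in the format of the log line quoted in the first message and lists those whose File field is empty, counted per day, so they can be correlated with other activity such as reimaging. The column names for the pipe-delimited prefix are assumptions, and every sample line except the first is constructed for illustration.

```python
import re
from collections import Counter

# Keys seen in the "Action Details::" text of the log entry quoted in the thread.
KEYS = ["File", "Mode", "Scanner", "Detection Name", "Reputation",
        "ActionTaken", "Rule id", "Content Version"]
KEY_RE = re.compile(r"(?:^|[\s,])(" + "|".join(map(re.escape, KEYS)) + r"):")

def parse_action_line(line):
    """Return a dict for an 'Action Details::' entry, or None for other lines."""
    parts = [p.strip() for p in line.split("|", 8)]
    if len(parts) < 9 or "Action Details::" not in parts[8]:
        return None
    detail = parts[8].split("Action Details::", 1)[1]
    hits = list(KEY_RE.finditer(detail))
    # Column names are assumptions; the log itself carries no header row.
    rec = {"timestamp": parts[0], "process": parts[3], "source": parts[7]}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(detail)
        # "ActionTaken: Block Rule id: 0" has no comma, so split on key names.
        rec[hit.group(1)] = detail[hit.end():end].strip(" ,")
    return rec

def detections_without_file(lines):
    """Entries whose File field is empty, as in the thread's question."""
    recs = (parse_action_line(line) for line in lines)
    return [r for r in recs if r and r.get("File", "") == ""]

def summarize(records):
    """Count entries per (day, detection, mode, action) for triage."""
    return Counter((r["timestamp"][:10], r.get("Detection Name"),
                    r.get("Mode"), r.get("ActionTaken")) for r in records)

SAMPLE = [
    # Line 1 is the entry from the first post; the rest are constructed.
    r"2020-07-20 18:30:51.495Z|Activity|Orchestrator |mfeatp | 5940| 9628|Action |post_scan_actions.cpp(3324) | Action Details:: File: , Mode: Enforce , Scanner: Real Protect , Detection Name: Attempted Credential Theft , Reputation: 0 [] , ActionTaken: Block Rule id: 0 , Content Version: Not Available",
    r"2020-07-21 07:12:03.101Z|Activity|Orchestrator |mfeatp | 5940| 9628|Action |post_scan_actions.cpp(3324) | Action Details:: File: , Mode: Enforce , Scanner: Real Protect , Detection Name: Attempted Credential Theft , Reputation: 0 [] , ActionTaken: Block Rule id: 0 , Content Version: Not Available",
    r"2020-07-21 08:00:00.000Z|Activity|Orchestrator |mfeatp | 5940| 9628|Action |post_scan_actions.cpp(3324) | Action Details:: File: C:\Temp\sample.exe , Mode: Enforce , Scanner: Real Protect , Detection Name: Constructed-Sample , Reputation: 0 [] , ActionTaken: Block Rule id: 0 , Content Version: Not Available",
    r"2020-07-21 09:00:00.000Z|Activity|Orchestrator |mfeatp | 5940| 9628|Info |constructed.cpp(1) | constructed non-action line",
]

if __name__ == "__main__":
    for key, count in summarize(detections_without_file(SAMPLE)).items():
        print(count, key)
```

The timestamps of the entries it returns are the practical pivot, since the File field gives nothing to search on.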
