Since early this morning we are seeing an issue where genuine Java Scripts are being detected as "Suspicious Attachment!script" and deleted on systems installed with ENS 10.5.0.596 when it has the AMCore version 2891.0. This happens when a user attempts to run a Java script from within Outlook and does not happen with earlier DATs. No other version of AV is affected (10.2 or VSE 8.8). Since I reported it first thing this morning I've had no contact from McAfee other than an email asking for quarantined files to be sent to them. Anyone else seeing this? We've had to stop updates and roll back to 2890....Poor again.
I'm having the same issue. Logged into ePO this morning and noticed over 1200+ pieces of "Malware" generated as "Suspicious Attachment!script".
Any thoughts on this? I'd hate to roll back the DAT file.
Thanks in advance.
I had noted two occurrences of this event yesterday, and had noted that one that I managed to get a hold of seemed legitimate. Hadn't had a chance to investigate further yet.
I temporarily resolved this issue while I wait for a new AMCore. Created an ENS client task to roll back AMCore. Tech notes: must list sub version.
My task is pictured below.
I haven't read up much but I believe that the endpoint saves a couple versions. So this is restored locally.
I've just had an email forwarded from my SAM with this:
We've had two escalations today for a false PUP detection of Suspicious Attachment!xxxx. Note that this is only being seen in ENS.
Due to the type of detection driver, this is not something that can be resolved via an extra.dat.
Should you have a customer report this false, the interim solution is for the customer to add the following as PUP exclusions in ENS:
The false should be corrected with tomorrow's DATs. After updating, the customer will want to remove the added exclusions.
I've added these four into my ENS Threat Protection --> Options policy for today, and will test Monday after the new AMCore version comes out.
Thanks, johnmoe, for the workaround. I opened a case with McAfee and they told me to exclude Outlook.exe, which I didn't want to do, and the last resort was to revert the DAT.
Had over 3,000+ hits of Suspicious Attachment!script from ENS.
Latest from McAfee 08:45 GMT: "The issue will be dealt with in an AMCore release later today." Although I have the exclusions in that McAfee have recommended (same as johnmoe), I'm retaining the policy of not updating until I've tested this one fully..... and I certainly don't recommend excluding Outlook.exe (Alka).
I understood to roll back the DAT. But I don't accept an exclusion for Outlook.exe. For example, outlook.exe is a high process in the McAfee default policy. A lot of threats come to the outlook.exe process.