cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bretzeli
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 7

ENS 10.7, Exploit 8003 rule, False?, COMPATTELRUNNER.EXE, PS, -FeatureName IIS-WebServerRole

Windows Compatability Telemetry (COMPATTELRUNNER.EXE)

 

Hello all,

Anybody also see this? I's blocked every day once. I asume some Telemetry function.

Greetings from snowy Switzerland 😉

 
 

Windows 10 PRO or ENT different version from 1709 to 1909. (ENG or GER)

ENS 10.7.0.2174

content: 10.6.0.11030

AMCORE: 6200.9189

--------------------------------------------------

 


Module Name:
Threat Prevention

Analyzer Content Creation Date:
1/7/21 11:41:16 PM CET

Analyzer Content Version:
10.6.0.11030

Analyzer Rule ID:
8003

Analyzer Rule Name:
Fileless Threat: Suspicious Powershell Behavior Detected

Source Description:
powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; if((Get-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole).State -eq 'Enabled') { $Path = $env:windir + '\system32\inetsrv\config\applicationHost.Config'; if (Test-Path -Path $Path) { try { [XML]$Xml = Get-Content $Path } catch { $Res = 1 } }; } Write-Host 'Final result:',$Res

Target Hash:
cda48fc75952ad12d99e526d0b6bf70a

Target Signed:
Yes

Target Signer:
CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

Target Parent Process Signed:
Yes

Target Parent Process Signer:
C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS

Target Parent Process Name:
COMPATTELRUNNER.EXE

Target Parent Process Hash:
339de473e8bd33b6a31c264285efc034

Target Name:
POWERSHELL.EXE

Target Path:
C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0

 

6 Replies
Pravas
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7

Re: ENS 10.7, Exploit 8003 rule, False?, COMPATTELRUNNER.EXE, PS, -FeatureName IIS-WebServerRole

Hi @bretzeli ,

It appears to be something related to IIS. Not sure if its telemetry though.

Is there a time frame when this happens?

Thanks

bretzeli
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 7

Re: ENS 10.7, Exploit 8003 rule, False?, COMPATTELRUNNER.EXE, PS, -FeatureName IIS-WebServerRole

Every day one since 03/04.02.2021. Most in the night. That seems to be when it started. Did McAfee change that rule then or MS something?

This is BEFORE the 02/2021 Patchday and we did no approve any 02/2021 MS patches before 11.02.2021 from February.

One machine the Mcafee event 04:00 and at the time absolue noting BEFORE 04:00 in Application, Security, Setup or System in eventviewer. No Schedule Task special at that time

But COMPATTELRUNNER.EXE is temetry and we see new files around 04:00:28 on that machine localy

C:\Windows\appcompat\UA\C:\Windows\appcompat\UA

C:\Windows\appcompat\appraiser\APPRAISER_TelemetryBaseline_21H2.bin

 

05:04, 03:54, 04:34, 04:19

 

So customer and partner concludes THAT this is a false positive. 😉

Please fix or tell us if this is fixed in 02/2021 Release of ENS.

 
 

 

 
 
 

 

bretzeli
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 7

ENS: It's a Microsoft Patch | It's compattelrunner (Windows Update Patch) | ATP Would Block!

Hello,

Rule 8003

03.05.2021, Still same problem with ATP Module on German W10 1909.

 

Any from McAfee inersted in this SINCE all customer have to MOVE to ENS?

 

Greetings from Switzerland big McAfee Partner

 

Module Name:

Threat Prevention

Analyzer Content Creation Date:

4/6/21 3:34:22 AM CEST

Analyzer Content Version:

10.6.0.11299

Analyzer Rule ID:

8003

Analyzer Rule Name:

Fileless Threat: Suspicious Powershell Behavior Detected

Source Description:

powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; if((Get-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole).State -eq 'Enabled') { $Path = $env:windir + '\system32\inetsrv\config\applicationHost.Config'; if (Test-Path -Path $Path) { try { [XML]$Xml = Get-Content $Path } catch { $Res = 1 } }; } Write-Host 'Final result:',$Res

Target Hash:

cda48fc75952ad12d99e526d0b6bf70a

Target Signed:

Yes

Target Signer:

CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

Target Parent Process Signed:

Yes

Target Parent Process Signer:

C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS

Target Parent Process Name:

COMPATTELRUNNER.EXE

Target Parent Process Hash:

339de473e8bd33b6a31c264285efc034

Target Name:

POWERSHELL.EXE

Target Path:

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0

Target File Size (Bytes):

451584

Target Modify Time:

3/19/19 6:46:56 AM CET

Target Access Time:

3/19/19 6:46:56 AM CET

Target Create Time:

3/19/19 6:46:56 AM CET

API Name:

SetEnvironmentVariableW

First Action Status:

Not available

Second Action Status:

Not available

Description:

ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the SetEnvironmentVariableW API. It wasn't blocked because Exploit Prevention was set to Report Only.

Attack Vector Type:

Local System

Adaptive Threat Protection Events

ZeeArhaan
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 7

Re: ENS: It's a Microsoft Patch | It's compattelrunner (Windows Update Patch) | ATP Would Block!

Hello @bretzeli 

Please note by default, this Signature ID 8003 is Set to Low.

If you wish to have this rule enabled, please add exclusion as below and monitor if that resolves your issue.

Note: please make sure you are creating a duplicate EP policy and test this on a couple of systems before applying this policy on all the machines.

Exclusions:

Exclusion Type: Illegal API Use - Buffer Overflow
Process
Name: POWERSHELL.EXE
File name or path (can include * or ? wildcards): C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Caller Module
Name: COMPATTELRUNNER.EXE
MD5 hash: 339de473e8bd33b6a31c264285efc034
API
Name: SetEnvironmentVariableW
Signatures
Signatures ID (comma-separated): 8003

Thanks

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!
bretzeli
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 7

Re: ENS: It's a Microsoft Patch | It's compattelrunner (Windows Update Patch) | ATP Would Block!

Hello,

Yeah turn it off as always the best solution?

Ahh, Common 😉

First thank you for showing a possible solution. Custom IPS rules as mentioned need to be tested and if faulty take out the whole environment at once... (So we know how but never a good solution we think)

1) Why is the RULE only low? Do you cover that already in another module like ATP better?

2) From our side as partner > We will have to change that on 23 existing EPO customers. Why don't you include that in the next RULE update for all customer? Since it's nothing else than a BUG when it catches a Windows Update Patch from Microsoft.

For 2) we in general have a problem with catching up in distribution of the rules to all our customers.

We need a tool or solution for all EPO on Premise customers our side where we can:

a) Define a set of STANDARD Exploit Rules which will pull for all customers

b) Then a set of CUSTOMER Exploit rules that may cover special needs per customer EPO

Then we simply miss a solution Mcafee Partner side where we can manage the IPS Rules at once for all customer. Like there is change or we see a False/Positive in a rule like now AND we want to change that asap for all customers.

If Mcafee does not provide such a tool in near future we will begin developing such a solution for ours elf.

Grettings from Switzerland

 

 

 

 

 

 

ZeeArhaan
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7

Re: ENS: It's a Microsoft Patch | It's compattelrunner (Windows Update Patch) | ATP Would Block!

Thank you for your response, yes your points make sense, however, that is something which can be clarified by working with McAfee technical support, I would request you to raise an SR with McAfee Technical Support so that probably, the engineer can take your points and work with the EP team to have this addressed. in the upcoming EP content updates.

https://support.mcafee.com/webcenter/portal/supportportal/pages_home?pageTemplate=null

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community