
ENS AMSI False-Positive detections for powershell scripts


Hello Community,

We have a DevOps team that frequently runs PowerShell configuration scripts, which invoke remote PowerShell scriptblocks against development/staging servers. After migrating from VSE to ENS on some servers, these script calls are being detected by ENS Threat Prevention On-Access Scan, specifically the AMSI scan module. The threat name is generic, appearing as AMSI-FHR!03E62A076896 (the part after AMSI- randomizes for each new detection). It flags that C:\Windows\System32\wsmprovhost.exe is being invoked and blocks it with the description "Script security violation detected and blocked by AMSI". As a workaround, I have had to create a new policy for these servers and put AMSI scanning into observe mode.

I'm currently working with support to get answers to the following questions:

  1. Why is it detecting benign PowerShell scripts as "malicious"?
  2. How do ENS and the AMSI integration determine good vs. bad scripts? It seems to detect legitimate uses of PowerShell scripts as "bad" and blocks them, without providing a way to put in exceptions (developers asked if we could whitelist based on code signing).

The idea of AMSI integration is great, because it helped detect an Invoke-Mimikatz that our penetration tester ran; however, the answer I'm getting from McAfee support is to "turn it off" by throwing it into observe mode.

Accepted Solutions
McAfee Employee jess_arman
Message 5 of 6

Re: ENS AMSI False-Positive detections for powershell scripts


@kpham90 Correct, unfortunately there is not a way to whitelist scripts at this time. The method you're pursuing is what is available to eliminate and mitigate false positives. Part of this is due to the way that AMSI allows integration/consumption of its APIs. However, you could still look to submit this as a Product Idea suggestion for future consideration.


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

5 Replies
Reliable Contributor Daveb3d
Message 2 of 6

Re: ENS AMSI False-Positive detections for powershell scripts


Without seeing the script it is tough to guess. I'd submit it to McAfee as a FP with the detection name.


Dave

McAfee Employee jess_arman
Message 3 of 6

Re: ENS AMSI False-Positive detections for powershell scripts


@kpham90 The answer from Support should not be to disable the feature. It is possible they may have suggested observe mode as a temporary way to avoid the false positives in the interim, in the event they are getting out of hand and to prevent removal of your needed script, while you can still monitor for suspicious behavior and take action if necessary.

I second Daveb3d's suggestion; you should work with Support to submit the script to McAfee Labs as a false positive detection. This will allow you to get the answers as to why the script was triggering and to resolve the detection once confirmed as a false positive. Instructions for proceeding with the submission can be found in KB85567.



Re: ENS AMSI False-Positive detections for powershell scripts


Yes, I have an open case and have submitted the scripts. However, because the false positives are production-impacting, we have opted to set all of our policies to put AMSI into observe mode only for now, until we can get clarification on how the ENS and AMSI integration determines bad vs. good scripts. It appears to be simple signature matching based on behavior; however, this also stops legitimate scripts from functioning, and we can't have that impacting our production environments. Also, from what I can tell there is no method to "whitelist" scripts based on something like code signing.
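
Since ENS offers no signer-based exclusion, the signature check the developers asked about can still be enforced one layer up, on the host that pushes the scripts. The following is an added example, not code from the thread or from McAfee: a small PowerShell gate that refuses to push any script that is not Authenticode-signed by an approved certificate, and only then hands the file to Invoke-Command (which is what spawns wsmprovhost.exe on the target). The function names, the thumbprint, the script name and the host names are all assumptions made up for the example; AMSI on the target still scans the scriptblock, so this reduces the unsigned-script surface but does not suppress ENS detections.

```powershell
# Added example (hypothetical names): gate remote PowerShell execution on a
# trusted Authenticode signer before the orchestration host ships the script.
# ENS/AMSI cannot exclude by signer, so the check lives in the push tooling.

function Test-TrustedScriptSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedSignerThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
    # means the file is unsigned or has been modified since signing.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is '$($sig.Status)'"
        return $false
    }
    # A valid chain is not enough; pin to the organisation's own signing certs.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($AllowedSignerThumbprints -notcontains $thumb) {
        Write-Warning "$Path : signed by non-approved certificate $thumb"
        return $false
    }
    return $true
}

function Invoke-TrustedRemoteScript {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $AllowedSignerThumbprints,
        [object[]] $ArgumentList = @()
    )
    if (-not (Test-TrustedScriptSignature -Path $Path -AllowedSignerThumbprints $AllowedSignerThumbprints)) {
        throw "Refusing to push untrusted script: $Path"
    }
    # -FilePath sends the (verified) file content as a scriptblock to each target;
    # the target's AMSI provider still scans it, so an ENS block is still logged there.
    Invoke-Command -ComputerName $ComputerName -FilePath $Path -ArgumentList $ArgumentList
}

# Usage with constructed values (placeholder thumbprint, placeholder hosts):
$trustedSigners = @('0000000000000000000000000000000000000000')   # replace with the DevOps signing cert thumbprint
Invoke-TrustedRemoteScript -Path '.\Configure-Staging.ps1' `
                           -ComputerName 'stg-web01', 'stg-web02' `
                           -AllowedSignerThumbprints $trustedSigners
```

The thumbprint pin is the important part: a script signed by any publicly trusted code-signing certificate would pass a bare Status check, so the gate would otherwise accept anything a third party signed. Thumbprints for the approved certificates can be read with Get-ChildItem Cert:\CurrentUser\My on the signing workstation.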


Re: ENS AMSI False-Positive detections for powershell scripts


Wow same here...

We have around 30 ePO installations which we run for customers, BUT beside that we have a software development team one level above us in our building, for which we manage Visual Studio and Release Management, and on TOP of it we have a non-commercial software deployment in PowerShell for the developer machines. A nightmare (we call those people Cowboys in Corporate IT).

Here we test the PowerShell exploit rules internally. 😉

First thing we wanted to know is how to debug the AMSI Module?

"the answer I'm getting from McAfee support is to "turn it off" by throwing it into observe mode."

> That's the PROBLEM we see with the IPS/EXPLOIT filter. They are afraid of killing a complete enterprise if they SUPPLY new rules ACTIVATED. So they supply them OFF or in MONITOR mode (not even Monitor).

Well, I never understood that. They don't want the risk on their side, BUT we should monitor 24/7 for NEW IPS rules coming in, test overnight, deploy to all our customers (HOW?), and then at the end zero-days go through anyway?

(We are aware of TIE/ATP/SANDBOX and have all that with large customers)
