cancel
Showing results for 
Search instead for 
Did you mean: 

ENS ATP rule 239

Jump to solution

Hi,

I get a report in the ePO that an application interacts with powershell and is triggering the rule 239 (suspicious execution of an application through execution parameters). I don't know what the application is doing in detail. Are there any general guidelines what an application should not be doing to be compatible with ATP rule 239? I wish I could provide users willing to adapt there Software to the ATP rule 239 with some best practices on how to do that but so far I was unable to find much specifics on what is being considered a "suspicious execution of an application through execution parameters".

Any help clarifying that would be much appreciated!

 

1 Solution

Accepted Solutions
Highlighted
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: ENS ATP rule 239

Jump to solution

The reason you are still seeing detections is because the rule 239 contains various detection triggers.

Yes, if you raise an SR we can submit all the information to our engineering team and ask them to review and make suggestions if possible. We may even be able to do something from our side.

We would ask you to reproduce the issue with ENS debug logging enabled and then for you to provide an MER along with a very detailed description of what the application is used for, what actions it triggers, vendor of the application, etc. > the more information you can provide, the better. With a generic description we would not be able to submit the request to engineering.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
4 Replies
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: ENS ATP rule 239

Jump to solution

I'm afraid the specifics would be considered company secrets so wouldn't be able to be shared. But here are some thoughts:

- Review how the application gets called / initiated - it's likely the same way malware can be launched

-  Review what applications, executables or commands are being called by the applications, i.e. what command line usage is happening when the app is running

 

A good thing to do from our side, would be to submit the application via GetClean. This will help whitelist the application.

https://kc.mcafee.com/corporate/index?page=content&id=KB73044

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: ENS ATP rule 239

Jump to solution

The application itself has already went though the GetClean process and has an Known Trusted reputation in the GTI. However this does not change the behavior of ENS ATP with the 239 Rule - the action is still getting blocked despite the files positive reputation.

While I get it some configuration details cannot be shared publicly it is rather troublesome in a case of a false positive rule 239 detection to mitigate the problem and rewrite a custom made application if the customer does not know what to look for.

Would some assisted false positive 239 rule trigger search in the application be possible with open SR?

Highlighted
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: ENS ATP rule 239

Jump to solution

The reason you are still seeing detections is because the rule 239 contains various detection triggers.

Yes, if you raise an SR we can submit all the information to our engineering team and ask them to review and make suggestions if possible. We may even be able to do something from our side.

We would ask you to reproduce the issue with ENS debug logging enabled and then for you to provide an MER along with a very detailed description of what the application is used for, what actions it triggers, vendor of the application, etc. > the more information you can provide, the better. With a generic description we would not be able to submit the request to engineering.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 5 of 5

Re: ENS ATP rule 239

Jump to solution

Can you post the command line of it?   I can probably guess why it is triggering. 

 

Dave

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community