ENS Exploit Prevention Exclusions - Process

Question about adding process exclusions for Exploit Prevention Illegal API rules. When adding a process exclusion for Illegal API use, the first section is for the process you want to exclude. When I look at the threat event I want to exclude, there is a Target Parent Process and a Target Process. Which one should I enter into the rule?


For example below, do I use powershell.exe or snowagent.exe?


Module Name: Threat Prevention Analyzer

Content Creation Date: 10/1/18 10:12:48 PM

Analyzer Content Version: 10.6.0.8701

Analyzer Rule ID: 6086

Analyzer Rule Name: Powershell Command Restriction - Command Source

Description: "C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -NONINTERACTIVE -NOPROFILE -COMMAND "& {FUNCTION RUN-SERVER() { PARAM([STRING]$H); $B = NEW-OBJECT BYTE[] 8; $P = NEW-OBJECT SYSTEM.IO.PIPES.ANONYMOUSPIPECLIENTSTREAM -ARGUMENTLIST @([SYSTEM.IO.P

Target Hash: a575a7610e5f003cc36df39e07c4ba7d

Target Signed: Yes

Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS

Target Parent Process Signed: Yes

Target Parent Process Signer: C=SE, S=STOCKHOLM COUNTY, L=SOLNA, O=SNOW SOFTWARE AB, CN=SNOW SOFTWARE AB

Target Parent Process Name: SNOWAGENT.EXE

Target Parent Process Hash: 7788333cc188d306772c357cc745daca

Target Name: POWERSHELL.EXE

Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0

Target File Size (Bytes): 443392

Target Modify Time: 12/8/16 4:34:22 PM

Target Access Time: 11/7/18 4:27:07 AM

Target Create Time: 11/7/18 4:27:07 AM

API Name: AtlComPtrAssign

First Action Status: Not available

Second Action Status: Not available

Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only.

Attack Vector Type: Local System
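As an added example (not part of the original post and not McAfee code), the following Python parses a threat event laid out as "Field: value" lines, like the Threat Prevention Analyzer record above, and pulls out the two processes the event names so the target and its parent can be compared side by side (name, path, signer CN, hash) before deciding which one goes into the exclusion. The sample record is constructed from the values in the post; the field names are taken from that record, the helper names are the example's own, and nothing here asserts the ENS exclusion syntax itself.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the same "Field: value" layout as the Threat Prevention
# Analyzer record in the question, values copied from that record (the command
# line is cut off on the page and is kept cut off here).
SAMPLE_EVENT = r"""Module Name: Threat Prevention Analyzer
Analyzer Content Version: 10.6.0.8701
Analyzer Rule ID: 6086
Analyzer Rule Name: Powershell Command Restriction - Command Source
Description: "C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -NONINTERACTIVE -NOPROFILE -COMMAND "& {FUNCTION RUN-SERVER() { PARAM([STRING]$H); $B = NEW-OBJECT BYTE[] 8; $P = NEW-OBJECT SYSTEM.IO.PIPES.ANONYMOUSPIPECLIENTSTREAM -ARGUMENTLIST @([SYSTEM.IO.P
Target Hash: a575a7610e5f003cc36df39e07c4ba7d
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Signed: Yes
Target Parent Process Signer: C=SE, S=STOCKHOLM COUNTY, L=SOLNA, O=SNOW SOFTWARE AB, CN=SNOW SOFTWARE AB
Target Parent Process Name: SNOWAGENT.EXE
Target Parent Process Hash: 7788333cc188d306772c357cc745daca
Target Name: POWERSHELL.EXE
Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
Target File Size (Bytes): 443392
API Name: AtlComPtrAssign
Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only.
Attack Vector Type: Local System
"""

# A field line is "<label>: <value>"; the label is matched non-greedily so the
# first colon ends it (the value may itself contain "C:\..." paths).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()]*?):\s*(.*)$")


def parse_event(text: str) -> Dict[str, List[str]]:
    """Parse field lines into label -> list of values.
    Lists are needed because the record carries 'Description' twice:
    once for the command line, once for the ExP verdict text."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line) if line else None
        if not m:
            continue  # blank or non-field line
        fields.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return fields


def first(fields: Dict[str, List[str]], key: str) -> Optional[str]:
    vals = fields.get(key)
    return vals[0] if vals else None


def signer_cn(dn: Optional[str]) -> Optional[str]:
    """Pull the CN out of a signer DN like 'C=US, ..., CN=MICROSOFT WINDOWS'."""
    if not dn:
        return None
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def process_candidates(fields: Dict[str, List[str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """The two processes an ExP event names, keyed by role.
    'target' is the process the API call was observed in (Target Name/Path);
    'parent' is what launched it (Target Parent Process ...). Which of the two
    belongs in the exclusion is the question the thread is about."""
    path, name = first(fields, "Target Path"), first(fields, "Target Name")
    return {
        "target": {
            "name": name,
            "full_path": f"{path}\\{name}" if path and name else name,
            "hash": first(fields, "Target Hash"),
            "signed": first(fields, "Target Signed"),
            "signer_cn": signer_cn(first(fields, "Target Signer")),
        },
        "parent": {
            "name": first(fields, "Target Parent Process Name"),
            "full_path": None,  # the record carries no path for the parent
            "hash": first(fields, "Target Parent Process Hash"),
            "signed": first(fields, "Target Parent Process Signed"),
            "signer_cn": signer_cn(first(fields, "Target Parent Process Signer")),
        },
    }


def rule_summary(fields: Dict[str, List[str]]) -> Dict[str, object]:
    """Signature ID, API name, the offending command line and whether the
    event was report-only (i.e. nothing was actually blocked)."""
    descs = fields.get("Description", [])
    verdict = next((d for d in descs if d.startswith("ExP:")), None)
    return {
        "signature_id": first(fields, "Analyzer Rule ID"),
        "signature_name": first(fields, "Analyzer Rule Name"),
        "api": first(fields, "API Name"),
        "command_line": next((d for d in descs if not d.startswith("ExP:")), None),
        "report_only": verdict is not None and "Report Only" in verdict,
    }


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    for role, p in process_candidates(ev).items():
        print(f"{role:6s} {p['name']:15s} signed={p['signed']} signer={p['signer_cn']} md5={p['hash']}")
    print(rule_summary(ev))
```

Run against a pasted event, the output lists both candidates with their signer CNs and hashes, which is what a test policy on a single machine (as suggested in the replies) would then be built from.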

3 Replies

ZGreen

Re: ENS Exploit Prevention Exclusions - Process

It should be the first one since that is the actual API. I ran into the same issue running App-V. App-V which I made the exclusion for could push any product. If you make it for the 2nd one it may not work for any other product you push through the API. Try getting a test policy and placing it on one system to see if it works properly. 

chealey (McAfee Employee)

Re: ENS Exploit Prevention Exclusions - Process

Hi @User24390971 

Take a look at this thread - I believe it will be of assistance to you:

https://community.mcafee.com/t5/Endpoint-Security-ENS/Problem-with-exclusion-for-endpoint-threat-pre...

Kenchee_etf (McAfee Employee)

Re: ENS Exploit Prevention Exclusions - Process

Hello @User24390971 

@chealey's link above is the one that has the answer to your question.

There you may find my post about "PowerShell Command parameters", where the logic is exactly the same and the only difference is that different signatures will trigger when you use different parameters:

Description: "C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -NONINTERACTIVE -NOPROFILE -COMMAND "& {FUNCTION RUN-SERVER() { PARAM([STRING]$H); $B = NEW-OBJECT BYTE[] 8; $P = NEW-OBJECT SYSTEM.IO.PIPES.ANONYMOUSPIPECLIENTSTREAM -ARGUMENTLIST @([SYSTEM.IO.P

hence signature 6086 is triggered by the -Command that is passed.

I even mentioned "Signature 6086 executed -Command" as one of examples in my post.

Best regards.
