Former Member
Message 1 of 6

ENS Exploit Prevention is blocking USB devices

Hi There,

I have a customer who was testing ENSTP and reported this issue today. According to my customer, when he plugs in a USB device, the USB device can't initialize correctly; in Windows Device Manager, an error says the device can't be initialized.

==================================

ENS Platform: 10.6.1.1607

ENS Threat Prevention: 10.6.1.1666 // DAT and Engine are updated correctly.

McAfee Agent 5.5.1/ McAfee ePO 5.10

OS: Windows 1809

Tested 3 nodes, and 2 of them encountered this issue.

===================================

I remoted to my customer in the afternoon; it seems that once Exploit Prevention is disabled, the issue is resolved.

I enabled debug logging for the Exploit Prevention module, but there doesn't seem to be any useful information in the debug logs:

11/25/2019 03:55:12.440 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: Enter >> Persist PreLoad
11/25/2019 03:55:12.443 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: Exit << Persist PreLoad, spent 0ms
11/25/2019 03:55:12.445 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: GetHash from vtp MD5 , file not found System
11/25/2019 03:55:12.446 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: Persist hash Target is missing or a folder
11/25/2019 03:55:12.448 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: === AP received aac reaction event, Send[false] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {A0D8A7A8-91F8-7AC6-AC44-785FA807C3DD}
Rule GUID : {32F221A2-843A-1E7C-748D-38EE88C631BC}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_BLOCK [16] IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
Rule Description: ABE1073E-C616-4DC1-AEE1-3B6485B67B86::BOPAP||USB Storage Device Inserted
Group Description:
EventID : 1092
Object Type : AAC_OBJECT_KEY
Object Name : HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
Process Name : System
Process Dll Path :
Process Id : 0x0000000000000004
Thread Id : 0x00000000000040dc
Target Process Id: 0x0000000000000000
Timestamp : 0x01d5a3a8b89ca702, 2019-11-25T07:55:12
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x00000000
Access Mask : 0x04000006 IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
RULE_ID : 1157
RULE_DESCRIPTION : USB Storage Device Inserted
CMD_LINE :
USER_NAME :I: NT AUTHORITY\SYSTEM
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_REGISTRY:IDS_BLADE_NAME_GEN
CREATED_TIME :I:
MODIFIED_TIME :I:
ACCESSED_TIME :I:
FILE_SIZE :I: 0
VTP_TRUST :I: [1] INT8: 1
CERT_NAME :I: ** N/A ** SourceProcessSigner, AAC_MATCH_CERT_NAME
MD5_A :I: [0] HASH: ** N/A ** SourceProcessHash, AP_DATA_MD5
PROCESS_SIGNED :I: false
SIGNER_TRUSTED :I: false
PROCESS_ID :I: [8] INT64: 4
FILE_NAME :I: System
FILE_PATH :I: System
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ABE1073E-C616-4DC1-AEE1-3B6485B67B86
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1
CONTENT_VERSION :T: 10.6.0.9684
CONTENT_CREATED :T:
RULE_DESCRIPTION :T: USB Storage Device Inserted
ACTION_TAKEN :T: IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_BOPAP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2019-11-25T07:55:12
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Unknown
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_BOPAP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 0
ACCESS_MASK_TXT :T: IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
CREATED_TIME :T:
MODIFIED_TIME :T:
ACCESSED_TIME :T:
FILE_SIZE :T: 0
VTP_TRUST :T: ** N/A ** Target_VTP_TRUST, AAC_MATCH_VTP_TRUST
FILE_PROPERTIES :T: ** N/A ** FileProperties, AAC_MATCH_FILE_PROPERTIES
CERT_NAME :T: ** N/A ** TargetSigner, AAC_MATCH_CERT_NAME
MD5_A :T: [0] HASH: ** N/A ** TargetHash, AP_DATA_MD5
PROCESS_SIGNED :T: false
SIGNER_TRUSTED :T: false
FILE_NAME :T:
FILE_NAME :T:
FILE_PATH :T: HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: LAPTOP-EORDI8A8
DRIVE_TYPE :T: ** N/A ** TargetDriveType, AP_DATA_DRIVE_TYPE
11/25/2019 03:55:32.410 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: Enter >> Persist PreLoad
11/25/2019 03:55:32.411 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: Exit << Persist PreLoad, spent 0ms
11/25/2019 03:55:32.413 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: GetHash from vtp MD5 , file not found System
11/25/2019 03:55:32.415 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: Persist hash Target is missing or a folder
11/25/2019 03:55:32.416 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: === AP received aac reaction event, Send[false] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {A0D8A7A8-91F8-7AC6-AC44-785FA807C3DD}
Rule GUID : {32F221A2-843A-1E7C-748D-38EE88C631BC}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_BLOCK [16] IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
Rule Description: ABE1073E-C616-4DC1-AEE1-3B6485B67B86::BOPAP||USB Storage Device Inserted
Group Description:
EventID : 1092
Object Type : AAC_OBJECT_KEY
Object Name : HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
Process Name : System
Process Dll Path :
Process Id : 0x0000000000000004
Thread Id : 0x0000000000002c44
Target Process Id: 0x0000000000000000
Timestamp : 0x01d5a3a8c483e1a0, 2019-11-25T07:55:32
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x00000000
Access Mask : 0x04000006 IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
RULE_ID : 1157
RULE_DESCRIPTION : USB Storage Device Inserted
CMD_LINE :
USER_NAME :I: NT AUTHORITY\SYSTEM
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_REGISTRY:IDS_BLADE_NAME_GEN
CREATED_TIME :I:
MODIFIED_TIME :I:
ACCESSED_TIME :I:
FILE_SIZE :I: 0
VTP_TRUST :I: [1] INT8: 1
CERT_NAME :I: ** N/A ** SourceProcessSigner, AAC_MATCH_CERT_NAME
MD5_A :I: [0] HASH: ** N/A ** SourceProcessHash, AP_DATA_MD5
PROCESS_SIGNED :I: false
SIGNER_TRUSTED :I: false
PROCESS_ID :I: [8] INT64: 4
FILE_NAME :I: System
FILE_PATH :I: System
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ABE1073E-C616-4DC1-AEE1-3B6485B67B86
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1
CONTENT_VERSION :T: 10.6.0.9684
CONTENT_CREATED :T:
RULE_DESCRIPTION :T: USB Storage Device Inserted
ACTION_TAKEN :T: IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_BOPAP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2019-11-25T07:55:32
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Unknown
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_BOPAP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 0
ACCESS_MASK_TXT :T: IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
CREATED_TIME :T:
MODIFIED_TIME :T:
ACCESSED_TIME :T:
FILE_SIZE :T: 0
VTP_TRUST :T: ** N/A ** Target_VTP_TRUST, AAC_MATCH_VTP_TRUST
FILE_PROPERTIES :T: ** N/A ** FileProperties, AAC_MATCH_FILE_PROPERTIES
CERT_NAME :T: ** N/A ** TargetSigner, AAC_MATCH_CERT_NAME
MD5_A :T: [0] HASH: ** N/A ** TargetHash, AP_DATA_MD5
PROCESS_SIGNED :T: false
SIGNER_TRUSTED :T: false
FILE_NAME :T:
FILE_NAME :T:
FILE_PATH :T: HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: LAPTOP-EORDI8A8
DRIVE_TYPE :T: ** N/A ** TargetDriveType, AP_DATA_DRIVE_TYPE
11/25/2019 03:55:32.417 PM mfeesp(8420.13664) <SYSTEM> ApBl.BOPAP.Debug: Enter >> Persist PreLoad
11/25/2019 03:55:32.419 PM mfeesp(8420.13664) <SYSTEM> ApBl.BOPAP.Debug: Exit << Persist PreLoad, spent 0ms
11/25/2019 03:55:32.421 PM mfeesp(8420.13664) <SYSTEM> ApBl.BOPAP.Debug: GetHash from vtp MD5 , file not found System
11/25/2019 03:55:32.422 PM mfeesp(8420.13664) <SYSTEM> ApBl.BOPAP.Debug: Persist hash Target is missing or a folder
11/25/2019 03:55:32.423 PM mfeesp(8420.13664) <SYSTEM> ApBl.BOPAP.Debug: === AP received aac reaction event, Send[false] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {A0D8A7A8-91F8-7AC6-AC44-785FA807C3DD}
Rule GUID : {32F221A2-843A-1E7C-748D-38EE88C631BC}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_BLOCK [16] IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
Rule Description: ABE1073E-C616-4DC1-AEE1-3B6485B67B86::BOPAP||USB Storage Device Inserted
Group Description:
EventID : 1092
Object Type : AAC_OBJECT_KEY
Object Name : HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
Process Name : System
Process Dll Path :
Process Id : 0x0000000000000004
Thread Id : 0x0000000000002c44
Target Process Id: 0x0000000000000000
Timestamp : 0x01d5a3a8c483ea95, 2019-11-25T07:55:32
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x00000000
Access Mask : 0x04000006 IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
RULE_ID : 1157
RULE_DESCRIPTION : USB Storage Device Inserted
CMD_LINE :
USER_NAME :I: NT AUTHORITY\SYSTEM
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_REGISTRY:IDS_BLADE_NAME_GEN
CREATED_TIME :I:
MODIFIED_TIME :I:
ACCESSED_TIME :I:
FILE_SIZE :I: 0
VTP_TRUST :I: [1] INT8: 1
CERT_NAME :I: ** N/A ** SourceProcessSigner, AAC_MATCH_CERT_NAME
MD5_A :I: [0] HASH: ** N/A ** SourceProcessHash, AP_DATA_MD5
PROCESS_SIGNED :I: false
SIGNER_TRUSTED :I: false
PROCESS_ID :I: [8] INT64: 4
FILE_NAME :I: System
FILE_PATH :I: System
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ABE1073E-C616-4DC1-AEE1-3B6485B67B86
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1
CONTENT_VERSION :T: 10.6.0.9684
CONTENT_CREATED :T:
RULE_DESCRIPTION :T: USB Storage Device Inserted
ACTION_TAKEN :T: IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_BOPAP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2019-11-25T07:55:32
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Unknown
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_BOPAP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 0
ACCESS_MASK_TXT :T: IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
CREATED_TIME :T:
MODIFIED_TIME :T:
ACCESSED_TIME :T:
FILE_SIZE :T: 0
VTP_TRUST :T: ** N/A ** Target_VTP_TRUST, AAC_MATCH_VTP_TRUST
FILE_PROPERTIES :T: ** N/A ** FileProperties, AAC_MATCH_FILE_PROPERTIES
CERT_NAME :T: ** N/A ** TargetSigner, AAC_MATCH_CERT_NAME
MD5_A :T: [0] HASH: ** N/A ** TargetHash, AP_DATA_MD5
PROCESS_SIGNED :T: false
SIGNER_TRUSTED :T: false
FILE_NAME :T:
FILE_NAME :T:
FILE_PATH :T: HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: LAPTOP-EORDI8A8
DRIVE_TYPE :T: ** N/A ** TargetDriveType, AP_DATA_DRIVE_TYPE
11/25/2019 03:55:39.534 PM mfetp(8844.17264) <SYSTEM> TmpLogger.Gbop.Debug: [k] Debug: 0x4,2b7c tracePosition 1 load KisIEProtecter64.dll ImageBase = 0xf720000 (0xf720000) ImageSize = 0x58000

Can you teach me how to further troubleshoot this issue? Thanks in advance.

5 Replies
McAfee Employee
Message 2 of 6

The event snippet you've pasted here is an Access Protection event, not an Exploit Prevention event:

EventID : 1092, RULE_DESCRIPTION : USB Storage Device Inserted

Can you confirm, if you disabled Exploit Prevention or Access Protection?

Former Member
Message 3 of 6

I can confirm it was the Exploit Prevention module that caused this issue. The logs pasted were also from ExploitPrevention_debug.log.

McAfee Employee
Message 4 of 6

Interesting... I'm going to see if I can reproduce this. If not, you would need to collect additional traces and submit them to Support. Exploit Prevention isn't something that can easily be looked into yourself.

Former Member
Message 5 of 6

This customer is doing POC testing and doesn't have a valid grant number... I will see if I can contact our sales team to help submit a ticket.

@chealey thanks for your prompt response; I'm looking forward to your reply. Please let me know if you require any additional data 😄

McAfee Employee
Message 6 of 6

Exploit Prevention signature ID 1157 "USB Storage Device Inserted" seems to be getting triggered. If you want USB insertion not to be blocked, disable this Exploit Prevention signature.

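The answer above was reached by reading the debug dump in the first post by hand. The following Python is an added example, not McAfee code and not from anyone in this thread: it parses the mfeesp "AP received aac reaction event" blocks (format as quoted above) into records and tallies which RULE_ID produced a BLOCK reaction, against which object and from which process, so the signature to exclude can be read off a long ExploitPrevention_debug.log instead of eyeballed. Assumptions: the sample log is constructed from the thread's own lines, trimmed to the fields used; the `:I:` / `:T:` suffixes are read as initiator (source process) and target, which is inferred from the field names and not documented; and the parser does not decide whether a rule belongs to Access Protection or Exploit Prevention, it only surfaces the RULE_ID, description and reaction strings so that question can be settled against the policy, as the thread did.

```python
# Added example, not McAfee code: triage ENS "AP received aac reaction event" dumps.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
# Constructed sample in the format quoted in the thread, trimmed to the fields used here.
SAMPLE_LOG = r"""11/25/2019 03:55:12.448 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: === AP received aac reaction event, Send[false] ===
Reaction : AAC_REACTION_BLOCK [16] IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
Rule Description: ABE1073E-C616-4DC1-AEE1-3B6485B67B86::BOPAP||USB Storage Device Inserted
Object Name : HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
Process Name : System
Process Id : 0x0000000000000004
Access Mask : 0x04000006 IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
RULE_ID : 1157
RULE_DESCRIPTION : USB Storage Device Inserted
FILE_PATH :T: HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
11/25/2019 03:55:32.416 PM mfeesp(8420.4204) <SYSTEM> ApBl.BOPAP.Debug: === AP received aac reaction event, Send[false] ===
Reaction : AAC_REACTION_BLOCK [16] IDS_ACTION_BLOCKED:IDS_BLADE_NAME_GEN
Object Name : HKLM\SYSTEM\CONTROLSET001\SERVICES\USBSTOR\ENUM\
Process Name : System
Process Id : 0x0000000000000004
Access Mask : 0x04000006 IDS_AAC_REQ_WRITE:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN
RULE_ID : 1157
RULE_DESCRIPTION : USB Storage Device Inserted
11/25/2019 03:55:39.534 PM mfetp(8844.17264) <SYSTEM> TmpLogger.Gbop.Debug: [k] Debug: 0x4,2b7c tracePosition 1
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"(?P<proc>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\) <\w+> (?P<logger>\S+): (?P<msg>.*)$")
# "Key : value", "Key: value", or "KEY :I: value" / "KEY :T: value". Reading I/T as
# initiator (source process) vs target is an assumption from the field names.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_ \[\]]*?)\s*:(?P<tag>[IT]:)?\s*(?P<val>.*)$")

@dataclass
class ReactionEvent:
    when: datetime
    fields: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str) -> str:
        return self.fields.get(key, "")

    @property
    def blocked(self) -> bool:
        return "AAC_REACTION_BLOCK" in self.get("Reaction")

    @property
    def engine_tag(self) -> str:
        """'<guid>::BOPAP||USB Storage Device Inserted' -> 'BOPAP'."""
        d = self.get("Rule Description")
        return d.split("::", 1)[1].split("||", 1)[0] if "::" in d and "||" in d else ""

def parse_reaction_events(text: str) -> List[ReactionEvent]:
    events: List[ReactionEvent] = []
    current: Optional[ReactionEvent] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                  # any timestamped line closes the open block
            current = None
            if "=== AP received aac reaction event" in m["msg"]:
                when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S.%f %p")
                current = ReactionEvent(when)
                events.append(current)
            continue
        f = FIELD_RE.match(line)
        if current is not None and f:          # e.g. FILE_PATH:I vs FILE_PATH:T
            key = f["key"].strip() + (":" + f["tag"][0] if f["tag"] else "")
            current.fields[key] = f["val"].strip()
    return events

@dataclass
class RuleSummary:
    rule_id: int
    description: str
    blocks: int = 0
    write_attempts: int = 0
    targets: Set[str] = field(default_factory=set)
    processes: Set[str] = field(default_factory=set)

def summarize_blocks(events: List[ReactionEvent]) -> Dict[Tuple[int, str], RuleSummary]:
    """Group BLOCK reactions by (rule id, description): how often, on what, by whom."""
    out: Dict[Tuple[int, str], RuleSummary] = {}
    for ev in events:
        if not ev.blocked or not ev.get("RULE_ID").isdigit():
            continue
        key = (int(ev.get("RULE_ID")), ev.get("RULE_DESCRIPTION"))
        s = out.setdefault(key, RuleSummary(*key))
        s.blocks += 1
        s.write_attempts += int("IDS_AAC_REQ_WRITE" in ev.get("Access Mask"))
        s.targets.add(ev.get("Object Name"))
        s.processes.add(f'{ev.get("Process Name")} (pid {int(ev.get("Process Id") or "0", 16)})')
    return out

if __name__ == "__main__":
    for s in summarize_blocks(parse_reaction_events(SAMPLE_LOG)).values():
        print(f"rule {s.rule_id} '{s.description}': {s.blocks} block(s), {s.write_attempts} requesting write; targets={sorted(s.targets)}; by={sorted(s.processes)}")
```

Point it at the full ExploitPrevention_debug.log rather than the sample. A rule that accumulates blocks with write access requested on HKLM\SYSTEM\...\SERVICES\USBSTOR\ENUM\ from the System process (pid 4) is consistent with the Device Manager symptom in the first post, since that key is written while the device is enumerated; the RULE_ID it reports (1157 here) is the one to look up in the policy and exclude.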
