cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 11
Report Inappropriate Content
Message 1 of 20

ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Being Triggered

Jump to solution

Hi guys and girls!

One of our customers is receiving false alerts whenever an executable named DominoDefrag.exe launches a specific file with a double extension. The alert seen is below:

Suspicious Double File Extension Blocked - Alert Description.PNG

An exclusion is configured for this and is seen below and appears to be setup correctly.

ExP ExclusionExP Exclusion

They are still receiving alerts in respect of this though, is it a requirement of the Exploit Prevention rules to exclude the source process rather than the target? In other words, if DominoDefrag.exe was excluded should this have the desired effect, in respect of Rule ID 413 (Suspicious Double File Extension Blocked) only?

Thanks in advance!

Nick

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hi @Nick_B 

Yes. ENS in general only supports the exclusion of SOURCE. Not of the TARGET.

You could therefore exclude DominoDefrag.exe but not the .cmd part. If you want to achieve an exclusion based on target,  you could achieve this by creating an Expert Rule instead of using this in-built rule.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

19 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hi @Nick_B 

Yes. ENS in general only supports the exclusion of SOURCE. Not of the TARGET.

You could therefore exclude DominoDefrag.exe but not the .cmd part. If you want to achieve an exclusion based on target,  you could achieve this by creating an Expert Rule instead of using this in-built rule.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

Highlighted
Level 11
Report Inappropriate Content
Message 3 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hi @chealey 

Thank you, that was helpful!

I've reached out to the customer providing him with the information he needs to create an Expert Rule to cater for their specific requirement, i.e. create an expert rule to allow files with a specific double-extension to be read/launched by a specific process (dominodefrag.exe).

I just created my own test Expert Rule which you can see below. Do you think this would meet the customer's requirements?

Expert Rule ExampleExpert Rule Example

Thanks again!

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hey @Nick_B 

Looks good! 🙂

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
Level 11
Report Inappropriate Content
Message 5 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Thanks @chealey !

I'll keep you posted on how it goes.

Highlighted
Level 11
Report Inappropriate Content
Message 6 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hi @chealey 

I trust you are keeping well?!

The customer replied to me after I provided him with the instructions on creating an Expert Rule saying he has created one of these rules now, not on the actual file in question but rather a test one which he called New Text Document.txt.exe and it is triggering on Rule ID 413 as well as the one he created which has the ID 20002.

Please see below the entry from the Log on the device.

Test Expert Rule (triggering 2 signatures)Test Expert Rule (triggering 2 signatures)

He created the rule locally.

Any ideas why this Expert Rule is not functioning as expected?

Thanks in advance!

 

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hey @Nick_B 

It's Friday, always a good day 🙂 Hope you are doing well too!

Sorry, I feel I may have misunderstood you here but creating the Expert rule won't eliminate the default signature being triggered. You would need to turn this rule off to stop it being triggered. The Expert rule would need to be a full replacement of the default 413 rule otherwise you will continue to see the events. Please let me know if that answers you question or if I've horribly misunderstood what you are asking!

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
Level 11
Report Inappropriate Content
Message 8 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Heyy @chealey !

No problem at all, easily done! Indeed, Fridays are always welcome.... here comes the weekend (sang in a merry tone) 🙂

So, if we disable the in-built Rule ID 413 then programs executing files with double extensions other than the one specified in the Expert Rule will still be reported on or blocked, is that correct?

Also, just a small point here but if you click the little View button in the right-hand column of the 413 Rule whilst in the Signatures section of the Exploit Prevention policy, it provides a description of it. I've taken a snip of it for quick reference below and the bit I wanted to mention is highlighted. Basically it says to create an exception for legal programs that should not trigger this signature, rather than create an Expert Rule. Sorry if I'm sounding pedantic!

Rule ID 413 descriptionRule ID 413 description

The alert the user received after he launched the file with the double extension is below.

Triggering of the double extension signatureTriggering of the double extension signature

Hopefully this will shed more light on the issue!

Thanks in advance and speak soon!

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

"if we disable the in-built Rule ID 413 then programs executing files with double extensions other than the one specified in the Expert Rule will still be reported on or blocked, is that correct?" > No. You would need to create/ modify the rule you created specifically for this application to make it more generic so it would still block any other executing files with double extensions. The Expert Rule merely helps you be able to specify the TARGET as an exclusion, where this is not possible using the in-built rule set.

Haha, no worries - I fully see your point. Absolutely agree with you on the highlighted part however as I mentioned previously, ENS only has the capability to exclude based on the SOURCE and not the TARGET which is what you want to achieve. Excluding Targets is only possible by creating Expert Rules.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
Level 11
Report Inappropriate Content
Message 10 of 20

Re: ENS Exploit Prevention - "Suspicious Double File Extension Blocked" Signature Still Be

Jump to solution

Hiya @chealey 

Yep, that makes perfect sense! I knew there would be a logical explanation.

So, now that we've got that all straightened out, in order to create our Expert Rule (one Ring, whoops I mean Rule to rule them all 😉 ) well sort of, what would you say should go in the content of our Rule? If we take the example of the target being "New Text Document.txt.exe" and the source being "Explorer.exe". 

I created this which I think should cater for it, what do you reckon?

Rule {

Process {

Include OBJECT_NAME { -v “**” }

Exclude OBJECT_NAME { -v “SYSTEM” }

Exclude OBJECT_NAME { -v “Explorer.exe” }

}

Target {

Match THREAD {

Include OBJECT_NAME { -v “**” }

Exclude OBJECT_NAME { -v “**\New Text Document.txt.exe” }

Include -access “READ”

}

}

}

I was wondering if in our Master Replacing Rule (so to speak) should we be excluding SYSTEM?

Also, I was checking out a document written by a fellow named Debasish Mandal - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-mal... not sure if you've seen it but it is pretty useful.

Thanks and catch you soon!

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community