cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 7
Report Inappropriate Content
Message 1 of 1

ENS Exploit Protection PowerShell Registry Bug?

Hi there,

we're using PowerShell for login scripts in an AD domain for quite some time right now and accidentally, because several settings weren't applied any more to new PCs, I came across something that looks like a quirk/bug to me:

On a machine with ENS 10.6.1 Threat Prevention installed and Exploit Protection active, try writing to a default value in Registry using PowerShell and New-ItemPorperty:

# Prerequisite
New-Item -Path HKCU:\Software\EnsTest -Force

# Works
New-ItemProperty -Path HKCU:\Software\EnsTest -Name 'Test' -PropertyType String -Value 'Some text' -Force

# '(default)' Crashes PowerShell
New-ItemProperty -Path HKCU:\Software\EnsTest -Name '(default)' -PropertyType String -Value 'Some text' -Force

PowerShell just closes (crashes) and only on writing to '(default)'. What is more, there is NO logging entry in the ENS event log so no indication of anything blocked or the like.

Windows Event  Log:

Name der fehlerhaften Anwendung: powershell.exe, Version: 10.0.17134.1, Zeitstempel: 0x05e7290f
Name des fehlerhaften Moduls: HIPHandlers64.dll, Version: 10.6.0.9246, Zeitstempel: 0x5ccff778
Ausnahmecode: 0xc000000d
Fehleroffset: 0x00000000000071cc
ID des fehlerhaften Prozesses: 0x12e0
Startzeit der fehlerhaften Anwendung: 0x01d51531df335502
Pfad der fehlerhaften Anwendung: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Pfad des fehlerhaften Moduls: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll
Berichtskennung: 66eb5fce-b3d2-4ee6-a75f-71267377e3ee
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:

Tested on:

Windows 10 1803 & 1809 with current hotfixes

Endpoint Security Platform: 10.6.1.1206

Threat Protection: 10.6.1.1273

(managed by ePO)

If you turn "Exploit Protection" off in the administrative settings of ENS the command works/no crash.

Has anyone experienced this as well? Would that warrant a support ticket or am I overlooking something?

Thanks!

- Markus

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community