
ENS Exploit Protection PowerShell Registry Bug?

Hi there,

we've been using PowerShell for login scripts in an AD domain for quite some time now and, because several settings were no longer being applied to new PCs, I accidentally came across something that looks like a quirk/bug to me:

On a machine with ENS 10.6.1 Threat Prevention installed and Exploit Protection active, try writing to a default value in the Registry using PowerShell and New-ItemProperty:

# Prerequisite
New-Item -Path HKCU:\Software\EnsTest -Force

# Works
New-ItemProperty -Path HKCU:\Software\EnsTest -Name 'Test' -PropertyType String -Value 'Some text' -Force

# '(default)' Crashes PowerShell
New-ItemProperty -Path HKCU:\Software\EnsTest -Name '(default)' -PropertyType String -Value 'Some text' -Force

PowerShell just closes (crashes) and only on writing to '(default)'. What is more, there is NO logging entry in the ENS event log so no indication of anything blocked or the like.

Windows Event Log (translated from German):

Faulting application name: powershell.exe, version: 10.0.17134.1, time stamp: 0x05e7290f
Faulting module name: HIPHandlers64.dll, version: 10.6.0.9246, time stamp: 0x5ccff778
Exception code: 0xc000000d
Fault offset: 0x00000000000071cc
Faulting process id: 0x12e0
Faulting application start time: 0x01d51531df335502
Faulting application path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Faulting module path: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll
Report Id: 66eb5fce-b3d2-4ee6-a75f-71267377e3ee
Faulting package full name:
Faulting package-relative application ID:

Tested on:

Windows 10 1803 & 1809 with current hotfixes

Endpoint Security Platform: 10.6.1.1206

Threat Protection: 10.6.1.1273

(managed by ePO)

If you turn "Exploit Protection" off in the administrative settings of ENS the command works/no crash.

Has anyone experienced this as well? Would that warrant a support ticket or am I overlooking something?

Thanks!

- Markus
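
An added repro harness (not part of Markus's post and not McAfee tooling) for anyone who wants to narrow this down before opening a ticket. Each registry write runs in its own child powershell.exe, so a crash in HIPHandlers64.dll terminates only the child and the harness records the NTSTATUS exit code (0xC000000D in the post) and any matching Application Error (Event ID 1000) entry. The first two probes are the post's own commands; the Set-ItemProperty, .NET Registry.SetValue and reg.exe /ve probes are assumptions added here to see whether the fault is tied to the cmdlet or to any write of the unnamed default value. The key path and value text are the post's.

```powershell
# Added example, not from the original post. Reproduce each registry write in a
# child powershell.exe so a crash kills the child, not this script, then
# correlate with Application Error (Event ID 1000) entries for that child's PID.
$KeyPath = 'HKCU:\Software\EnsTest'   # key used in the post
$RegPath = 'HKCU\Software\EnsTest'    # same key in reg.exe notation

New-Item -Path $KeyPath -Force | Out-Null

# One-liners to run in a fresh process. Probes 3-5 are assumptions (alternative
# ways of writing the '(default)' value), not results the post reports.
$Probes = [ordered]@{
    'New-ItemProperty named value'   = "New-ItemProperty -Path '$KeyPath' -Name 'Test' -PropertyType String -Value 'Some text' -Force"
    'New-ItemProperty (default)'     = "New-ItemProperty -Path '$KeyPath' -Name '(default)' -PropertyType String -Value 'Some text' -Force"
    'Set-ItemProperty (default)'     = "Set-ItemProperty -Path '$KeyPath' -Name '(default)' -Value 'Some text'"
    '.NET Registry.SetValue default' = "[Microsoft.Win32.Registry]::SetValue('HKEY_CURRENT_USER\Software\EnsTest', '', 'Some text')"
    'reg.exe /ve'                    = "reg.exe add $RegPath /ve /d 'Some text' /f | Out-Null"
}

function Invoke-RegistryProbe {
    param([string]$Name, [string]$Command)
    $start = Get-Date
    # Child process: if HIPHandlers64.dll faults, only this child dies.
    $p = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-NonInteractive', '-Command', $Command) `
        -WindowStyle Hidden -Wait -PassThru
    Start-Sleep -Seconds 2   # give WER a moment to write the Application Error event
    # Event 1000 carries the faulting PID as hex ("0x12e0" in the post), which is
    # language-independent, unlike the field labels.
    $pidHex = '0x{0:x}' -f $p.Id
    $crash = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $start
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'powershell\.exe' -and $_.Message -match [regex]::Escape($pidHex) } |
        Select-Object -First 1
    [pscustomobject]@{
        Probe        = $Name
        ExitCode     = $p.ExitCode
        ExitCodeHex  = '0x{0:X8}' -f $p.ExitCode        # NTSTATUS form, e.g. 0xC000000D
        Crashed      = [bool]$crash
        EnsModule    = if ($crash) { $crash.Message -match 'HIPHandlers64\.dll' } else { $false }
    }
}

$results = foreach ($probe in $Probes.GetEnumerator()) {
    Invoke-RegistryProbe -Name $probe.Key -Command $probe.Value
}
$results | Format-Table -AutoSize

# Optional cleanup of the test key:
# Remove-Item -Path $KeyPath -Recurse -Force
```

Run it once with Exploit Protection enabled and once with it disabled and compare the two tables; a probe that crashes only in the first run, with EnsModule set to True, is the one to attach to a support ticket together with the Event ID 1000 entry. Running the writes in child processes also means a login script could be restructured the same way as a stopgap, so a single faulting write does not abort the rest of the script.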
