mlajoie
Reliable Contributor
Message 1 of 5

ENS OAS & ATP

Currently have ENS installed (ens.png) with a TIE server on prem.

Trying to install an application called Teramind.  A month ago, we worked on it and found that the executable changed names every time it installed.  Marked the file(s)/hash as known trusted in TIE.  After doing that, application installed.  Now, though, OAS is blocking it and ATP doesn't appear to be involved.  See "annotation (2).png" for that information.

So.  How do I get this to work if ATP isn't blocking it but OAS is?  I can't exclude the file name because it changes and I can't exclude the hash in OAS.

 

4 Replies
alaskar
McAfee Employee
Message 2 of 5

Re: ENS OAS & ATP

Hi @mlajoie 

OAS blocks happen due to DAT detection or ARTEMIS (GTI) detection.

Interestingly, both incorporate more than just DAT/GTI and include various other factors such as behavior pattern, process spawning, generic driver detection, etc.

Since the file name keeps changing, I would suggest opening a malware support request and submitting the exe as a sample. We can then submit the file to the Lab and see if we can whitelist the file and, if possible, suppress future detection of the same file with different names as well.

While raising the SR, please help us by answering the following:
1. What is this application used for?

2. Is it a 3rd party or in-house application? If 3rd party, please specify the vendor.

3. Share the detection log with us.

Steps to submit a sample:
• Put the file in a zip folder. Ensure it has a .zip extension. Preferably use WinRAR/7z
• Make it password protected with the word "infected" without quotes
• Log in to the McAfee service portal: Support.mcafee.com
• Click on the service request
• Click on the submit sample
• Upload the file
• Submit

Hope this helps!

mlajoie
Reliable Contributor
Message 3 of 5

Re: ENS OAS & ATP

I thought the ATP Real Protect scanner took priority over the OAS scanner?  Is that not the case?  Do they both run?

I ended up creating an exclusion in the ATP policy for the hash and it worked.  OAS no longer triggered.

jmcg
Reliable Contributor
Message 4 of 5

Re: ENS OAS & ATP

If the file is created every time, the hash changes every time and so you cannot allow it by file reputation.
My suggestion is to allow the certificate of the file, so you don't have to worry about the hash.
And you can submit the file to McAfee if you know it's a false positive.

mlajoie
Reliable Contributor
Message 5 of 5

Re: ENS OAS & ATP

That's a great suggestion.  Interestingly, though, the hash doesn't change - just the file name.

It is a Teramind installer.  On the Teramind webpage, they say that most AV doesn't have a problem with the installer.  Looking at VirusTotal, though, tells a different story.

Does the installer have to be submitted or can just the hash?
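
Added example, not part of any post in this thread: a PowerShell check for the point the last two posts turn on, namely whether differently named copies of an installer share one hash and one valid signer before choosing a hash-based or certificate-based allow entry. The `-Folder` parameter, the temp-folder sample files and their names are assumptions constructed for illustration.

```powershell
param(
    [string]$Folder   # assumption: folder holding several downloaded copies of the installer
)

if (-not $Folder) {
    # Constructed sample input so the script runs offline: two files with
    # identical bytes under different names, plus one with different bytes.
    $Folder = Join-Path ([IO.Path]::GetTempPath()) ("installer-check-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $Folder | Out-Null
    Set-Content -Path (Join-Path $Folder 'setup_a1b2.exe') -Value 'constructed sample bytes'
    Set-Content -Path (Join-Path $Folder 'setup_c3d4.exe') -Value 'constructed sample bytes'
    Set-Content -Path (Join-Path $Folder 'other.exe')      -Value 'different sample bytes'
}

# Collect hash and Authenticode signer details for every file in the folder.
$report = Get-ChildItem -Path $Folder -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Name       = $_.Name
        SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# One group per distinct hash. A single group with several names means the
# bytes are stable and only the file name varies.
$report | Group-Object SHA256 | ForEach-Object {
    '{0}  ({1} file(s)): {2}' -f $_.Name, $_.Count, (($_.Group.Name | Sort-Object) -join ', ')
}

# Signer view. The constructed sample files are unsigned text, so they will
# not report Valid; real installer copies show the vendor certificate here.
$report | Format-Table Name, SigStatus, Signer, Thumbprint -AutoSize

$distinctHashes = @($report | Select-Object -ExpandProperty SHA256 -Unique).Count
$unsigned       = @($report | Where-Object { $_.SigStatus -ne 'Valid' }).Count
$signers        = @($report | Where-Object { $_.Thumbprint } |
                    Select-Object -ExpandProperty Thumbprint -Unique).Count

"Distinct hashes: $distinctHashes; files without a valid signature: $unsigned; distinct signers: $signers"
if ($distinctHashes -eq 1) { 'Same bytes under every name: a hash-based entry keeps matching.' }
elseif ($unsigned -eq 0 -and $signers -eq 1) { 'Hashes differ but one valid signer: consider a certificate-based entry.' }
else { 'Hashes differ and signing is missing or inconsistent: review each file before allowing.' }
```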
