Currently have ENS installed (ens.png) with a TIE server on-prem.
Trying to install an application called Teramind. A month ago, we worked on it and found that the executable changed names every time it installed. Marked the file(s)/hash as known trusted in TIE. After doing that, the application installed. Now, though, OAS is blocking it and ATP doesn't appear to be involved. See "annotation (2).png" for that information.
So. How do I get this to work if ATP isn't blocking it but OAS is? I can't exclude the file name because it changes, and I can't exclude the hash in OAS.
OAS blocks happen due to DAT detection or ARTEMIS (GTI) detection.
Interestingly, both incorporate more than just DAT/GTI but include various other factors such as behavior pattern, process spawning, generic driver detection, etc.
Since the file name keeps changing, I would suggest opening a malware support request and submitting the exe as a sample. We can then submit the file to the Lab and see if we can whitelist the file and, if possible, suppress future detection of the same file with different names as well.
While raising the SR, please help us by answering the following:
1. What is this application used for?
2. Is it a 3rd party or in-house application? If 3rd party, please specify the vendor.
3. Share the detection log with us.
Steps to submit a sample:
• Put the file in a zip folder. Ensure it has the .zip extension. Preferably use WinRAR / 7z.
• Make it password-protected with the word "infected" (without quotes).
• Log in to the McAfee service portal: Support.mcafee.com
• Click on the service request.
• Click on "submit sample".
• Upload the file.
Hope this helps!
I thought the ATP Real Protect scanner took priority over the OAS scanner? Is that not the case? Do they both run?
I ended up creating an exclusion in the ATP policy for the hash and it worked. OAS no longer triggered.
If the file is created every time, the hash changes every time, and so you cannot allow it by file reputation.
My suggestion is to allow the certificate of the file, so you don't have to worry about the hash.
And you can submit the file to McAfee if you know it's a false positive.
That's a great suggestion. Interestingly, though, the hash doesn't change - just the file name.
It is a Teramind installer. On the Teramind webpage, they say that most AV doesn't have a problem with the installer. Looking at VirusTotal, though, tells a different story.
Does the installer have to be submitted or can just the hash?