_VR_
Level 8
Message 1 of 8

ENS expert rule for Windows 10 NTFS vulnerability

Hello all.

There was a new unpatched vulnerability discovered which allows corrupting the MFT with one single command.

Without elevation to admin rights. It can be triggered in different ways: links, URLs, command files, etc.

It's about the NTFS index attribute, or '$i30'; detailed description:

https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-thi...

Can we get an ENS expert rule to prevent such calls?

Or maybe McAfee will cover this in the next Exploit Prevention Content update?

- - - - - - - - -
All warfare is based on deception
7 Replies
mmuthuga
McAfee Employee
Message 2 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

Hi @_VR_ 

Refer to the following content links to create an ENS expert rule.

Link1 
Link2 
Link3 

Please create a Technical Support Malware ticket to check on coverage and an expert rule for this vulnerability.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

_VR_
Level 8
Message 3 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

Hi @mmuthuga, thanks for the quick response.

Unfortunately, before creating the post I had already seen those sources.

1st link - common info about expert rules, a couple of examples but none about file attribute operations (!)

2nd link - nice video, but a little bit outdated - they were recorded at the time when expert rules were introduced (10.5.3). Nowadays we use 10.7

3rd link - still no example of attribute reading. I do not know exactly what operation I must block. It is not file creation or process execution.

I hope that I can find something similar here: https://github.com/mcafee/ExpertRules

I will try to create a rule but am still waiting for help.

Important:

The reason why I am asking for an example of a working rule is simple - we are dealing with file system hooks and I don't want to corrupt NTFS on thousands of systems just because of a lack of detailed and up-to-date examples of expert rules. Hope you understand my point.

I will be very grateful if someone from McAfee can write and test a working rule for this particular case.

It is a perfect case for a separate KB, because until MS decides to fix this, it can be used to corrupt systems.

- - - - - - - - -
All warfare is based on deception
mmuthuga
McAfee Employee
Message 4 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

Hi @_VR_ 

Please open a Malware service request with Technical Support for coverage and an expert rule for the vulnerability from McAfee Labs.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select "Accept as Solution" in my reply, so together we can help other members?

_VR_
Level 8
Message 5 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

Service Request # 4-21613344951 has been created.

Awaiting assistance.

- - - - - - - - -
All warfare is based on deception
Daveb3d
Reliable Contributor
Message 6 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

I haven't tested, but this should work, at least for some of it. The rule needs 10.7 though because of the child process command line.

 

Rule {
    Process {
        Include OBJECT_NAME {
            -v "**"
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**:\$i30:**" }
            Include -access "READ"
        }
        Match PROCESS {
            Include OBJECT_NAME {
                -v "cmd.exe"
                -v "powershell.exe"
            }
            Include PROCESS_CMD_LINE {
                -v "**:\$i30:**"
            }
            Include -access "CREATE"
        }
    }
}

_VR_
Level 8
Message 7 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

Hi, @Daveb3d

Thanks for your example. Now I can improvise.

I will test this and report on the results.

- - - - - - - - -
All warfare is based on deception
_VR_
Level 8
Message 8 of 8

Re: ENS expert rule for Windows 10 NTFS vulnerability

Sorry for the long delay. The customer and I tested it separately - the rule didn't block the operation.

Support put hashes of the files from the initial article into the DAT, but this is not a full mitigation, since those instructions can be and may be obfuscated.

Moreover, Redmond (MS) decided to fix this vuln., but only for dev builds of Windows 10:

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-drive-corruption-bug-what...

So, at this time the problem is not solved. But thanks for your time and assistance.

- - - - - - - - -
All warfare is based on deception
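The check that Daveb3d's expert rule expresses (matching ":$i30" in file paths and command lines) and the obfuscation caveat raised in the last post, as an added Python example that is not part of the thread and is not McAfee or ENS code: it scans constructed process-creation records for references to the NTFS index attribute after undoing percent-encoding, cmd.exe caret escapes and quoting, and it keeps ordinary file names that merely contain "$i30" out of the hits. The record field names "image" and "cmdline", the helper names and the sample lines are assumptions; this is telemetry-side detection that complements a vendor fix, not a blocking control.

```python
import re
import urllib.parse

# Added example (not from the forum thread): a log-side check for command lines
# or paths that reference the NTFS directory index attribute in the ':$i30'
# stream form, the same wildcard form the posted expert rule matched
# ("**:\$i30:**"). It detects references in telemetry; it does not block access.

# ':' followed by '$i30' as a whole token, case-insensitive. The leading colon is
# what separates a stream/attribute reference from an ordinary file name that
# happens to contain the characters "$i30".
INDEX_ATTR_RE = re.compile(r":\$i30\b", re.IGNORECASE)


def normalize(text: str, max_decode_rounds: int = 3) -> str:
    """Undo the cheap obfuscations the final post worries about before matching.

    - percent-encoding, including double-encoding (hence the loop), as seen in URLs
    - cmd.exe caret escapes, e.g. :^$i30
    - quote characters wrapped around or inside the path
    """
    decoded = text
    for _ in range(max_decode_rounds):
        once = urllib.parse.unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded.replace("^", "").replace('"', "").replace("'", "")


def references_index_attribute(text: str) -> bool:
    """True if the normalized text contains a ':$i30' attribute reference."""
    return INDEX_ATTR_RE.search(normalize(text)) is not None


# Constructed sample process-creation records (hypothetical field names
# "image"/"cmdline"); the '$i30' paths use placeholder attribute names.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c cd "C:\Users\demo\Documents"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c cd C:\example:$i30:PLACEHOLDER"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c Get-Item "C:\EXAMPLE:$I30:PLACEHOLDER"'},
    {"image": r"C:\Program Files\browser\browser.exe",
     "cmdline": "browser.exe file:///C:/example:%2524i30:PLACEHOLDER"},
    {"image": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe C:\Users\demo\price$i30.txt"},  # benign file name
]


def scan_events(events):
    """Return the records whose command line references the index attribute."""
    return [e for e in events if references_index_attribute(e["cmdline"])]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("index-attribute reference:", hit["image"], "|", hit["cmdline"])
```

Run against the constructed records, three of the five are flagged (the cmd.exe path, the upper-case PowerShell path and the double-percent-encoded file URL) and the benign "price$i30.txt" is not. The same normalize-then-match approach applies to any command-line or file-access telemetry you already collect, and is a reasonable way to measure how often the pattern shows up before deciding on a blocking rule.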