cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 1 of 4
‎11-26-2020 05:09 AM

Exclusion for Powershell alert from COMPATTELRUNNER.EXE

Jump to solution

 

How do I exclude COMPATTELRUNNER.EXE from this type of alert 

We have turned telemetry down to 0 on Windows 10 Enterprise

 

Threat Target Process Name:Threat Target File Path:Event Category:Event ID:Threat Severity:Threat Name:Threat Type:Action Taken:Threat Handled:Analyzer Detection Method:
POWERSHELL.EXE
C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Host intrusion buffer overflow
18054
Critical
ExP:Illegal API Use
Exploit Prevention
Blocked
True
Exploit Prevention
Events received from managed systems 
Event Description:
An exploit was attempted and blocked
Endpoint Security 
Module Name:Analyzer Content Creation Date:Analyzer Content Version:Analyzer Rule ID:Analyzer Rule Name:Source Description:Target Hash:Target Signed:Target Signer:Target Parent Process Signed:Target Parent Process Name:Target Parent Process Hash:Target Name:Target Path:Target File Size (Bytes):Target Modify Time:Target Access Time:Target Create Time:API Name:First Action Status:Second Action Status:Description:Attack Vector Type:
Threat Prevention
11/6/20 3:54:40 AM GMT
10.6.0.10858
6086
Powershell Command Restriction - Command
powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
cda48fc75952ad12d99e526d0b6bf70a
Yes
CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
No
COMPATTELRUNNER.EXE
339de473e8bd33b6a31c264285efc034
POWERSHELL.EXE
C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
451584
3/19/19 4:46:56 AM GMT
3/19/19 4:46:56 AM GMT
3/19/19 4:46:56 AM GMT
AtlComPtrAssign
Not available
Not available
ExP:Illegal API Use Blocked an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API.
Local System
0 Kudos
Reply
1 Solution

Accepted Solutions
hitesh_Reddy
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎11-26-2020 08:25 AM

Re: Exclusion for Powershell alert from COMPATTELRUNNER.EXE

Jump to solution

Hello Jadedby,

Thank you for writing, From the details shared, We are looking at the exploit prevent rule "6087 - Host intrusion buffer overflow" being violated.

Unfortunately, the event formed seems to be choppy, and could not exactly figure the details.

If we are looking at Target Parent Process Name: being "COMPATTELRUNNER.EXE", Please try the below exclusion and test it on 1 machine and see if that helps 

ENS Exploit Prevention policy:

Exclusion Type: illegal API Use
Process: POWERSHELL.EXE
Caller: COMPATTELRUNNER.EXE
API: AtlComPtrAssign

Was my reply helpful?

If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Hitesh



View solution in original post

Reply
3 Replies
hitesh_Reddy
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎11-26-2020 08:25 AM

Re: Exclusion for Powershell alert from COMPATTELRUNNER.EXE

Jump to solution

Hello Jadedby,

Thank you for writing, From the details shared, We are looking at the exploit prevent rule "6087 - Host intrusion buffer overflow" being violated.

Unfortunately, the event formed seems to be choppy, and could not exactly figure the details.

If we are looking at Target Parent Process Name: being "COMPATTELRUNNER.EXE", Please try the below exclusion and test it on 1 machine and see if that helps 

ENS Exploit Prevention policy:

Exclusion Type: illegal API Use
Process: POWERSHELL.EXE
Caller: COMPATTELRUNNER.EXE
API: AtlComPtrAssign

Was my reply helpful?

If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Hitesh



View solution in original post

Reply
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 3 of 4
‎11-26-2020 11:41 AM

Re: Exclusion for Powershell alert from COMPATTELRUNNER.EXE

Jump to solution

ok done .. I'll see in the morning .. thanks

 

Process Name
Caller Module Name
API Name
Signatures IDs
Service Name
IP Addresses
Actions
 
          
 
Illegal API Use - Buffer Overflow
POWERSHELL.EXE
COMPATTELRUNNER.EXE
AtlComPtrAssign
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 

 

0 Kudos
Reply
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 4 of 4
‎11-27-2020 08:22 AM

Re: Exclusion for Powershell alert from COMPATTELRUNNER.EXE

Jump to solution

perfect thanks

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC