fabhoo
Level 8

Exclusion of specific "ExP:Invalid Call" doesn't work

Hey there!

I'm getting a lot of this exploit prevention threats:

Event Received Time: 11/16/17 7:05:33 AM

Event Generated Time: 11/15/17 3:24:17 PM

Agent GUID: 4E52918C-60CF-11E7-2995-3C52823F0B67

Detecting Prod ID (deprecated): ENDP_AM_1020

Detecting Product Name: McAfee Endpoint Security

Detecting Product Version: 10.5.3.3264

Detecting Product Host Name: NB08295

Detecting Product IPv4 Address: 10.51.2.99

Detecting Product IP Address: 10.51.2.99

Detecting Product MAC Address: 3c52823f0b67

DAT Version:

Engine Version:

Threat Source Host Name:

Threat Source IPv4 Address: 10.51.2.99

Threat Source IP Address: 10.51.2.99

Threat Source MAC Address:

Threat Source User Name:

Threat Source Process Name:

Threat Source URL:

Threat Target Host Name: NB08295

Threat Target IPv4 Address: 10.51.2.99

Threat Target IP Address: 10.51.2.99

Threat Target MAC Address:

Threat Target User Name:

Threat Target Port Number:

Threat Target Network Protocol:

Threat Target Process Name: IEXPLORE.EXE

Threat Target File Path: C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE

Event Category: Host intrusion buffer overflow

Event ID: 18055

Threat Severity: Critical

Threat Name: ExP:Invalid Call

Threat Type: Exploit Prevention

Action Taken: Would block

Threat Handled: True

Analyzer Detection Method: Exploit Prevention

Events received from managed systems

Event Description: A suspicious call was detected and blocked

Additional Event details from VirusScan Enterprise

Endpoint Security

Module Name: Threat Prevention

Analyzer Content Creation Date: 11/15/17 3:19:35 PM

Analyzer Content Version: 10.5.0.8137

Analyzer Rule ID: 6015

Target Hash: 41c5d70956a565f7ae1979c9c165ea84

Target Signed: Yes

Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION

Target Parent Process Signed: Yes

Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION

Target Parent Process Name: IEXPLORE.EXE

Target Parent Process Hash: 1bb97e45d30d6884217b70e215591f97

Target Name: IEXPLORE.EXE

Target Path: C:\PROGRAM FILES (X86)\INTERNET EXPLORER

Target File Size (Bytes): 815312

Target Modify Time: 9/9/17 3:47:21 AM

Target Access Time: 11/6/17 8:17:32 AM

Target Create Time: 11/6/17 8:17:32 AM

API Name: InternetReadFile

First Action Status: Not available

Second Action Status: Not available

Description: ExP:Invalid Call was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.

Attack Vector Type: Local System

As far as I discovered, that's not really a threat and can be excluded. So I went to the exploit prevention policies and looked for Rule ID 6015. I found it, but it's disabled and wasn't set to report or block.

So I created this exclusion, but it won't work; I still get those events. What am I doing wrong here?

01.PNG

02.PNG


How can I exclude this particular type of threat? Is there a best practice guide for handling such events?

Thanks a lot for your help!

0 Kudos
2 Replies
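
For anyone who has to triage a flood of these events before deciding what to exclude, the following is an added example (not McAfee's code and not posted by anyone in this thread) that parses an ePO event record like the one above into the fields a narrow exclusion would be keyed on: rule ID, protected process, calling module, API and whether the action was enforced or only reported. It assumes the "Label: value" layout shown in the post; SAMPLE_EVENT is a constructed, trimmed copy of that record, and the function names are our own.

```python
"""Parse a McAfee ENS Exploit Prevention event as pasted from ePO and extract
the fields an administrator needs to triage it and to scope an exclusion.
Added example for this thread, not McAfee's code: the field labels follow the
record quoted in the post; the function names and SAMPLE_EVENT are our own."""
import re
from collections import Counter

# Constructed sample, trimmed from the event record in the original post.
SAMPLE_EVENT = """\
Threat Target Process Name: IEXPLORE.EXE
Threat Target File Path: C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE
Threat Name: ExP:Invalid Call
Action Taken: Would block
Analyzer Rule ID: 6015
Target Hash: 41c5d70956a565f7ae1979c9c165ea84
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
API Name: InternetReadFile
Description: ExP:Invalid Call was detected as an attempt to exploit C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.
"""

# The Description line is the only place the event names the calling module.
DESC_RE = re.compile(
    r"called from module (?P<module>[^,]+), which targeted the (?P<api>\S+) API"
)


def parse_event(text):
    """Split 'Label: value' lines into a dict. Splits on the first colon only,
    so values such as 'C:\\...' paths and the Description text stay intact;
    labels with no value (e.g. 'DAT Version:') map to ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


def is_report_only(fields):
    """'Would block' means Exploit Prevention logged but did not enforce."""
    return fields.get("Action Taken") == "Would block" or \
        "Report Only" in fields.get("Description", "")


def exclusion_scope(fields):
    """Return the attributes a narrow exclusion should be keyed on: the rule,
    the protected process, the calling module and the API. The module and API
    are taken from the Description and cross-checked against 'API Name'."""
    match = DESC_RE.search(fields.get("Description", ""))
    module = match.group("module").strip() if match else None
    api = match.group("api") if match else None
    if api and fields.get("API Name") and api != fields["API Name"]:
        raise ValueError("API in Description disagrees with 'API Name' field")
    return {
        "rule_id": fields.get("Analyzer Rule ID"),
        "process": fields.get("Threat Target Process Name"),
        "process_path": fields.get("Threat Target File Path"),
        "caller_module": module,
        "api": api or fields.get("API Name"),
        "target_signed": fields.get("Target Signed") == "Yes",
        "target_signer": fields.get("Target Signer"),
        "target_hash": fields.get("Target Hash"),
        "mode": "report_only" if is_report_only(fields) else "enforcing",
    }


def summarize(event_texts):
    """Count events by (rule, process, caller module, API) so that a flood of
    ExP events can be reduced to the few combinations that actually recur."""
    counts = Counter()
    for text in event_texts:
        scope = exclusion_scope(parse_event(text))
        counts[(scope["rule_id"], scope["process"],
                scope["caller_module"], scope["api"])] += 1
    return counts


if __name__ == "__main__":
    for key, value in exclusion_scope(parse_event(SAMPLE_EVENT)).items():
        print(f"{key:15} {value}")
    print(summarize([SAMPLE_EVENT, SAMPLE_EVENT]).most_common(1))
```

Feeding a day's worth of exported events through summarize() shows which (rule, process, module, API) combinations dominate; an exclusion pinned to the calling module and API is much narrower than excluding the process, and the "Would block" / Report Only mode recorded in the event confirms nothing was actually blocked, which is useful when verifying whether a hotfix such as the one referenced in KB90074 has made the events stop.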

Re: Exclusion of specific "ExP:Invalid Call" doesn't work

Hi Fabhoo,

I'm experiencing a similar scenario, but I wanted to know: did you flag this as not related to a threat?

I observe the same description as you mentioned. Any help would be really appreciated!


Thanks,
Tarun
(feel free to reach out to me at- tarun.singh1092@gmail.com)

0 Kudos
dcinotti
Level 7

Re: Exclusion of specific "ExP:Invalid Call" doesn't work

Please see KB90074

This issue is expected to be resolved in Endpoint Security 10.5.3 Hotfix 2

https://kc.mcafee.com/corporate/index?page=content&id=KB90074&actp=null&viewlocale=en_US