
Exclusion of specific "ExP:Invalid Call" doesn't work

Hey there!

I'm getting a lot of this exploit prevention threats:

Event Received Time: 11/16/17 7:05:33 AM

Event Generated Time: 11/15/17 3:24:17 PM

Agent GUID: 4E52918C-60CF-11E7-2995-3C52823F0B67

Detecting Prod ID (deprecated): ENDP_AM_1020

Detecting Product Name: McAfee Endpoint Security

Detecting Product Version: 10.5.3.3264

Detecting Product Host Name: NB08295

Detecting Product IPv4 Address: 10.51.2.99

Detecting Product IP Address: 10.51.2.99

Detecting Product MAC Address: 3c52823f0b67

DAT Version:

Engine Version:

Threat Source Host Name:

Threat Source IPv4 Address: 10.51.2.99

Threat Source IP Address: 10.51.2.99

Threat Source MAC Address:

Threat Source User Name:

Threat Source Process Name:

Threat Source URL:

Threat Target Host Name: NB08295

Threat Target IPv4 Address: 10.51.2.99

Threat Target IP Address: 10.51.2.99

Threat Target MAC Address:

Threat Target User Name:

Threat Target Port Number:

Threat Target Network Protocol:

Threat Target Process Name: IEXPLORE.EXE

Threat Target File Path: C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE

Event Category: Host intrusion buffer overflow

Event ID: 18055

Threat Severity: Critical

Threat Name: ExP:Invalid Call

Threat Type: Exploit Prevention

Action Taken: Would block

Threat Handled: True

Analyzer Detection Method: Exploit Prevention

Events received from managed systems

Event Description: A suspicious call was detected and blocked

Additional Event details from VirusScan Enterprise

Endpoint Security

Module Name: Threat Prevention

Analyzer Content Creation Date: 11/15/17 3:19:35 PM

Analyzer Content Version: 10.5.0.8137

Analyzer Rule ID: 6015

Target Hash: 41c5d70956a565f7ae1979c9c165ea84

Target Signed: Yes

Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION

Target Parent Process Signed: Yes

Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION

Target Parent Process Name: IEXPLORE.EXE

Target Parent Process Hash: 1bb97e45d30d6884217b70e215591f97

Target Name: IEXPLORE.EXE

Target Path: C:\PROGRAM FILES (X86)\INTERNET EXPLORER

Target File Size (Bytes): 815312

Target Modify Time: 9/9/17 3:47:21 AM

Target Access Time: 11/6/17 8:17:32 AM

Target Create Time: 11/6/17 8:17:32 AM

API Name: InternetReadFile

First Action Status: Not available

Second Action Status: Not available

Description: ExP:Invalid Call was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.

Attack Vector Type: Local System

As far as I discovered, that's not really a threat and can be excluded. So I went to the Exploit Prevention policies and looked for Rule ID 6015. I found it, but it's disabled and wasn't set to report or block.

So I created this exclusion, but it won't work; I still get those events. What am I doing wrong here?

[Attached screenshots of the exclusion: 01.PNG, 02.PNG]


How can I exclude this certain type of threat? Is there a best practice guide for handling such events?

Thanks a lot for your help!
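The event record above is a flat "Key: Value" dump, and the details an exclusion has to match (rule ID, target process, calling module, targeted API, whether the rule was in Report Only mode) are spread across several fields, one of them buried in the Description sentence. The following script is an added triage example and not part of this thread or of McAfee's tooling; it parses a record in that format into the fields a defender needs before deciding whether an ExP event is noise. The sample event is a constructed, trimmed copy of the values quoted in the post.

```python
import re

# Constructed sample: a trimmed copy of the ePO event fields quoted in the post above.
SAMPLE_EVENT = """\
Threat Target Process Name: IEXPLORE.EXE
Event ID: 18055
Threat Name: ExP:Invalid Call
Action Taken: Would block
Analyzer Rule ID: 6015
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
API Name: InternetReadFile
Description: ExP:Invalid Call was detected as an attempt to exploit C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.
"""

# Pulls target path, calling module and targeted API out of the Description sentence.
DESC_RE = re.compile(
    r"attempt to exploit (?P<target>.+?) called from module (?P<caller>[^,\s]+), "
    r"which targeted the (?P<api>\S+) API"
)


def parse_event(text):
    """Turn 'Key: Value' lines into a dict; the first colon separates key from value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def triage(fields):
    """Summarise an ExP event as the facts an exclusion or a tuning decision rests on."""
    description = fields.get("Description", "")
    m = DESC_RE.search(description)
    desc = m.groupdict() if m else {}
    signer = fields.get("Target Signer", "")
    return {
        "rule_id": fields.get("Analyzer Rule ID", ""),
        "threat": fields.get("Threat Name", ""),
        "process": fields.get("Threat Target Process Name", ""),
        "caller_module": desc.get("caller", ""),
        "api": desc.get("api", "") or fields.get("API Name", ""),
        # "Would block" plus this sentence means the rule never enforced; it only reported.
        "report_only": "Report Only" in description,
        # A Microsoft-signed target calling from a vendor plug-in is a typical false positive pattern.
        "target_signed_microsoft": fields.get("Target Signed") == "Yes"
        and "O=MICROSOFT CORPORATION" in signer,
    }
```

Run `triage(parse_event(SAMPLE_EVENT))` to get the rule ID, process, calling module and API for the event in the post; feed the same function your own exported events to group recurring ExP noise by those four values before writing an exclusion.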

2 Replies

Re: Exclusion of specific "ExP:Invalid Call" doesn't work

Hi Fabhoo,

I'm experiencing a similar scenario, but I wanted to know whether you flagged this as not related to a threat?

I observe the same description as you mentioned. Any help would be really appreciated!


Thanks,
Tarun
(feel free to reach out to me at tarun.singh1092@gmail.com)


Re: Exclusion of specific "ExP:Invalid Call" doesn't work

Please see KB90074

This issue is expected to be resolved in Endpoint Security 10.5.3 Hotfix 2

https://kc.mcafee.com/corporate/index?page=content&id=KB90074&actp=null&viewlocale=en_US
