My rule looks almost the same as Yours (screenshots of the rule below)
tried to replace $ witch * or ? but it didnt help
$ in the folder name isn't the problem (copied the vbs file to a folder named APPDATA\LOCAL\TEMP\0LDTMP0\ and lanching the file manualy also triggered the rule)
tried to import policy providec by You "Contains both 2.0 and PawelEm's custom 2.0"
and the same thing happened (Threat Name: 2.0: PawelEm's Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement)
and the event
Threat Event Log Details
Previous Next
Threat Event Log Information
Server ID: MCAFEE-AH
Event Received Time: 4/18/19 10:16:21 AM
Event Generated Time: 4/18/19 10:14:56 AM
Agent GUID: 504EE76C-4672-11E9-1F93-509A4CC3212D
Detecting Prod ID (deprecated): ENDP_AM_1060
Detecting Product Name: McAfee Endpoint Security
Detecting Product Version: 10.6.1.1128
Detecting Product Host Name: testhost
Detecting Product IPv4 Address: 10.200.38.48
Detecting Product IP Address: 10.200.38.48
Detecting Product MAC Address: f83441bd78a6
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source IPv4 Address: 10.200.38.48
Threat Source IP Address: 10.200.38.48
Threat Source MAC Address:
Threat Source User Name: HEADQUARTER\someuser
Threat Source Process Name: WSCRIPT.EXE
Threat Source URL:
Threat Target Host Name: testhost
Threat Target IPv4 Address: 10.200.38.48
Threat Target IP Address: 10.200.38.48
Threat Target MAC Address:
Threat Target User Name: SYSTEM
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path: C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\
Event Category: 'File' class or access
Event ID: 1092
Threat Severity: Critical
Threat Name: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement
Threat Type: Access Protection
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Access Protection
Events received from managed systems
Event Description: Access Protection rule violation detected and blocked
Endpoint Security
Module Name: Threat Prevention
Analyzer Content Creation Date: 9/22/15 1:11:11 PM
Analyzer Content Version: 10.6.0
Analyzer Rule Name: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement
Source Process Hash: 7075dd7b9be8807fca93acd86f724884
Source Process Signed: Yes
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
Source File Path: C:\WINDOWS\SYSWOW64
Source File Size (Bytes): 147456
Source Modify Time: 4/12/18 3:34:59 AM
Source Access Time: 4/12/18 3:34:59 AM
Source Create Time: 4/12/18 3:34:59 AM
Target Signed: No
Target Path: C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\
Target Modify Time: 4/18/19 12:10:27 PM
Target Access Time: 4/18/19 12:10:27 PM
Target Create Time: 4/18/19 12:10:12 PM
First Action Status: Not available
Second Action Status: Not available
Description: HEADQUARTER\someuser ran WSCRIPT.EXE, which tried to access C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\, violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement", and was blocked. For information on how to respond to this event, see KB85494.
Duration Before Detection (Days): >7 days
Attack Vector Type: Local System
Access Requested: Execute
You Deserve an Award
Community Help Hub
-
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.
- Find Forum FAQs
- Learn How to Earn Badges
- Ask for Help
Join the Community
-
Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:
- Get helpful solutions from McAfee experts.
- Stay connected to product conversations that matter to you.
- Participate in product groups led by McAfee employees.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA