Re: Exclusions for Access protection's "Block scripts ran from common user folders"

Thank you for the answer.
Can you upload the files once again? I get a 404 error when trying to download them.

Also, in the meantime I tried to change the exclusion in my user-defined rule.
To be certain the original rule targeted this file: "C:\USERS\Isomeuser\APPDATA\LOCAL\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS"

So in the subrule exclusions I tried a couple of variations:
**\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS
**\$LDTMP$\CLIENTSIDEENABLEWOL.VBS
**\TEMP\$LDTMP$\*.VBS
**\$LDTMP$\*.VBS

Unfortunately it triggered every time.

 

McAfee Employee jess_arman
Message 12 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

@PawelEm Try this; I put them in a .zip

It is possible that you're not putting the exclusion in the proper subrule section (can't be sure since I can't see your whole policy) or that the $ is tripping things up. I would recommend trying the \*LDTMP*\ or \?LDTMP?\ to see if it helps?

 


Re: Exclusions for Access protection's "Block scripts ran from common user folders"

My rule looks almost the same as yours (screenshots of the rule below).
I tried to replace $ with * or ?, but it didn't help.
$ in the folder name isn't the problem (I copied the .vbs file to a folder named APPDATA\LOCAL\TEMP\0LDTMP0\ and launching the file manually also triggered the rule).

I tried to import the policy provided by you ("Contains both 2.0 and PawelEm's custom 2.0")
and the same thing happened (Threat Name: 2.0: PawelEm's Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement).

[screenshots: rule_1.png, rule_2.png]

And the event:

Threat Event Log Details
Threat Event Log Information
Server ID: MCAFEE-AH
Event Received Time: 4/18/19 10:16:21 AM
Event Generated Time: 4/18/19 10:14:56 AM
Agent GUID: 504EE76C-4672-11E9-1F93-509A4CC3212D
Detecting Prod ID (deprecated): ENDP_AM_1060
Detecting Product Name: McAfee Endpoint Security
Detecting Product Version: 10.6.1.1128
Detecting Product Host Name: testhost
Detecting Product IPv4 Address: 10.200.38.48
Detecting Product IP Address: 10.200.38.48
Detecting Product MAC Address: f83441bd78a6
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source IPv4 Address: 10.200.38.48
Threat Source IP Address: 10.200.38.48
Threat Source MAC Address:
Threat Source User Name: HEADQUARTER\someuser
Threat Source Process Name: WSCRIPT.EXE
Threat Source URL:
Threat Target Host Name: testhost
Threat Target IPv4 Address: 10.200.38.48
Threat Target IP Address: 10.200.38.48
Threat Target MAC Address:
Threat Target User Name: SYSTEM
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path: C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\
Event Category: 'File' class or access
Event ID: 1092
Threat Severity: Critical
Threat Name: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement
Threat Type: Access Protection
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Access Protection
Events received from managed systems
Event Description: Access Protection rule violation detected and blocked
Endpoint Security
Module Name: Threat Prevention
Analyzer Content Creation Date: 9/22/15 1:11:11 PM
Analyzer Content Version: 10.6.0
Analyzer Rule Name: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement
Source Process Hash: 7075dd7b9be8807fca93acd86f724884
Source Process Signed: Yes
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
Source File Path: C:\WINDOWS\SYSWOW64
Source File Size (Bytes): 147456
Source Modify Time: 4/12/18 3:34:59 AM
Source Access Time: 4/12/18 3:34:59 AM
Source Create Time: 4/12/18 3:34:59 AM
Target Signed: No
Target Path: C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\
Target Modify Time: 4/18/19 12:10:27 PM
Target Access Time: 4/18/19 12:10:27 PM
Target Create Time: 4/18/19 12:10:12 PM
First Action Status: Not available
Second Action Status: Not available
Description: HEADQUARTER\someuser ran WSCRIPT.EXE, which tried to access C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\, violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement", and was blocked. For information on how to respond to this event, see KB85494.
Duration Before Detection (Days): >7 days
Attack Vector Type: Local System
Access Requested: Execute
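One detail worth checking against the event above: the logged Target Path is `C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\`, i.e. the directory with a trailing backslash, not the .VBS file itself. The following script is an added example, not code from the thread or from McAfee; it translates ENS-style exclusion wildcards into regular expressions under the semantics I am assuming (`**` spans backslashes, `*` and `?` stay within one path component, everything else including `$` is literal, matching is case-insensitive) and runs the four exclusions posted earlier against both the script path and the path exactly as the event logged it. Whether Access Protection actually compares the exclusion against the logged Target Path string is an assumption here, not something the thread confirms; the sample paths are constructed from the values quoted above, and the `FOLDER_EXCLUSION` pattern is a hypothetical candidate, not a verified fix.

```python
import re

# Constructed sample inputs, taken from the paths quoted in this thread.
# The event's Target Path ends in a backslash, so it is built with a normal
# string (a raw string cannot end in a single backslash).
SCRIPT_PATH = r"C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS"
EVENT_TARGET_PATH = r"C:\USERS\someuser\APPDATA\LOCAL\TEMP\$LDTMP$" + "\\"

# The four exclusion variants posted earlier in the thread.
POSTED_EXCLUSIONS = [
    r"**\TEMP\$LDTMP$\CLIENTSIDEENABLEWOL.VBS",
    r"**\$LDTMP$\CLIENTSIDEENABLEWOL.VBS",
    r"**\TEMP\$LDTMP$\*.VBS",
    r"**\$LDTMP$\*.VBS",
]

# Hypothetical candidate (assumption, not verified against ENS): match the
# $LDTMP$ directory itself and anything below it.
FOLDER_EXCLUSION = r"**\$LDTMP$\**"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an ENS-style path wildcard into an anchored regex.

    Assumed semantics:
      **  zero or more characters, including backslashes
      *   zero or more characters within one path component (no backslash)
      ?   exactly one character within a path component
    Every other character, '$' included, is taken literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if i + 1 < len(pattern) and pattern[i + 1] == "*":
                parts.append(r".*")        # ** crosses directory boundaries
                i += 2
                continue
            parts.append(r"[^\\]*")        # * stays inside one component
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))    # literal, incl. '$' and '\'
        i += 1
    # Windows paths are case-insensitive, and the event log upper-cases them.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern covers the given path string."""
    return wildcard_to_regex(pattern).match(path) is not None


def evaluate(patterns, path: str) -> dict:
    """Map each pattern to whether it matches `path`."""
    return {p: matches(p, path) for p in patterns}


def main() -> None:
    for label, path in (("script file", SCRIPT_PATH),
                        ("event Target Path", EVENT_TARGET_PATH)):
        print(f"Against {label}: {path}")
        for pattern, hit in evaluate(POSTED_EXCLUSIONS + [FOLDER_EXCLUSION], path).items():
            print(f"  {'MATCH ' if hit else 'no    '} {pattern}")


if __name__ == "__main__":
    main()
```

Under these assumed semantics all four posted exclusions cover the .VBS file, but none of them cover the directory string that the event actually records as the target, whereas a pattern ending in `\**` covers both. If that is how the rule is evaluated, it would explain why the exclusions never took effect regardless of how `$` was written; confirming it would need a test against the real policy or a service request, as suggested below.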

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

Maybe someone has some other suggestions?
Or should I just open a service request?
