User27605043
Reliable Contributor
Message 1 of 4

Exclusions for ENS/ePO Policies for Microsoft Management Products like SCCM

We got a false detection from Adaptive Threat Protection when one of our engineers ran a PIVOT Tool PowerShell Script from the CC\Scriptstore (or Microsoft Configuration Manager).

The question is what is the best way to deal with this?

Should we present this to Support for a Suppression of those scripts from detection or should we create a special exclusion rule in ePO/ENS Policies?

Or should we exclude automated reporting for "Would Clean"?

Here is a sample of the detection alert we receive when hit.

 

McAfee Endpoint Security
Adaptive Threat Protection Would Clean
Real Protect-PSL!bf63b3ffbeee
True
C:\WINDOWS\CCM\ScriptStore\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c1b6b8aece88cf30fff1fd35bee1461e34f4799eff1406890e079bb2c7bfb9e5.ps1

 

Any help is appreciated.

 

 

Stewart
3 Replies
vivs
Reliable Contributor
Message 2 of 4

Re: Exclusions for ENS/ePO Policies for Microsoft Management Products like SCCM

It's better to get a case open with the Support team.

Thanks

Pravas
McAfee Employee
Message 3 of 4

Re: Exclusions for ENS/ePO Policies for Microsoft Management Products like SCCM

Hi @User27605043 ,

Please open a support ticket with the following details.

  • Submit a sample as described in KB85567 - Submit potential false positives from the product or through GTI to Labs.
  • Is it an internal application or third-party software? If third-party software, who is the vendor and what's the application name and version?
  • Provide a detailed description of the file and how it's being used.
  • Provide the installer, source, or a download URL if available.
  • What's the "Threat Name" found in ePO or on the product console for this detection?
  • Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
  • How many systems is this false positive impacting? Try to be as accurate as possible.
  • How many of the systems are production servers, and what are their purposes?
  • Are there any other noteworthy considerations for the impacted systems?
  • Submit the relevant scan logs showing the detections.
    • ENS:
      %deflogdir%\AdaptiveThreatProtection_Activity.log

Reference KB - https://kc.mcafee.com/corporate/index?page=content&id=KB91459

Thanks
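
An added example, not part of the reply above and not McAfee or Microsoft tooling: a PowerShell function that collects the per-file details the checklist asks for (path, SHA-256, Authenticode signer, and the matching lines from AdaptiveThreatProtection_Activity.log). The function name, the output fields and the default log directory are assumptions; pass -LogDir if %deflogdir% resolves elsewhere.

```powershell
# Added example: gather evidence about one detected file for a false-positive ticket.
# Assumptions: function name, output fields, and the default log directory below.
function Get-FalsePositiveEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $LogDir = (Join-Path $env:ProgramData 'McAfee\Endpoint Security\Logs')
    )

    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # The alert in this thread names the file <GUID>_<64 hex chars>.ps1.
    # Treating the hex part as a SHA-256 of the file content is an assumption,
    # so a mismatch is a prompt to look closer, not proof of tampering.
    $nameHash = $null
    if ($file.BaseName -match '^[0-9A-Fa-f-]{36}_([0-9A-Fa-f]{64})$') {
        $nameHash = $Matches[1]
    }

    # Activity-log lines that mention this file, to attach to the ticket.
    $log  = Join-Path $LogDir 'AdaptiveThreatProtection_Activity.log'
    $hits = @()
    if (Test-Path -LiteralPath $log) {
        $hits = @(Select-String -LiteralPath $log -Pattern $file.Name -SimpleMatch |
                  ForEach-Object { $_.Line })
    }

    [pscustomobject]@{
        Path            = $file.FullName
        SHA256          = $sha256
        NameHashMatches = if ($nameHash) { $nameHash -ieq $sha256 } else { $null }
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LogLineCount    = $hits.Count
        LogLines        = $hits
    }
}

# Summarise every script currently in the ConfigMgr script store on this host.
Get-ChildItem -LiteralPath "$env:windir\CCM\ScriptStore" -Filter *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FalsePositiveEvidence -Path $_.FullName } |
    Select-Object Path, SHA256, NameHashMatches, SignatureStatus, Signer, LogLineCount
```

Run it from an elevated session, since the ScriptStore folder is normally readable only by administrators. The signer and hash columns also show what a hash-based or signer-based exclusion would cover, compared with excluding the whole folder.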


User27605043
Reliable Contributor
Message 4 of 4

Re: Exclusions for ENS/ePO Policies for Microsoft Management Products like SCCM

I get all that, but this is very frustrating. 

The specific issue is related to a known (WELL KNOWN) Microsoft Product.

In this case Microsoft SCCM, Configuration Manager Pivot tool (ConfigMgr CMPivot) for collection of client data. 

Personally, I would think that would already be known and allowed and not be flagged as a potential threat.

 

Also, I did as you suggested on an earlier case and submitted Dell's SupportAssistLauncher.exe to be excluded from detection. I was told this had been addressed and it should no longer be detected. And it still is being detected. (4-22882824541). So, going through those hoops seems a waste of time.

Stewart