Szymon
Level 7
Message 1 of 2

Expert rules - false-positive detections

Hello,
We are trying to implement expert rules provided in this article: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-mal...
After implementing on the pilot group we found that there are many false-positive detections. The rules which cause these detections are: (1) "[MITRE Technique Process Injection T1055]" & (2) "Expert Rule which blocks JavaScript Execution within Adobe Reader". We also have a rule we called (3) "Prevent DLL injection using allocate virtual memory" which created hundreds of events. We have set all of them to log only for now.
"[MITRE Technique Process Injection T1055]" & "Expert Rule which blocks JavaScript Execution within Adobe Reader" are posted in the article so the rule content can be checked there.
For "Prevent DLL injection using allocate virtual memory" the rule content is the following:

Rule {
  Process {
    Include VTP_TRUST false
  }
  Target {
    Match PROCESS {
      Include OBJECT_NAME { -v "**" }
      Exclude OBJECT_NAME { -v "*\\Google\\Chrome\\Application\\chrome.exe" }
      Include -nt_access "!0x20"
    }
  }
}

After implementing we get the following events:

NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process WinStore.App.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process cscript.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.

And many other processes like: AcroRd32.exe (rule 2), webexmt.exe (rule 3), CcmExec.exe (rule 1), thousands of events with chrome.exe (rule 3), and so on.
We already know that the exclusion is wrongly created in the article, and we are able to exclude processes in the proper way; however, the question is why these detections happen?
1 Reply
Szymon
Level 7
Message 2 of 2

Re: Expert rules - false-positive detections

Hello, as the view of the previous message is not too good, please see it again, sorted:


Hello,
We are trying to implement expert rules provided in this article: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-mal...
After implementing on the pilot group we found that there are many false-positive detections. The rules which cause these detections are: (1) "[MITRE Technique Process Injection T1055]" & (2) "Expert Rule which blocks JavaScript Execution within Adobe Reader". We also have a rule we called (3) "Prevent DLL injection using allocate virtual memory" which created hundreds of events. We have set all of them to log only for now.
"[MITRE Technique Process Injection T1055]" & "Expert Rule which blocks JavaScript Execution within Adobe Reader" are posted in the article so the rule content can be checked there.
For "Prevent DLL injection using allocate virtual memory" the rule content is the following:

Rule {
  Process {
    Include VTP_TRUST false
  }
  Target {
    Match PROCESS {
      Include OBJECT_NAME { -v "**" }
      Exclude OBJECT_NAME { -v "*\\Google\\Chrome\\Application\\chrome.exe" }
      Include -nt_access "!0x20"
    }
  }
}

After implementing we get the following events:

NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process FrmInst.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process msiexec.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process SynaMonApp.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process WinStore.App.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process cscript.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process java.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process spoolsv.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process svchost.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process winlogon.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Windows\CCM\CcmExec.exe, which accessed the process cmd.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Windows\CCM\CcmExec.exe, which accessed the process powershell.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Adobe\Acrobat 2017\Acrobat\AcroCEF\AcroCEF.exe, which accessed the process AcroCEF.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Adobe\Acrobat 2017\Acrobat\AcroCEF\AcroCEF.exe, which accessed the process AcroCEF.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Adobe\Acrobat 2017\Acrobat\AcroRd32.exe, which accessed the process EScript.api, violating the rule "Prevent JavaScript execution within Adobe Reader". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE, which accessed the file C:\Users\User\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DPTD2LDN\something.ics, violating the rule "Microsoft Outlook VEVENT Vulnerability". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Webex\Webex\Meetings\atmgr.exe, which accessed the process webexAppLauncher.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Webex\Webex\Meetings\webexmta.exe, which accessed the process atmgr.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files\7-Zip\7zFM.exe, which accessed the process EXCEL.EXE, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files\Mozilla Firefox\firefox.exe, which accessed the process firefox.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Windows\System32\svchost.exe, which accessed the process explorer.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Windows\System32\svchost.exe, which accessed the process ssvagent.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe, which accessed the process MicrosoftEdgeCP.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.

And thousands of events:
YY\User ran C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, which accessed the process chrome.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.


We already know that the exclusion is wrongly created in the article, and we are able to exclude processes in the proper way; however, the question is why these detections happen? Even McAfee processes like mfehcs.exe and mfetp.exe are detected - this should not happen. Many 'safe' processes may also be detected and blocked (when we set it to block). Can someone explain to me what we are doing wrong?
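When a set of expert rules is run in log-only mode like this, the practical next step is to triage the event stream: group hits by rule and by the acting process, pull out the cases where the security product is acting on itself, and list the actors that are noisy enough to deserve a decision (exclusion, or a narrower rule) before anything is switched to block. The script below is an added example for that triage, not code from the original posts or from McAfee. It assumes only the event text format quoted in the thread ("<user> ran <actor>, which accessed the <process|file> <target>, violating the rule "<name>". Access was allowed ..."); the embedded events are a constructed subset of the ones posted above, with the chrome.exe event repeated three times to stand in for the thousands reported, and the McAfee install directories used for the self-hit check are an assumption taken from the paths in the events.

```python
import re
from collections import Counter, defaultdict

# Pattern for the ENS Expert Rule event text as quoted in the thread:
#   <user> ran <actor>, which accessed the <process|file> <target>,
#   violating the rule "<name>". Access was <allowed|blocked> ...
EVENT_RE = re.compile(
    r'(?P<user>.+?) ran (?P<actor>.+?), which accessed the '
    r'(?P<kind>process|file) (?P<target>.+?), violating the rule '
    r'"(?P<rule>[^"]+)"\. Access was (?P<action>allowed|blocked)'
)

# Constructed sample: a subset of the events quoted in the thread, with the
# chrome.exe event repeated to stand in for the "thousands" reported.
SAMPLE_EVENTS = r"""
NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process msiexec.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe, which accessed the process WinStore.App.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process cscript.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe, which accessed the process svchost.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
NT AUTHORITY\SYSTEM ran C:\Windows\CCM\CcmExec.exe, which accessed the process powershell.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Adobe\Acrobat 2017\Acrobat\AcroCEF\AcroCEF.exe, which accessed the process AcroCEF.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Adobe\Acrobat 2017\Acrobat\AcroRd32.exe, which accessed the process EScript.api, violating the rule "Prevent JavaScript execution within Adobe Reader". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE, which accessed the file C:\Users\User\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DPTD2LDN\something.ics, violating the rule "Microsoft Outlook VEVENT Vulnerability". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Webex\Webex\Meetings\webexmta.exe, which accessed the process atmgr.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files\Mozilla Firefox\firefox.exe, which accessed the process firefox.exe, violating the rule "Prevent remote process injection (MITRE Technique Process Injection T1055)". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, which accessed the process chrome.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, which accessed the process chrome.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
YY\User ran C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, which accessed the process chrome.exe, violating the rule "Prevent DLL injection using allocate virtual memory". Access was allowed because the rule wasn't configured to block.
"""

# Assumed install locations of the security product itself (taken from the
# actor paths in the events); used to flag the product acting on other processes.
VENDOR_DIRS = ("C:\\Program Files\\McAfee\\", "C:\\Program Files\\Common Files\\McAfee\\")


def parse_event(line):
    """Return a dict for one event line, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["actor_name"] = event["actor"].rsplit("\\", 1)[-1]  # basename of the acting process
    return event


def parse_events(text):
    """Parse every recognisable event line in a block of text."""
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def hits_by_rule_and_actor(events):
    """{rule name: {actor basename: hit count}} - the first view to look at."""
    table = defaultdict(Counter)
    for e in events:
        table[e["rule"]][e["actor_name"]] += 1
    return {rule: dict(counts) for rule, counts in table.items()}


def self_hits(events, vendor_dirs=VENDOR_DIRS):
    """Events where the acting process is the security product itself."""
    return [e for e in events
            if any(e["actor"].lower().startswith(v.lower()) for v in vendor_dirs)]


def noisy_actors(events, min_hits=2):
    """Full actor paths that hit any single rule at least min_hits times.
    These are review candidates for an exclusion or a narrower rule, not an
    automatic allow-list."""
    counts = Counter((e["rule"], e["actor"]) for e in events)
    return sorted({actor for (_, actor), n in counts.items() if n >= min_hits})


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, actors in sorted(hits_by_rule_and_actor(EVENTS).items()):
        print(rule)
        for actor, n in sorted(actors.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {actor}")
    print("\nSecurity product acting on other processes:", len(self_hits(EVENTS)))
    print("Review candidates:", *noisy_actors(EVENTS), sep="\n  ")
```

Running it on the real export instead of the embedded sample is a matter of passing the exported text to parse_events; the per-rule table shows immediately that the injection rule is dominated by the product's own processes and the SCCM client, and that the allocate-virtual-memory rule is dominated by browser child-process creation, which is the information needed to decide what an exclusion should cover before any rule is set to block.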
