Former Member
Not applicable
Message 1 of 5

Exploit Prevention Powershell Exception by source Description?

We are running ENS 10.7.0.x and cannot create an exclusion based on source description (previously known as "files" in HIP IPS).

We have multiple powershell scripts that run, and we've created granular exclusions in IPS. Now with ENS EP, those granular exclusions do not work. We either exclude all powershell scripts triggering that signature or block all.

What am I missing?

Does anyone have a work-around to allow specific scripts to be run based on:
username
Script location
Script name

Please tell me there is a simple step I've missed. I can't imagine McAfee making an oops this big.

4 Replies
AdithyanT
McAfee Employee
Message 2 of 5

Re: Exploit Prevention Powershell Exception by source Description?

Hi @Former Member,

This is actually an excellent question. While we still can exclude specific "files" or "signatures" from certain Exploit prevention signatures, for powershell, I am afraid what you said is correct.

There is no granularity in the powershell signatures that work based on simple rules like Signature ID 6070 that detects usage of "hidden" parameter. In these cases, we can either exclude PowerShell completely, of course we don't recommend that, or we can remove the use of "hidden" parameter from the script.

Unfortunately we will not be able to exclude the specific file at the moment using these signatures.

I certainly understand this inconvenience, while this is the current working of the product, there is always room for ideas and enhancements into our product.

Please register this idea using the KBA below:

https://kc.mcafee.com/corporate/index?page=content&id=KB60021

Was my reply helpful?
If you find this post useful, please give it a kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Former Member
Not applicable
Message 3 of 5

Re: Exploit Prevention Powershell Exception by source Description?

Great idea, but I don't have access to a grant number in order to access that feature.

I'm experimenting with custom signatures with the exclusion written into the detection itself. Not sure if it'll work, but at this point, I have nothing to lose.

This sounds like a really poor marketing decision by McAfee. ENS is faster than HIP because it doesn't allow deeper inspection.
Why would you remove the ability to detect subversive powershell activity? Holy poor engineering, Batman.

Former Member
Not applicable
Message 4 of 5

Re: Exploit Prevention Powershell Exception by source Description?

I wrote a couple of custom signatures to replace 6135 & 6151. I think I did it right but would appreciate feedback to confirm, or show me where I went wrong. Efficiency tweaks are also appreciated.

This one replaces 6151 and includes the exclusions I wanted to make:

Rule {
    Process {
        Include OBJECT_NAME {
            -v "**"
        }
        Exclude OBJECT_NAME {
            -v "F:\\Microsoft SQL Server (x86)\\130\\Tools\\Binn\\SQLPS.exe"
            -v "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
            -v "c:\\Program Files\\McAfee\\Endpoint Security\\Endpoint Security Platform\\mfeesp.exe"
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME {
                -v "C:\\Windows\\Assembly\\NativeImages_v*\\System.manaa*\\*\\System.Management.Automation.ni.dll"
                -v "C:\\Windows\\Assembly\\NativeImages_v*\\System.manaa*\\*\\System.Management.Automation.dll"
            }
        }
    }
}

Andy
Level 7
Message 5 of 5

Re: Exploit Prevention Powershell Exception by source Description?

FIFY:
Below is a custom rule to exclude SQLPS agentjobs.

Rule {
    Initiator {
        Match PROCESS {
            Include OBJECT_NAME {-v "SQLPS.exe"}
            Exclude PROCESS_CMD_LINE {-v "*F:\\Microsoft SQL Server (x86)\\130\\Tools\\Binn\\SQLPS.exe* agentjob"}
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME {-v "System.Management.Automation.ni.dll"}
            Include OBJECT_NAME {-v "System.Management.Automation.dll"}
            Include -access "EXECUTE"
            Include -access "READ"
        }
    }
}
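To sanity-check which processes the rules in messages 4 and 5 would actually catch before deploying them, here is a small evaluator of the message 5 rule, added here and not part of the thread or of ENS itself. It assumes the Expert Rules wildcard semantics as I understand them from the product guide (`*` stops at a backslash, `**` spans backslashes), that a bare file name in OBJECT_NAME is compared against the process image name, and uses constructed sample paths and command lines.

```python
import re
from dataclasses import dataclass

# Assumed Expert Rules wildcard semantics (verify against the ENS product guide):
#   *  matches any run of characters except a backslash
#   ** matches any run of characters including backslashes
def glob_to_regex(pattern: str) -> re.Pattern:
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*"); i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*"); i += 1
        else:
            parts.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches_any(patterns, value: str) -> bool:
    return any(glob_to_regex(p).match(value) for p in patterns)

@dataclass
class Initiator:
    path: str      # full image path of the initiating process
    cmdline: str   # what PROCESS_CMD_LINE is matched against

# Message 5's rule transcribed into data (single backslashes in Python raw strings
# correspond to the doubled "\\" inside the rule's quoted values).
INCLUDE_OBJECT_NAME = ["SQLPS.exe"]
EXCLUDE_CMD_LINE = [r"*F:\Microsoft SQL Server (x86)\130\Tools\Binn\SQLPS.exe* agentjob"]
TARGET_FILES = ["System.Management.Automation.ni.dll", "System.Management.Automation.dll"]
TARGET_ACCESS = {"EXECUTE", "READ"}

def initiator_matches(init: Initiator) -> bool:
    # Assumption: a bare name in OBJECT_NAME matches the image name, a full pattern the path.
    name = init.path.rsplit("\\", 1)[-1]
    included = matches_any(INCLUDE_OBJECT_NAME, init.path) or matches_any(INCLUDE_OBJECT_NAME, name)
    excluded = matches_any(EXCLUDE_CMD_LINE, init.cmdline)
    return included and not excluded

def rule_fires(init: Initiator, target_path: str, access: str) -> bool:
    """True when the rule would react to this initiator touching this target file."""
    target_name = target_path.rsplit("\\", 1)[-1]
    return (initiator_matches(init)
            and matches_any(TARGET_FILES, target_name)
            and access.upper() in TARGET_ACCESS)
```

Feeding it a SQL Agent job invocation versus an interactive SQLPS.exe session shows that only the latter still reaches the rule, which is the behaviour the exclusion is meant to produce.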