cheetah
Level 10
Message 1 of 13

Exploit Prevention WebMer - ESConfig


Hello all,

A customer gets this event when he executes the McAfee WebMER tool, as shown in my picture.

So I checked the case in my test lab.
Actually, I get the same message here.

Shouldn't McAfee create an exception here for itself so that this "error" doesn't occur?

 


 

 


12 Replies
Dayananda
McAfee Employee
Message 2 of 13

Re: Exploit Prevention WebMer - ESConfig

Hello,

Sorry for the delay in response.

To isolate the issue, could you apply the McAfee default policy to Exploit Prevention and then check whether you get the alerts or not?

And can you let us know what action you are performing to get this alert? I'll try to reproduce it on my test machine. [Let us know the steps to reproduce the issue.]

Once this is done, we can review your EP policy.

I hope this helps. Let me know if you have any queries.

Regards,
Daya
cheetah
Level 10
Message 3 of 13

Re: Exploit Prevention WebMer - ESConfig

Good morning from Germany.

No problem.

I have assigned the standard policy and the result is unfortunately the same.
I hope you can understand from the screenshot.

What I do to get the message or the error:

Downloaded MER from the McAfee Portal.
I then executed this, and the error came in the Endpoint Security Console => Event Log when executing MER.exe.

EDIT: I think this happened because of the access protection rule "Unauthorized execution of EsConfigTool".

However, I then ask myself why the McAfee WebMER (MER.exe) triggers this error or this message.

[Screenshots: exploit Prevention_standard2.png, exploit Prevention_standard.png]

cheetah
Level 10
Message 4 of 13

Re: Exploit Prevention WebMer - ESConfig

@Dayananda any news?

Could you re-test the case in your test lab? Do you have a solution to prevent a webmer from triggering this message?

AdithyanT
McAfee Employee
Message 5 of 13

Re: Exploit Prevention WebMer - ESConfig

Hi @cheetah,

Thank you for your post. As observed from the provided screenshots, which are very clear and concise, I can confirm that this is because of the Access Protection rule enabled in the Endpoint Security Access Protection policy.

This can be disabled as needed, as described in the link below for your kind perusal:

https://docs.mcafee.com/bundle/endpoint-security-10.6.0-installation-guide-unmanaged-windows/page/GU...

Please bear in mind that MER is not directly calling the ESConfig tool here; it is CMD.exe that is executing ESConfig.exe, owing to which this prevention event comes up.

I sincerely hope this helps.

Thanks and regards,
Adithyan T
cheetah
Level 10
Message 6 of 13

Re: Exploit Prevention WebMer - ESConfig

@AdithyanT

I think you got it wrong.
I did NOT start the ESConfig myself.
I only started WebMER (MER.exe) - this in turn apparently accessed ESConfig! - and then comes the event.
Does McAfee want the WebMER (MER.exe) to access the ESConfigTool? - or cmd.exe?

EDIT
OR: why does the WebMER process start the ESConfigTool via cmd?
I mean, a McAfee process that starts another McAfee process should not report itself.
At least this doesn't make sense to me.

EDIT 2:

I am simply of the opinion that executing a McAfee MER.exe should not give such an "Unauthorized execution of EsConfigTool" message, because the process itself was started by a McAfee program.
McAfee reports / blocks itself here.

cheetah
Level 10
Message 7 of 13

Re: Exploit Prevention WebMer - ESConfig

@AdithyanT @Dayananda 

Can you please confirm to me that this behavior is intended by McAfee or WebMer (MER.EXE) ?!
So I could then pass this on to our customers and they don't have to worry about it.

AdithyanT
McAfee Employee
Message 8 of 13

Re: Exploit Prevention WebMer - ESConfig

Hi @cheetah,

My sincere apologies for the delay. It did take me some time to reproduce the issue in the lab, as I had an older version installed and this AP rule was introduced recently.

The problem, as I stated earlier, is the fact that MER.exe does not make a direct "call" to the ESConfig tool here. Rather, MER executes cmd to make a call to the ESConfig tool.

Keeping that fact aside, this rule was introduced to block the usage of ESConfig, whether it is run manually, by the admin or by the MER application itself, unless you wish to allow it by disabling the rule.

Is the ESConfig tool run by the MER tool?

Yes, it is run by the MER tool and it is expected behavior. This helps us export configuration and policies from the machine for our analysis. You can be reassured from our end that this is executed every time MER log collection is initiated.

Also, you definitely have a valid point on the exclusion of McAfee's own software when hit by this rule. This can be a valid PER as of now, but as mentioned, this rule was brought in to address a vulnerability in the usage of the tool and hence its usage had to be completely restricted. Since the tool is executed via cmd.exe by MER, and the AP rule does not support exclusion by the parent calling process, we do not have any means of adding an exclusion for MER currently.

I sincerely hope this clarifies your query on the issue.

Thanks and regards,
Adithyan T

(Accepted as solution)
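The process chain that both vendor replies describe (Message 5 and Message 8) is MER.exe starting cmd.exe, which in turn starts ESConfigTool.exe, and the stated limitation is that the Access Protection rule can only be relaxed for the immediate caller, not for a parent further up the chain. The following is an added example written for this page, not McAfee code or configuration and not anything posted in the thread: a small model of such a rule evaluated over a constructed process tree, once matching the excluded caller only as the direct parent (the behavior the thread describes) and once by walking the whole ancestry (a hypothetical capability). All PIDs, paths and the `scope` option are assumptions for the illustration.

```python
"""
Added example, not code from McAfee or from the thread's participants: a toy
model of an Access Protection style rule that blocks execution of
ESConfigTool.exe, evaluated with the allowed caller matched only as the
direct parent (what the thread describes) versus matched anywhere in the
process ancestry (hypothetical). Every event, PID and path is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, in the shape of a Sysmon/ETW event."""
    pid: int
    ppid: int
    image: str  # full path of the executable


PROTECTED_IMAGE = "esconfigtool.exe"  # the image the rule refuses to let run


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_table(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(event: ProcEvent, table: Dict[int, ProcEvent]) -> List[str]:
    """Image names of the parent, grandparent, ... (nearest first).
    Stops at a missing parent or a cycle, which PID reuse can produce."""
    chain, seen, cur = [], {event.pid}, table.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(basename(cur.image))
        seen.add(cur.pid)
        cur = table.get(cur.ppid)
    return chain


def evaluate(event: ProcEvent, table: Dict[int, ProcEvent],
             excluded_callers: List[str], scope: str = "direct_parent") -> str:
    """Return 'allow' or 'block' for one process-creation event.

    scope='direct_parent': only the immediate caller is compared against the
    exclusion list (the limitation described in the thread).
    scope='ancestry': any ancestor may satisfy the exclusion (hypothetical).
    """
    if basename(event.image) != PROTECTED_IMAGE:
        return "allow"                      # the rule is scoped to one image
    chain = ancestry(event, table)
    if scope == "direct_parent":
        candidates = chain[:1]
    elif scope == "ancestry":
        candidates = chain
    else:
        raise ValueError(f"unknown scope {scope!r}")
    excluded = {c.lower() for c in excluded_callers}
    return "allow" if any(c in excluded for c in candidates) else "block"


# Constructed process tree. Paths are assumptions, not McAfee's real install layout.
EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\admin\Downloads\MER.exe"),          # WebMER, started by the admin
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe"),               # MER spawns cmd.exe ...
    ProcEvent(400, 300, r"C:\Program Files\McAfee\ESConfigTool.exe"),  # ... which runs the config export
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe"),               # admin's own console
    ProcEvent(600, 500, r"C:\Program Files\McAfee\ESConfigTool.exe"),  # manual run, no MER involved
]
EXCLUDED_CALLERS = ["MER.exe"]  # the exclusion the thread asks for


def run_demo() -> Dict[tuple, str]:
    """Decision for every event under both scopes, keyed by (pid, scope)."""
    table = build_table(EVENTS)
    return {(e.pid, scope): evaluate(e, table, EXCLUDED_CALLERS, scope)
            for e in EVENTS for scope in ("direct_parent", "ancestry")}


if __name__ == "__main__":
    for (pid, scope), decision in sorted(run_demo().items()):
        print(f"pid={pid:<4} scope={scope:<14} -> {decision}")
```

Under `direct_parent` the MER-initiated run (pid 400) is blocked because cmd.exe, not MER.exe, is the immediate caller, which is exactly the event the thread reports; only the hypothetical `ancestry` scope lets it through, and the manual run (pid 600) is blocked in both. An ancestry-based exclusion would also cover anything else that happens to run beneath MER.exe, which is the trade-off behind leaving the rule blunt; the only relief the vendor offers in the thread is disabling the rule.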

cheetah
Level 10
Message 9 of 13

Re: Exploit Prevention WebMer - ESConfig

@AdithyanT Great, thanks a lot for your answer!

cheetah
Level 10
Message 10 of 13

Re: Exploit Prevention WebMer - ESConfig

@AdithyanT Sorry, but just one last question:

But the data collected by MER.exe is NOT incorrect either, due to the actual block by the AP rule?
