
Exploit Prevention rule 413


@chealey @AjaySundar 

I have a user with the below error. I wanted to know in what scenario the issue occurs.

 

NT AUTHORITY\SYSTEM ran C:\Windows\CCM\CcmExec.exe, which tried to access the file C:\Users\xxxxxxxxxx\Downloads\GUETIN_W1034P3RV2.xxxxxxxxxl.com.exe, violating the rule "Suspicious Double File Extension Execution", and was blocked. For information about how to respond to this event, see KB85494."
Venu
AjaySundar
McAfee Employee
Message 2 of 5

Re: Exploit Prevention rule 413


@vnaidu,

Good day to you!

The target file here has double extensions, .com and .exe, hence the EP rule got triggered.

Regards,

AJ 

Re: Exploit Prevention rule 413


@AjaySundar 

Can you help me with more precise information as to how McAfee decides on what logic this triggers? I need a detailed explanation.

 

Thanks a ton in advance.

Venu
AjaySundar
McAfee Employee
Message 4 of 5

Re: Exploit Prevention rule 413


Hi @vnaidu,

This event indicates that a file with two extensions (such as readme.txt. exe) was run. This poses a security risk, because such files are often viruses or Trojan horses.

For example, a file might be named "Readme.txt. exe," with the second extension not visible in Windows Explorer because of spaces separating the first and second extension. In this example, a user might think that such a document was a text file and double-click it, thus unintentionally launching the Trojan horse application.

To execute legal programs that contain multiple extensions (such as a known file named good_program-1.txt.exe), either rename the file to avoid multiple dots in the file name (for example, good_program-1_txt.exe), or create an exception for this security event so that your trusted file is exempt from triggering this signature.

I hope this helps.

Regards,

AJ
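
A file-name heuristic for the double-extension pattern described in the reply above, as an added example that is not part of the original post and is not McAfee's actual rule 413 logic. The extension lists, function names and sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Assumed lists for illustration; the product's real signature content is not on the page.
OUTER_EXECUTABLE = {"exe", "scr", "pif", "bat", "cmd", "com"}
INNER_DECOY = {"txt", "doc", "docx", "pdf", "jpg", "png", "xls", "xlsx", "com"}


def double_extension(path):
    """Return (inner, outer, padded) if the file name ends in decoy.executable, else None."""
    name = PureWindowsPath(path).name
    stem, dot, outer = name.rpartition(".")
    if not dot:
        return None
    # Whitespace next to the last dot can push the real extension out of view.
    padded = outer != outer.strip() or stem != stem.rstrip()
    base, inner_dot, inner = stem.rstrip().rpartition(".")
    outer, inner = outer.strip().lower(), inner.strip().lower()
    if not inner_dot or not base:
        return None  # only one extension, e.g. good_program-1_txt.exe
    if outer in OUTER_EXECUTABLE and inner in INNER_DECOY:
        return (inner, outer, padded)
    return None  # e.g. a version number before .exe is not treated as a decoy


# Constructed sample paths (hypothetical, modelled on the names quoted in the thread).
SAMPLES = [
    r"C:\Users\alice\Downloads\Readme.txt. exe",
    r"C:\Users\alice\Downloads\host01.example.com.exe",
    r"C:\Tools\good_program-1.txt.exe",
    r"C:\Tools\good_program-1_txt.exe",
    r"C:\Tools\setup-1.2.exe",
]


def triage(paths):
    """Map each flagged path to its finding, for review or for building an exception."""
    return {p: hit for p in paths if (hit := double_extension(p)) is not None}


if __name__ == "__main__":
    for path, (inner, outer, padded) in triage(SAMPLES).items():
        print(f"{path}: .{inner} then .{outer}, whitespace padding={padded}")
```

The renamed file and the version-numbered installer pass, while a host-style name ending in `.com.exe` is flagged in the same way as the blocked file in the original event.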


Re: Exploit Prevention rule 413


@AjaySundar 

Thank you for the explanation, that is what I was expecting to be in my situation. 

Thanks again Ajay,

Venu