ta11
Level 9
Message 1 of 4

Exploit prevention rule exception question

This is regarding configuring ENS Exploit Prevention rules. In our company we are blocking on the "PowerShell -EncodedCommand" Exploit Prevention rule (6087) detection. But a couple of systems still need to run such PowerShell commands. My first thought was that we could sign the PowerShell script with an internal signer (CA) and make an exception for such signed scripts by trusting the signer. Checking the rule and exception possibilities more closely, it seems this is not possible with the current ENS (10.6.1). Do you confirm? What other choices do we have?
3 Replies
tzemva
McAfee Employee
Message 2 of 4

Re: Exploit prevention rule exception question

Hi @ta11,

There is a known issue in the currently available versions of ENS 10.6.1 where Exploit Prevention exclusions do not work properly with signer details. This issue will be addressed in the upcoming ENS 10.6.1 December Update. I recommend you wait for the mentioned release and test your EP exclusion again.

ta11
Level 9
Message 3 of 4

Re: Exploit prevention rule exception question

Thank you.

The issue I'm describing is not related to that bug, as I see it, but to the capability of the product to fulfil a specific use case. I can see that the Exploit Prevention policy exclusions section allows creating exceptions based on process name and signer, and by caller module name and signer. In this rule's case, the process is powershell.exe and there is no caller module. So signing our internal scripts in order to trust them and exclude them from Exploit Prevention rule triggers is not a capability of the current product. Or am I missing something?

kpham90
Level 8
Message 4 of 4

Re: Exploit prevention rule exception question

We are experiencing the same issue. We have various parts of our environment, from the SCCM client to DevOps configuration scripts, etc., that utilize PowerShell with parameters such as -EncodedCommand. The rules from McAfee are simply based on signatures, so if it sees the behavior, it will block if your rule is configured to Block. However, I found no good way to create exclusions based on the properties of the event details (i.e. Threat Target User Name). Basically, the rules are not sophisticated enough to determine a "good" from a "bad" script, and provide no mechanism to tell it what is "good" (we wanted to exclude based on ), so you are left with turning the rule into "Report" mode or disabling it completely.
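One practical route for the situation described in the opening post and in the SCCM/DevOps case above, as an added example that is not code from this thread or from McAfee: stop emitting the -EncodedCommand parameter for the jobs you control, and carry the same script body as a signed .ps1 run via -File, so the trust decision rests on the Authenticode signature from your internal CA. The example assumes that rule 6087 matches on the -EncodedCommand parameter itself, as its name suggests; the sample command line, the script path, the timestamp server and the location of the code-signing certificate are all assumptions.

```powershell
# Added example (not from the thread or from McAfee). Assumption: rule 6087 keys
# on the -EncodedCommand parameter, so a job rewritten to run a signed .ps1 via
# -File carries the same body without the command-line shape the rule matches.

# Constructed sample: the kind of invocation SCCM or a DevOps agent emits.
# -EncodedCommand expects UTF-16LE text, base64-encoded.
$SampleBody = 'Get-Date | Out-File C:\Temp\lastrun.txt'
$SampleCommandLine = 'powershell.exe -NoProfile -EncodedCommand ' +
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($SampleBody))

function ConvertFrom-EncodedCommand {
    <# Decode the payload of a -EncodedCommand invocation so it can be reviewed.
       Simplification: powershell.exe also accepts abbreviations such as -e, -ec
       and -enc; this regex covers those but not every prefix form. #>
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -notmatch '(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') {
        throw 'No -EncodedCommand argument found in the command line'
    }
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
}

function Convert-ToSignedScriptInvocation {
    <# Write the decoded body to a .ps1, sign it with the internal code-signing
       certificate, and return the equivalent -File invocation. #>
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert,
        # Assumed timestamp server; use whichever RFC 3161 responder your CA policy allows.
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )
    $body = ConvertFrom-EncodedCommand -CommandLine $CommandLine
    # A code-signing signature asserts "we vouch for this": read $body before signing it.
    Set-Content -Path $ScriptPath -Value $body -Encoding UTF8
    $sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $SigningCert `
        -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for ${ScriptPath}: $($sig.StatusMessage)"
    }
    # AllSigned makes the host refuse an unsigned or tampered copy of the script.
    # Execution policy is a safety rail, not a security boundary, so the EP rule
    # that blocks ad-hoc -EncodedCommand use stays in Block mode for everyone else.
    "powershell.exe -NoProfile -ExecutionPolicy AllSigned -File `"$ScriptPath`""
}

function Test-ScriptSignedByInternalCA {
    <# Check that a deployed script still carries a valid signature from the
       expected internal signer (by thumbprint) before it is scheduled. #>
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
}

# Usage (assumes the internal code-signing cert is in the user's personal store):
ConvertFrom-EncodedCommand -CommandLine $SampleCommandLine   # review the body first
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
$newCommand = Convert-ToSignedScriptInvocation -CommandLine $SampleCommandLine `
    -ScriptPath 'C:\Scripts\lastrun.ps1' -SigningCert $cert
Test-ScriptSignedByInternalCA -ScriptPath 'C:\Scripts\lastrun.ps1' `
    -ExpectedThumbprint $cert.Thumbprint
$newCommand
```

This is not the per-script exclusion the thread asks for; it removes the parameter the rule looks for from the jobs you own and moves the "is this script ours" decision to the signature check. Confirm in Report mode that the rewritten jobs no longer raise 6087 before relying on it, and keep the rule in Block mode so unsigned or ad-hoc -EncodedCommand use elsewhere is still stopped.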
