bretzeli
Reliable Contributor

FALSE Positive ENS 10.7 APRIL, IPS Exploit T1145, Rule 6105, HP Elitedesk 800 G4 W10 W10 20H1

T1145 – Windows Script Command Restriction – Batch Mode

W10, 20H1, ENG, PRO, 64BIT, ENS 10.7 APRIL

FALSE Positive ENS 10.7 APRIL, IPS Exploit T1145, Rule 6105

Hardware: HP Elitedesk 800 G4 W10

----------------------

We know that this is the Energy Module from HP under 20H1. Just wanted to report the false positive before you knock out some HP customers. If you want more info, write an e-mail to this partner. I am not going to open a ticket for you.

----------------------


Modulname:
Bedrohungsschutz

Analyseprogramm – Datum der Inhaltserstellung:04.05.21 09:58:28 MESZ

Analyseprogramm – Inhaltsversion:10.6.0.11403

Analyseprogramm – Regel-ID:6105

Analyseprogramm – Regelname:T1145 - Windows Script Command Restriction - Batch Mode

Quellenbeschreibung:
C:\WINDOWS\System32\Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"

Ziel-Hash:0639b0a6f69b3265c1e42227d650b7d1

Ziel signiert:Ja

Signaturgeber des Ziels:
CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

Übergeordneter Zielprozess signiert:
Ja

Signaturgeber des übergeordneten Zielprozesses:
C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS PUBLISHER

Name des übergeordneten Zielprozesses:SVCHOST.EXE

Hash des übergeordneten Zielprozesses:f586835082f632dc8d9404d83bc16316

Zielname:WSCRIPT.EXE

Zielpfad:C:\WINDOWS\SYSTEM32

Zieldateigröße (Bytes):170496

API-Name:GetVersionExA

Beschreibung:Es wurde ein Exploit-Versuch durch ExP:Illegal API Use auf C:\WINDOWS\SYSTEM32\WSCRIPT.EXE erkannt, wodurch ein Angriff auf die API GetVersionExA durchgeführt wurde. Er wurde nicht blockiert, da der Exploit-Schutz auf Nur melden eingestellt war.

Angriffsvektortyp:Lokales System
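Added example, not McAfee's, HP's or the poster's code: a Python triage helper that parses the event block above exactly as the German ENS console prints it (label, colon, value, with some values wrapped onto the next line) and checks whether the process chain matches the benign pattern the poster describes (Microsoft-signed wscript.exe in //B batch mode, launched by a signed svchost.exe, running a script under the Intel SUR vendor directory). The vendor-directory allowlist, the constructed "suspect" variant and all function names are assumptions made for this example; the field labels and values come from the post.

```python
"""Triage helper for an ENS Exploit Prevention event (rule 6105 / T1145).

Added example; not code from McAfee, HP or the forum poster.
"""
import re
from pathlib import PureWindowsPath

# Sample event: field labels and values copied from the forum post (German console).
SAMPLE_EVENT = r"""
Analyseprogramm – Regel-ID:6105
Analyseprogramm – Regelname:T1145 - Windows Script Command Restriction - Batch Mode
Quellenbeschreibung:
C:\WINDOWS\System32\Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"
Ziel signiert:Ja
Signaturgeber des Ziels:
CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Übergeordneter Zielprozess signiert:
Ja
Signaturgeber des übergeordneten Zielprozesses:
C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS PUBLISHER
Name des übergeordneten Zielprozesses:SVCHOST.EXE
Zielname:WSCRIPT.EXE
Zielpfad:C:\WINDOWS\SYSTEM32
API-Name:GetVersionExA
"""

# Constructed variant (assumption, not from the post): same script host, but the
# script lives outside the vendor directory and the parent is not svchost.exe.
SUSPECT_EVENT = SAMPLE_EVENT.replace(
    r'"C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"', r'"C:\Users\Public\update.vbs"'
).replace("SVCHOST.EXE", "EXPLORER.EXE")

# German console labels -> field names used by the triage logic.
FIELD_MAP = {
    "Analyseprogramm – Regel-ID": "rule_id",
    "Analyseprogramm – Regelname": "rule_name",
    "Quellenbeschreibung": "source_description",
    "Ziel signiert": "target_signed",
    "Signaturgeber des Ziels": "target_signer",
    "Übergeordneter Zielprozess signiert": "parent_signed",
    "Signaturgeber des übergeordneten Zielprozesses": "parent_signer",
    "Name des übergeordneten Zielprozesses": "parent_name",
    "Zielname": "target_name",
    "Zielpfad": "target_path",
    "API-Name": "api_name",
}

MICROSOFT_SIGNER = "O=MICROSOFT CORPORATION"
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Allowlist of vendor script directories (assumption; the SUR path is from the post).
KNOWN_VENDOR_DIRS = [PureWindowsPath(r"C:\Program Files\Intel\SUR")]


def parse_event(text: str) -> dict:
    """Parse 'Label:Value' lines; an empty value takes the next non-empty line
    (the console wraps long values that way). Only the first colon splits."""
    fields = {}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line or ":" not in line:
            continue
        label, _, value = line.partition(":")
        value = value.strip()
        while not value and i < len(lines):  # value continues on the next line
            value = lines[i].strip()
            i += 1
        fields[FIELD_MAP.get(label.strip(), label.strip())] = value
    return fields


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def script_path(tokens: list):
    """Return the first argument that looks like a Windows Script Host script."""
    for tok in tokens[1:]:
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTENSIONS:
            return PureWindowsPath(tok)
    return None


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def triage(event: dict) -> dict:
    """Apply the benign-pattern check; any failed criterion becomes a reason to investigate."""
    tokens = split_cmdline(event.get("source_description", ""))
    script = script_path(tokens)
    batch_mode = any(t.lower() == "//b" for t in tokens)  # //B is what the rule keys on
    reasons = []
    if event.get("target_signed") not in ("Ja", "Yes") or MICROSOFT_SIGNER not in event.get("target_signer", "").upper():
        reasons.append("script host is not a Microsoft-signed binary")
    if event.get("parent_name", "").upper() != "SVCHOST.EXE" or event.get("parent_signed") not in ("Ja", "Yes"):
        reasons.append("parent is not a signed svchost.exe (service/scheduled-task launch)")
    if script is None:
        reasons.append("no script file found on the command line")
    elif not any(is_under(script, d) for d in KNOWN_VENDOR_DIRS):
        reasons.append(f"script {script} is outside the known vendor directories")
    return {
        "rule_id": event.get("rule_id"),
        "batch_mode": batch_mode,
        "script": str(script) if script else None,
        "verdict": "candidate false positive" if not reasons else "investigate",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in (("HP/Intel SUR event", SAMPLE_EVENT), ("constructed variant", SUSPECT_EVENT)):
        print(name, "->", triage(parse_event(raw)))
```

The verdict is deliberately "candidate", not "confirmed": the event carries the hash of wscript.exe, not of task.vbs, so the script itself still has to be checked before anything is excluded. If an exclusion is then created, scope it to the vendor script path rather than to WSCRIPT.EXE, since excluding the script host would silence rule 6105 for every batch-mode script on the machine.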

1 Reply
Pravas
McAfee Employee

Re: FALSE Positive ENS 10.7 APRIL, IPS Exploit T1145, Rule 6105, HP Elitedesk 800 G4 W10 W10 20H1

Hi @bretzeli ,

I understand from your post that you're reporting a false positive.

Unfortunately we cannot process it without a Service Request.

Please reach out to support with the following details.

1) Submit a sample

https://kc.mcafee.com/corporate/index?page=content&id=KB68030

2) Attach logs from Exploit Prevention

C:\ProgramData\McAfee\Endpoint Security\Logs

3) What is the use of the application?

4) Mention the Vendor as HP

Thanks
