I have an ePO server 5.10. It is working as an ENS system, but the FramePkg.exe file is blocked continually. I need to fix this and attempted to create a Dynamic Application Containment exclusion for the file FramePkg.exe, but it doesn't work; it is still blocked. Any suggestions?
Errors are as follows:
NT AUTHORITY\SYSTEM ran C:\ProgramData\McAfee\Agent\Current\EPOAGENT3000\Install\0409\FramePkg.exe, which tried to access the file C:\WINDOWS\TEMP\mfe3C912AAB-013D-44F2-8610-F3326289DF00.tmp\__temp.zip, violating the rule "Writing to files commonly targeted by ransomware-class malware", and was blocked. For information on how to respond to this event, see KB85494.
Kindly let us know which component is detecting FramePkg.exe.
If it is through ATP, then while adding the exclusion, type in **\FramePkg.exe (in "File name or path (can include * or ? wildcards)").
If the detection is through OAS:
a) Add the wildcard exclusion as mentioned above in the applied OAS policy.
b) Add FramePkg.exe in Low Risk.
c) Select "Do not scan when reading from or writing to disk" under Low Risk.
If the issue still exists, kindly log a Service Request from the Support Portal.
Thanks & regards,
Technical Support Engineer | Customer Success Group
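As an added example (not part of the thread and not vendor code), the following Python parses the event text quoted in the question and checks which candidate exclusion patterns would cover the blocked process path. The wildcard semantics (`**` crosses backslashes, `*` and `?` stay within one path component, matching is case-insensitive) are an assumption about how ENS exclusions match, and all function names are hypothetical.

```python
import re

# Constructed sample: the event text quoted in the question above.
EVENT = (r'NT AUTHORITY\SYSTEM ran C:\ProgramData\McAfee\Agent\Current\EPOAGENT3000'
         r'\Install\0409\FramePkg.exe, which tried to access the file '
         r'C:\WINDOWS\TEMP\mfe3C912AAB-013D-44F2-8610-F3326289DF00.tmp\__temp.zip, '
         r'violating the rule "Writing to files commonly targeted by '
         r'ransomware-class malware", and was blocked.')

EVENT_RE = re.compile(
    r'^(?P<user>.+?) ran (?P<actor>.+?), which tried to access the file '
    r'(?P<target>.+?), violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)')

def parse_event(text):
    """Split the event sentence into user, actor process, target file, rule, action."""
    m = EVENT_RE.match(text)
    return m.groupdict() if m else None

def wildcard_to_regex(pattern):
    """Translate an exclusion pattern using the assumed wildcard semantics."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**', i):      # any characters, including backslash
            out.append('.*')
            i += 2
        elif pattern[i] == '*':              # any characters within one path component
            out.append(r'[^\\]*')
            i += 1
        elif pattern[i] == '?':              # exactly one character, not a backslash
            out.append(r'[^\\]')
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile(''.join(out), re.IGNORECASE | re.DOTALL)

def covers(pattern, path):
    """True if the pattern matches the whole path."""
    return wildcard_to_regex(pattern).fullmatch(path) is not None

def check_exclusions(event_text, patterns):
    """Map each candidate pattern to whether it covers the actor process path."""
    actor = parse_event(event_text)['actor']
    return {p: covers(p, actor) for p in patterns}

if __name__ == '__main__':
    for pat, hit in check_exclusions(
            EVENT, [r'**\FramePkg.exe', r'*\FramePkg.exe', 'FramePkg.exe']).items():
        print(f'{pat!r:24} covers actor process: {hit}')
```

Under these assumptions only the `**\FramePkg.exe` form covers the full actor path from the event; the single-`*` and bare-filename forms do not.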
Thank you for updating us. DAC blocks are usually tricky to handle. So the fact that this is being stopped by DAC would mean that the process has hit the threshold to be sent for DAC.
Ideally, the above steps for adding FramePkg.exe as a "Low risk" process should have taken care of the issue. If not, I would ask for the complete event to see where and why the executable got contained in the first place.
What we are looking at is a hit inside the containment. However, FramePkg.exe, being a trusted executable, should not be entering containment, and declaring it a low risk process should be able to do that. Can you share with us a copy of the policy you have configured?