cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FramePkg.exe

I have an ePO server 5.10. It is working as an ENS system, but the framepkg.exe file is blocked continually. I need to fix this and attempted to create a Dynamic Application Containment exclusion for the file FramePkg.exe, but it doesn't work, it is still blocked. Any suggestions?

Errors are as follows:

NT AUTHORITY\SYSTEM ran C:\ProgramData\McAfee\Agent\Current\EPOAGENT3000\Install\0409\FramePkg.exe, which tried to access the file C:\WINDOWS\TEMP\mfe3C912AAB-013D-44F2-8610-F3326289DF00.tmp\__temp.zip, violating the rule "Writing to files commonly targeted by ransomware-class malware", and was blocked. For information on how to respond to this event, see KB85494.

 
 

 

 

 

 

 

5 Replies
harshgautam
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: FramePkg.exe

@User68214094 

Kindly let us know, which component is detecting the FramePkg.exe.

If it is through ATP, While adding the exclusion. Type in **\FramePkg.exe(in File name or path (can include * or ? wildcards))

If the detection is through OAS.

Add the wildcard exclusion as mentioned above, in the applied OAS policy.

a) Select 

b) Add the FramePkg.exe in low Risk.

c) Select Do not scan when reading from or writing to disk, under low risk.

If the issue still exist, kindly Log a Service Request from Support Portal.

Thanks & regards,
Harsh Gautam
Technical Support Engineer | Customer Success Group

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

aguevara
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 6

Re: FramePkg.exe

lets move this post to the ENS group for proper visibility, im doing that now 

Re: FramePkg.exe

Thank you

Re: FramePkg.exe

I did what you recommended but it didn't work

AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: FramePkg.exe

Hi @User68214094,

Thank you for updating us. DAC blocks are usually tricky to handle. So the fact that this is being stopped by DAC would mean that the process has hit the threshold to be sent for DAC.

Ideally, The above steps for adding Framepkg.exe as "Low risk" process should have taken care of the issue. if not, I would ask for the complete event to see where and why the executable got contained in the first place.

What we are looking at is a hit inside the containment. However, Frampkg.exe being a trusted executable should not be entering containment and declaring it a low risk process should be able to do that. Can you share us a copy of the policy you have configured?

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community