Hidden Powershell Detected - SMB1

I'm in the process of upgrading from VSE to Endpoint.

 

I'm getting flooded by Critical Event e-mails caused by Windows scheduling a task to run a PowerShell script to disable SMB1.

 

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE -EXECUTIONPOLICY UNRESTRICTED -NONINTERACTIVE -NOPROFILE -WINDOWSTYLE HIDDEN "& C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES\SMBSHARE\DISABLEUNUSEDSMB1.PS1 -SCENARIO CLIENT"

 

I'm sure this has been occurring in the background previously, but VSE was not flagging it at all.

 

As best I understand it, I cannot make an exception for a specific PowerShell script. So how can I address this?

Accepted Solution
Reliable Contributor
Message 2 of 4

Re: Hidden Powershell Detected - SMB1

I wouldn't use the provided rule. Try this instead as an Expert Rule:

Rule {
    Process {
        Include OBJECT_NAME { -v "powershell.exe" }
        Include PROCESS_CMD_LINE { -v "*hidden*" }
        Exclude PROCESS_CMD_LINE { -v "*DISABLEUNUSEDSMB1.PS1 -SCENARIO CLIENT*" }
    }
    Target {
        Match SECTION { Include -access "CREATE" }
    }
}

 

Load it locally to ensure it compiles properly, as I typed it from my phone, but that should give you PowerShell hidden without that false positive. If you aren't blocking, I would target a single DLL on the section match or you will get multiple events from each single execution. Before the Include -access, just do Include OBJECT_NAME { -v "whatever.dll" }

View solution in original post
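As an added illustration (not code from this thread or from McAfee), the Python script below models the matching logic of the Expert Rule in the accepted answer and runs it over sample SECTION CREATE events: it shows that the Exclude carves out only the SMB1 scheduled task while other hidden PowerShell still fires, and that narrowing the Target to one DLL collapses the per-execution noise to a single event. Case-insensitive shell-style wildcard matching, the DLL names and the two non-SMB1 command lines are assumptions constructed for the demonstration.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Strings from the Expert Rule in the accepted answer. Wildcards are treated as
# shell-style, case-insensitive patterns here; that is an assumption about how
# ENS evaluates -v "*...*" values, not something the thread states.
PROCESS_NAME = "powershell.exe"
CMDLINE_INCLUDE = "*hidden*"
CMDLINE_EXCLUDE = "*DISABLEUNUSEDSMB1.PS1 -SCENARIO CLIENT*"

@dataclass
class SectionEvent:
    """One SECTION CREATE event: a process mapping one DLL (constructed model)."""
    process_name: str
    cmdline: str
    dll: str

def _like(value: str, pattern: str) -> bool:
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def rule_fires(ev: SectionEvent, target_dll: Optional[str] = None) -> bool:
    """True when the modelled rule would raise an event for this section load."""
    if not _like(ev.process_name, PROCESS_NAME):
        return False
    if not _like(ev.cmdline, CMDLINE_INCLUDE):
        return False
    if _like(ev.cmdline, CMDLINE_EXCLUDE):
        return False  # the SMB1 scheduled task is carved out by the Exclude
    if target_dll is not None and not _like(ev.dll, target_dll):
        return False  # optional Target OBJECT_NAME narrowing from the answer
    return True

def count_events(cmdline: str, dlls: List[str], target_dll: Optional[str] = None) -> int:
    """Events one powershell.exe execution raises while mapping each DLL in `dlls`."""
    return sum(rule_fires(SectionEvent("powershell.exe", cmdline, d), target_dll) for d in dlls)

# Sample command lines: the first is the one quoted in the question, the other two are constructed.
SMB1_TASK = ('C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE -EXECUTIONPOLICY '
             'UNRESTRICTED -NONINTERACTIVE -NOPROFILE -WINDOWSTYLE HIDDEN "& C:\\WINDOWS\\SYSTEM32'
             '\\WINDOWSPOWERSHELL\\V1.0\\MODULES\\SMBSHARE\\DISABLEUNUSEDSMB1.PS1 -SCENARIO CLIENT"')
OTHER_HIDDEN = "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Temp\\example.ps1"
VISIBLE = "powershell.exe -NoProfile -Command Get-Date"
# Constructed, illustrative list of DLLs mapped during one execution.
DLLS = ["ntdll.dll", "kernel32.dll", "amsi.dll"]

if __name__ == "__main__":
    for label, cl in [("SMB1 task", SMB1_TASK), ("other hidden", OTHER_HIDDEN), ("visible", VISIBLE)]:
        print(f"{label:13s} all DLLs: {count_events(cl, DLLS)}  amsi.dll only: {count_events(cl, DLLS, 'amsi.dll')}")
```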

3 Replies

Re: Hidden Powershell Detected - SMB1

Fantastic!

This is the exact guidance I needed.

Reliable Contributor
Message 4 of 4

Re: Hidden Powershell Detected - SMB1

Hello,

We have seen the same error on W10 17** and 18** PRO/ENT where ENS was installed from the beginning. This may be caused by Microsoft Windows Updates from WSUS Server.

 

Anybody at McAfee interested in fixing this? Is it fixed in ENS 10.6.1 JULY Re-post?
