cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

How can I make exclusion to PDQInventory-Scanner?

Jump to solution

I have lots of events saying NT AUTHORITY\SYSTEM ran SYSTEM:REMOTE\SYSTEM:REMOTE, which accessed C:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\\ , violating the rule "Remotely accessing local files or folders". Access was allowed because the rule wasn't configured to block. How can make a exclusion so that this event can be ignored? 

I have made a exclusion for this one this seems not working at this point. 

 

NT AUTHORITY\SYSTEM ran SYSTEM:REMOTE\SYSTEM:REMOTE, which accessed C:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\\ , violating the rule "Remotely accessing local files or folders". Access was allowed because the rule wasn't configured to block.

Analyzer / Detector
Analyzer content creation date9/22/2015 6:11 AM
Analyzer content version10.6.0
Product nameMcAfee Endpoint Security
Analyzer rule nameRemotely accessing local files or folders
Product version10.6.1
Feature nameAccess Protection
 
Threat
Action takenWould Block
Threat category'File' class or access
Threat event ID1095
Threat handledYes
Threat nameRemotely accessing local files or folders
Threat severityCritical
Threat timestamp2/7/2020 12:35 PM
Threat typeAccess Protection
 
Source
Source file pathSYSTEM:REMOTE
Source IPV410.10.6.182
Source process nameSYSTEM:REMOTE
Source process signedNo
Source user nameNT AUTHORITY\SYSTEM
 
Target
Target host namecomputername
Target name 
Target pathC:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\
Target signedNo
Target user nameSYSTEM
 
Other
Access requestedDelete
Vector typeFile Share

 

This table is taken out from ENS event window. 

 

McAfee Endpoint Security 

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3

Re: How can I make exclusion to PDQInventory-Scanner?

Jump to solution

Hello @ssedhai 

The rule you are using, "Remotely accessing local files or folders" is very aggressive rule and it is disabled by Default.

Purpose of the rule can be found in:

*** McAfee Endpoint Security 10.6.0 - Threat Prevention Product Guide - Windows
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

section "McAfee-defined Access Protection rules" where you have:

McAfee-defined rule: Remotely accessing local files or folders
Description: Prevents read and write access from remote computers to the computer. In a typical environment, this rule is suitable for workstations, but not servers.
Default setting: empty (aka not set to block or report)
Benefits: Prevents a share-hopping worm from spreading.
Risks: Prevents updates or patches from being installed to systems managed by pushing files. This rule doesn't affect the management functions of McAfee ePO.

TIP: Best practice Enable this rule only when computers are actively under attack.

Now, majority of remote access scenarios will have "Source file path -> SYSTEM:REMOTE", because the software PDQInventory-Scanner is using it to access to machine and that is what OS sees, (not PDQInventory-Scanner) hence you can't exclude PDQInventory-Scanner from the rule.

Also there is lot of scenarios where with same situation 
where in product guide is mentioned update, you should also see SYSTEM:REMOTE if you try to access to c$, but also Malware may use it as well hence in order for you to make exclusion you have to exclude whole "SYSTEM:REMOTE" which would defeat the purpose of rule itself.

The conclusion and best suggestion is to actually follow the best practice for the rule given in product guide itself.

I hope, I explained myself properly.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

2 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3

Re: How can I make exclusion to PDQInventory-Scanner?

Jump to solution

Hello @ssedhai 

The rule you are using, "Remotely accessing local files or folders" is very aggressive rule and it is disabled by Default.

Purpose of the rule can be found in:

*** McAfee Endpoint Security 10.6.0 - Threat Prevention Product Guide - Windows
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

section "McAfee-defined Access Protection rules" where you have:

McAfee-defined rule: Remotely accessing local files or folders
Description: Prevents read and write access from remote computers to the computer. In a typical environment, this rule is suitable for workstations, but not servers.
Default setting: empty (aka not set to block or report)
Benefits: Prevents a share-hopping worm from spreading.
Risks: Prevents updates or patches from being installed to systems managed by pushing files. This rule doesn't affect the management functions of McAfee ePO.

TIP: Best practice Enable this rule only when computers are actively under attack.

Now, majority of remote access scenarios will have "Source file path -> SYSTEM:REMOTE", because the software PDQInventory-Scanner is using it to access to machine and that is what OS sees, (not PDQInventory-Scanner) hence you can't exclude PDQInventory-Scanner from the rule.

Also there is lot of scenarios where with same situation 
where in product guide is mentioned update, you should also see SYSTEM:REMOTE if you try to access to c$, but also Malware may use it as well hence in order for you to make exclusion you have to exclude whole "SYSTEM:REMOTE" which would defeat the purpose of rule itself.

The conclusion and best suggestion is to actually follow the best practice for the rule given in product guide itself.

I hope, I explained myself properly.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

Highlighted

Re: How can I make exclusion to PDQInventory-Scanner?

Jump to solution

@Kenchee_etf 

Thanks for the response. These events are not bothering but I just I wanted to reduce the number of events so that I can focus only on the important ones. 

I can keep as it is. 

Cheers!

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community