cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
giangi
Level 9
Report Inappropriate Content
Message 1 of 11

How to create Access protection Exclusion with Signer

Hi everybody,

we are trying to add Access Protection Exclusions using "Signer" without success

We use ePO 5.10 and ENS v10.6.1

In the Exclusions I have added the Signer Certificate from the Thread Event Log but the " Browsers launching files from the Downloaded Program Files folder" rule is still logged and reported.

Example from the Thread Event Log, I have copied the Target Signer code and pasted into my policy on ePO

 

Threat Prevention
9/22/15 1:11:11 PM CEST
10.6.0
Internet Explorer launching files from the Downloaded Program Files folder
2d72cf80740f6c19a837346b1c8f181d
Yes
C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC
C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION
1589080
11/16/18 7:43:04 AM CET
11/28/18 11:15:52 AM CET
7/4/16 1:06:23 PM CEST
de54db1266e24049a58a54fa1bf1cf6d
Yes
C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH
SUPPORTOLNK.EXE
C:\USERS\CALZOLARI\DOWNLOADS
12025904
12/10/18 7:18:31 PM CET
12/10/18 7:18:30 PM CET
12/10/18 7:18:34 PM CET
Not available
Not available
LINKING.IT\Calzolari ran CHROME.EXE, which accessed C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK.EXE, violating the rule "Internet Explorer launching files from the Downloaded Program Files folder". Access was allowed because the rule wasn't configured to block.

 

Looking into ENS configuration on my pc the Exception is there!
2018-12-10_18-52-18_McAfee Endpoint Security.png

 

But into the Debug log the process is "ignored" and the "Signer trusted" is always false!

12/10/2018 06:35:13.274 PM mfeesp(7240.9464) <SYSTEM> ApBl.AP.Debug: === AP received aac reaction event, Send[true] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {79B2908E-E5EC-7116-28D4-C5B13FDAA57E}
Rule GUID : {D1347B9A-B157-A732-2614-56B717E46CED}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_ALLOW [0] IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
Rule Description: AM::AP||IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
Group Description:
EventID : 1095
Object Type : AAC_OBJECT_FILE
Object Name : C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK.EXE
Process Name : C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE
Process Dll Path :
Process Id : 0x0000000000003fc8
Thread Id : 0x00000000000002b8
Target Process Id: 0x0000000000000000
Timestamp : 0x01d490b71690ae44, 2018-12-10T17:35:13
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x001200a9
Access Mask : 0x00000014 IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
USER_NAME :I: LINKING.IT\Calzolari
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_FILE:IDS_BLADE_NAME_GEN
CREATED_TIME :I: 2016-07-4 11:06:23
MODIFIED_TIME :I: 2018-11-16 06:43:04
ACCESSED_TIME :I: 2018-11-28 10:15:52
FILE_SIZE :I: 1589080
VTP_TRUST :I: [1] INT8: 0
CERT_NAME :I: [130] STRING: C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC
MD5_A :I: [16] HASH: 2d72cf80740f6c19a837346b1c8f181d
PROCESS_SIGNED :I: true
SIGNER_TRUSTED :I: false
PROCESS_ID :I: [8] INT64: 16328
FILE_NAME :I: CHROME.EXE
FILE_PATH :I: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ENDP_AM_1060
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1.1169
CONTENT_VERSION :T: 10.6.0
CONTENT_CREATED :T: 2015-09-22T11:11:11Z
RULE_DESCRIPTION :T: IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
ACTION_TAKEN :T: IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2018-12-10T17:35:13
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Local System
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 2116329
ACCESS_MASK_TXT :T: IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
CREATED_TIME :T: 2018-12-10 18:18:34
MODIFIED_TIME :T: 2018-12-10 18:18:31
ACCESSED_TIME :T: 2018-12-10 18:18:30
FILE_SIZE :T: 12025904
VTP_TRUST :T: [1] INT8: 0
FILE_PROPERTIES :T: [8] BITMASK: 0x0000000000000000
CERT_NAME :T: [160] STRING: C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH
MD5_A :T: [16] HASH: de54db1266e24049a58a54fa1bf1cf6d
PROCESS_SIGNED :T: true
SIGNER_TRUSTED :T: false
FILE_NAME :T: SUPPORTOLNK.EXE
FILE_NAME :T: SUPPORTOLNK.EXE
FILE_PATH :T: C:\USERS\CALZOLARI\DOWNLOADS
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: GCALZOW10
DRIVE_TYPE :T: IDS_EXP_DT_FIXED:IDS_BLADE_NAME_GEN

What am I doing wrong?

Thank you

 

10 Replies
tzemva
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 11

Re: How to create Access protection Exclusion with Signer

Hi @giangi,

Can you try and reverse the signer information in your exclusion configuration:
CN=TEAMVIEWER GMBH, O=TEAMVIEWER GMBH, L=GOEPPINGEN, S=BADEN-WUERTTEMBERG, C=DE

I saw a similar issue with Exploit Prevention and until "reading signer information" is investigated and addressed reversing was a working workaround.

giangi
Level 9
Report Inappropriate Content
Message 3 of 11

Re: How to create Access protection Exclusion with Signer


@tzemva wrote:

Can you try and reverse the signer information in your exclusion configuration:
CN=TEAMVIEWER GMBH, O=TEAMVIEWER GMBH, L=GOEPPINGEN, S=BADEN-WUERTTEMBERG, C=DE


Unfortunately isn't working...

chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 11

Re: How to create Access protection Exclusion with Signer

I think potentially the problem is, you are excluding the wrong CERT.

What is being blocked? Chrome.exe

The CERT for Chrome - according to your screenshot is: C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC

Try adding this as an exclusion.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
giangi
Level 9
Report Inappropriate Content
Message 5 of 11

Re: How to create Access protection Exclusion with Signer

I cannot exclude the browser! And, btw, it's doing the same using Internet Explorer.

The policy is "Browsers launching files from the Downloaded Program Files folder", so the exception must be done for the "launched file"! Otherwise this policy is completely useless!!!

 12/11/2018 10:18:23.319 AM mfeesp(7240.16392) <SYSTEM> ApBl.AP.Debug: === AP received aac reaction event, Send[true] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {79B2908E-E5EC-7116-28D4-C5B13FDAA57E}
Rule GUID : {D1347B9A-B157-A732-2614-56B717E46CED}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_ALLOW [0] IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
Rule Description: AM::AP||IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
Group Description:
EventID : 1095
Object Type : AAC_OBJECT_FILE
Object Name : C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK (1).EXE
Process Name : C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Process Dll Path :
Process Id : 0x0000000000000948
Thread Id : 0x0000000000001da0
Target Process Id: 0x0000000000000000
Timestamp : 0x01d4913ad8d1e661, 2018-12-11T09:18:23
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x001000a1
Access Mask : 0x00000014 IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
USER_NAME :I: LINKING.IT\Calzolari
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_FILE:IDS_BLADE_NAME_GEN
CREATED_TIME :I: 2018-04-12 18:24:26
MODIFIED_TIME :I: 2018-04-11 09:08:00
ACCESSED_TIME :I: 2018-04-12 18:24:26
FILE_SIZE :I: 823560
VTP_TRUST :I: [1] INT8: 1
CERT_NAME :I: [180] STRING: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
MD5_A :I: [16] HASH: 6465cb92b25a7bc1df8e01d8ac5e7596
PROCESS_SIGNED :I: true
SIGNER_TRUSTED :I: true
PROCESS_ID :I: [8] INT64: 2376
FILE_NAME :I: IEXPLORE.EXE
FILE_PATH :I: C:\PROGRAM FILES\INTERNET EXPLORER
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ENDP_AM_1060
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1.1169
CONTENT_VERSION :T: 10.6.0
CONTENT_CREATED :T: 2015-09-22T11:11:11Z
RULE_DESCRIPTION :T: IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
ACTION_TAKEN :T: IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2018-12-11T09:18:23
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Local System
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 20969637
ACCESS_MASK_TXT :T: IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
CREATED_TIME :T: 2018-12-11 10:18:09
MODIFIED_TIME :T: 2018-12-11 10:18:06
ACCESSED_TIME :T: 2018-12-11 10:18:09
FILE_SIZE :T: 12025904
VTP_TRUST :T: [1] INT8: 0
FILE_PROPERTIES :T: [8] BITMASK: 0x0000000000000000
CERT_NAME :T: [160] STRING: C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH
MD5_A :T: [16] HASH: de54db1266e24049a58a54fa1bf1cf6d
PROCESS_SIGNED :T: true
SIGNER_TRUSTED :T: false
FILE_NAME :T: SUPPORTOLNK (1).EXE
FILE_NAME :T: SUPPORTOLNK (1).EXE
FILE_PATH :T: C:\USERS\CALZOLARI\DOWNLOADS
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: GCALZOW10
DRIVE_TYPE :T: IDS_EXP_DT_FIXED:IDS_BLADE_NAME_GEN

chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 11

Re: How to create Access protection Exclusion with Signer

Exclusions can only be made for the Source. Not for the target.

I can only suggest you raise a PER for this, we do continously work on improving the way exclusions can be made but customer suggestions are always appreciated: https://community.mcafee.com/t5/Business-Ideas/idb-p/business-ideas

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
tzemva
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 11

Re: How to create Access protection Exclusion with Signer

Hi @giangi,

You could create an Exploit Prevention expert rule to replace stock AP rule and create an exception on target:

Here is the basic structure of AAC-based rules:

ExpertRules.jpg


More about Expert Rules:
Endpoint Security 10.6.x Threat Prevention Product Guide (ePO managed)
Product Documentation ID: PD27574

giangi
Level 9
Report Inappropriate Content
Message 8 of 11

Re: How to create Access protection Exclusion with Signer

@tzemva wrote:

You could create an Exploit Prevention expert rule to replace stock AP rule and create an exception on target:

Thanks but NO, I will not mess with them for something that the policy should do natively!

 

jess_arman
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 11

Re: How to create Access protection Exclusion with Signer

@giangi It may make more sense why the rule is functioning the way it is when you remember that Access Protection is a mechanism that monitors and blocks the actions of processes against files. Yes, it can block creation and modification of files, but that action is done by blocking the process which is attempting to take the create/write/etc action to make that happen. 

Access Protection has always functioned in a way that the acting process is what must be included/excluded, and it could be only processes, not files, that can be excluded from those rules. (It just so happens that there's a slight extra layer of confusion/coincidence here in that your target file is also technically a process.)

If you would like to suggest that behavior be made to do otherwise, then you could submit a Product Idea as chealey suggested. We definitely agree that there are instances, like yours, in which it would be useful for the mechanisms to function differently, however, in their current state, they're functioning as they've always been designed to, thus far.

The available method to meet your needs in current functionality is the Expert Rules, as suggested. If you choose that you don't want to dabble in that, then that's fine, we're just here to help and inform you of what is available. Smiley Happy

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

giangi
Level 9
Report Inappropriate Content
Message 10 of 11

Re: How to create Access protection Exclusion with Signer


@jess_arman wrote:

It may make more sense why the rule is functioning the way it is when you remember that Access Protection is a mechanism that monitors and blocks the actions of processes against files.


I agree 200% with you, but only for this specific policy it just doesn't make sense to whitelist the "source" browser instead of the "target" executed.

Yes, I did create a Suggestion... Smiley Wink

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community