cancel
Showing results for 
Search instead for 
Did you mean: 
SWISS Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 6

IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

Hello,

In KB82450 Mcafee describes a BUG that all NEW IPS rules will be REPORT AND BLOCK. It's documented BUG but we all wanted it like this (New IPS Active esp. for 0day's). Now we see what happens...

The new EFS Encryption rule which was released on 25.01.2020 which blocks upcoming EFS Ransomware generates 

FALSE/POSTIVE we see at one customer (While MOVING mailboxes from OLD 2010 to new 2016 Exchange)

"E:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe"
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\082F1D1E87D490A9B395B4E4AF2CBA6D_8309375B-BA2F-471D-8032-24307D448CEE

ENS 10.6.X, Exchange 2016 on Server 2016

 

Workaround: Use either of the following workarounds:
Modify the ENS Threat Prevention Exploit Prevention policy assigned to the systems and disable the Block and Report setting for Medium severity signatures.
Review the ENS Threat Prevention Exploit Prevention Medium severity events and determine whether a false positive event occurred. If the signature is not applicable to the environment, disable the signature.

Resolution: This issue is expected to be resolved in ENS 10.7.0 Update 1. See the related article for more information.

 

Greetings from Switzerland

 

 

 

1 Solution

Accepted Solutions
yaz McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

Hi @SWISS 

This is a known issue that we are working on. Issue will be resolved with ENS 10.7 Update 1. 

Here is the KB below for workaround. 

https://kc.mcafee.com/corporate/index?page=content&id=KB92310

View solution in original post

5 Replies
yaz McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

Hi @SWISS 

This is a known issue that we are working on. Issue will be resolved with ENS 10.7 Update 1. 

Here is the KB below for workaround. 

https://kc.mcafee.com/corporate/index?page=content&id=KB92310

View solution in original post

SWISS Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 6

Re: IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

@yaz

 

We posted the solution and the hint to 10.7 Update 1 already in our original post.

And why was the post from JoseRR deleted by Mcafee. He is absolute right.

Again we welcome that Mcafee enebales IPS Rules for 0DAY like the EFS Ransomware.

Even if that is a high risk for customers. Mcafee released the IPS before the weekend and was asuming that during the weekend a EFS-Ransomware wave would come.

The main problem i see that some customer and even mcafee does asume that we use ENS also on Server which works actualy fine.

 

The comment which was deleted from other user:

JoseRR (Level 10) posted a new reply in Endpoint Security (ENS) on 01-29-2020 01:32 AM:

JoseRR
Level 10
Report Inappropriate Content
Message 4 of 6

Re: IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

Sorry it wasn't McAfee who deleted it but myself as instructed by my manager unfortunately.

We are a partner, seems we have to keep good PR

SWISS Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 6

Re: IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

Well it's OK even if the partner in the name of the customer bashes Mcafee or the people who want to earn points here. That's what customers pay us for. And if you believe in the products which we personal do this only harms the business. 

Security business if full of sales blenders these days who say their products works better than other and at theb end you end up with False/Positive the full day.

0DAY HIPS and IPS rules make no sense if somebody has to atcivate them in MONITOR mode and then SHARP (Block). That is related to all Brand (Palo Alto/Traps, Symantec, Trend, Kaspersky and Microsoft).

There is so much bull**bleep** sales going on and at the end you have so much false/Positives.

I think Mcafee runs good here overall products. What they don't run good is false positive even on their own products (Framework/TIE/VSE DLL etc.).

 

RISK

That means nothing else then Mcafee pushes the RISK to it's partner who have to enbale the rules.

By enable they mean you enable you the rule at 01:00 in the night or at weekend. Simply NO endcustomer understands that.

The latest bigger ransomware case in germany was because a IPS filter was not enbaled and MONITOR only. T-Systems did an analyse of that and said it's because they used Mcafee (Just so they can sell something else). It was not Mcafee it was the NEW IPS filter not active in time.

By the way Fortigate Fortiguard ships new IPS filters DE-Actuvated (Monitor) for one week and then enables them after 1 week.

They all test on the customer.

Now this is related to custom branch or regional software. But Microsoft Exchnage 2016 is a well known product and they can test it in the labs. The effect for that Rule only PULLS if a Admin Migrates a Mailboxen from and old to a new server. (Kind of special again...)

 

 

JoseRR
Level 10
Report Inappropriate Content
Message 6 of 6

Re: IPS, EXPLOIT 6148 EFS does affect ENS 10.6 and 10.7 Blocks Exchange 2016

Jump to solution

I fully agree with you, my boss also but politics seems to come first.

"Security business if full of sales blenders these days who say their products works better than other and at theb end you end up with False/Positive the full day."

"There is so much bull**bleep** sales going on and at the end you have so much false/Positives."

This is everyday's story and certainly many customers don't understand it.

In my case I made and exclusion for a particular application and convinced the customer it was good thing adding new signatures. The following day was calling back as a different application was being blocked. Made another exclusion for a whole folder this time. 

The third time they called in I just disabled the signature directly. Examples:

NT AUTHORITY\SYSTEM ran WS_TOMCATSERVICE.EXE, which tried to access C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\98A6697BC4B4458E66AF5297AE763307_CA65D527-D32E-40CA-A72B-7126AAEBF731, violating the rule "Malware Behavior : Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.

NT AUTHORITY\SYSTEM ran WS_TUNNELSERVICE.EXE, which tried to access C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0A654418AC9C341628897393C1A383A8_CA65D527-D32E-40CA-A72B-7126AAEBF731, violating the rule "Malware Behavior : Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.

 

I will open an account here with my private email address.

 

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community