Linuxxo
Level 11
Message 1 of 6

Large number of Access Protection events 1095

Hi,

I have a machine that is generating a large number of Access Protection events 1095 during the day. The Threat Source Process Name is powershell.exe, which targets DLLs located under the C:\Windows\Temp\xxxxxxxxxxxx\ folder. This is an example of the description being reported on one of the events:

NT AUTHORITY\SYSTEM ran C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, which accessed the file C:\Windows\Temp\2C3CA083-7B25-4294-B2C1-95AFD7A80F9A\DismCore.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn't configured to block.

Any idea what may be causing this large number of events? And is there a way to stop since it seems to consume system resources on the machine?

Many thanks

Endpoint Security Threat Prevention version is 10.7.0.2298
AMCore content version 4379.0
ePO version 5.9.1

5 Replies
Pravas
McAfee Employee
Message 2 of 6

Re: Large number of Access Protection events 1095

Hi @Linuxxo ,

Please check the event details and confirm if you see any command line for PowerShell.

Also try the following

1) Run a full scan with latest DAT updates.

2) Use Getsusp to find any suspicious files and submit them to McAfee Labs

How to use Getsusp - https://www.mcafee.com/enterprise/en-in/downloads/free-tools/how-to-use-getsusp.html

How to submit samples - https://kc.mcafee.com/corporate/index?page=content&id=KB68030

3) Run Stinger to get rid of any rootkits or WMI infections

https://www.mcafee.com/enterprise/en-in/downloads/free-tools/how-to-use-stinger.html

Thanks


Linuxxo
Level 11
Message 3 of 6

Re: Large number of Access Protection events 1095

Hi Pravas,

I have followed your instructions; unfortunately, no threat was found. In addition, I have now started seeing Event ID 1092 with msiexec.exe as the Threat Source Process Name, and C:\Program Files\McAfee\ as the Threat Target File Path. Are there any other things that may need to be checked?

Many thanks. 

Pravas
McAfee Employee
Message 4 of 6

Re: Large number of Access Protection events 1095

Hi @Linuxxo ,

The Access Protection rule "Creating new executable files in the Windows folder" prevents the creation of files from any process, not just from over the network.

This rule prevents the creation of .EXE and .DLL files in the Windows folder.

It doesn't indicate there's malware, but it's good practice to check what the source process was doing.

msiexec.exe is an installer service that normally writes into the Windows folder and can be ignored.

Thanks

Linuxxo
Level 11
Message 5 of 6

Re: Large number of Access Protection events 1095

Thanks for your reply. I know that msiexec.exe should be safe, but is there any chance that malware may use it to compromise the system? Or can it just be trusted and excluded?

SethBen
Level 7
Message 6 of 6

Re: Large number of Access Protection events 1095

Was this ever resolved?

I've been seeing many similar events. For example: NT AUTHORITY\SYSTEM ran C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, which accessed the file C:\Windows\Temp\XXX\AppxProvider.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn't configured to block.

Threat Source: powershell.exe

Is there a way to prevent these events from generating if they're only false positives?
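One way to triage the event volume discussed in this thread, added here as an example that is not from the original posts and not McAfee's code: it parses the description text quoted above into its fields (user, source process, target file, rule, action), collapses the per-run GUID folder names under C:\Windows\Temp so repeated events group into one line, and lists the groups whose source process is not on a list of expected installers. The EXPECTED_WRITERS list (only msiexec.exe, following the reply above), the sample descriptions, the second GUID and the msiexec rule name are constructed assumptions, not values from a real export.

```python
import re
from collections import Counter
from typing import Optional

# Description format as quoted in this thread (ENS Access Protection, event 1095):
#   <user> ran <process>, which accessed the file <target>, violating the rule
#   "<rule>". Access was allowed because the rule wasn't configured to block.
DESC_RE = re.compile(
    r"^(?P<user>.+?) ran (?P<process>.+?), which accessed the file (?P<target>.+?), "
    r'violating the rule "(?P<rule>[^"]+)"\. Access was (?P<action>allowed|blocked)'
)

# Per-run folder names such as C:\Windows\Temp\2C3CA083-...-95AFD7A80F9A\ differ on
# every event; collapsing them lets thousands of events group into a single line.
GUID_RE = re.compile(r"\\[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\\")

# Assumption taken from the reply above: msiexec.exe writing executables is expected
# installer activity. Every other source process is surfaced for a manual look at
# what it was doing (command line, parent, what it wrote).
EXPECTED_WRITERS = {"msiexec.exe"}


def parse_event(description: str) -> Optional[dict]:
    """Split one event description into its fields; return None if the format differs."""
    m = DESC_RE.match(description.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["process_name"] = ev["process"].rsplit("\\", 1)[-1].lower()
    target_dir = ev["target"].rsplit("\\", 1)[0] + "\\"
    ev["target_pattern"] = GUID_RE.sub(r"\\<GUID>\\", target_dir)
    return ev


def summarize(descriptions):
    """Count events by (source process, rule, target folder pattern, action)."""
    counts = Counter()
    unparsed = 0
    for desc in descriptions:
        ev = parse_event(desc)
        if ev is None:
            unparsed += 1
            continue
        counts[(ev["process_name"], ev["rule"], ev["target_pattern"], ev["action"])] += 1
    return counts, unparsed


def needs_review(descriptions):
    """Return the groups whose source process is not on the expected-writer list."""
    counts, _ = summarize(descriptions)
    return {key: n for key, n in counts.items() if key[0] not in EXPECTED_WRITERS}


# Constructed sample descriptions in the format quoted in the thread (not real exports).
SAMPLE_EVENTS = [
    "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, "
    "which accessed the file C:\\Windows\\Temp\\2C3CA083-7B25-4294-B2C1-95AFD7A80F9A\\DismCore.dll, "
    'violating the rule "Creating new executable files in the Windows folder". '
    "Access was allowed because the rule wasn't configured to block.",
    # constructed GUID; the target DLL name comes from the last reply in the thread
    "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe, "
    "which accessed the file C:\\Windows\\Temp\\9F2A1C44-0B6E-4E1D-8C33-5D7E0A1B2C3D\\AppxProvider.dll, "
    'violating the rule "Creating new executable files in the Windows folder". '
    "Access was allowed because the rule wasn't configured to block.",
    # constructed msiexec line; the rule name here is a placeholder, not from the page
    "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\msiexec.exe, "
    "which accessed the file C:\\Program Files\\McAfee\\example.dll, "
    'violating the rule "Creating new executable files in the Program Files folder". '
    "Access was allowed because the rule wasn't configured to block.",
    # a truncated export line, to show that unparsable rows are counted rather than dropped silently
    "Event 1095 description truncated",
]

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_EVENTS)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(n, *key)
    print("unparsed:", unparsed)
    print("needs review:", needs_review(SAMPLE_EVENTS))
```

Run against the descriptions exported from ePO, the grouped output answers the question the replies above pose (what the source process was writing, and where) without reading every one of the events individually; the unparsed count tells you whether the export contains rows in a different format that the regex missed.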
