I have a machine that is generating a large number of Access Protection events 1095 during the day. The Threat Source Process Name is powershell.exe
which targets DLLs located under the C:\Windows\Temp\xxxxxxxxxxxx\ folder. This is an example of the description being reported on one of the events:
NT AUTHORITY\SYSTEM ran C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, which accessed the file C:\Windows\Temp\2C3CA083-7B25-4294-B2C1-95AFD7A80F9A\DismCore.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn't configured to block.
Any idea what may be causing this large number of events? And is there a way to stop since it seems to consume system resources on the machine?
Endpoint Security Threat Prevention version is 10.7.0.2298
AMCore content version 4379.0
ePO version 5.9.1
Hi @Linuxxo ,
Please check the event details and confirm if you see any command line for PowerShell.
Also try the following
1) Run a full scan with latest DAT updates.
2) Use GetSusp to find any suspicious files and submit them to McAfee Labs
How to use Getsusp - https://www.mcafee.com/enterprise/en-in/downloads/free-tools/how-to-use-getsusp.html
How to submit samples - https://kc.mcafee.com/corporate/index?page=content&id=KB68030
3) Run Stinger to get rid of any rootkits or WMI infections
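The triage the reply above asks for, as an added example in PowerShell that is not from the thread or from McAfee: it parses Access Protection descriptions in the format quoted in the thread into objects, flags targets under C:\Windows\Temp\<GUID>\, and, on the affected host, pulls PowerShell command lines from Security event 4688. The sample descriptions are constructed from the ones quoted in the thread; the 4688 property indices assume the Windows 10 / Server 2016 event schema and the "Include command line in process creation events" policy being enabled.

```powershell
# Added example (not from the thread or McAfee). Sample descriptions are
# constructed from the ones quoted in the thread.
$descriptions = @(
  'NT AUTHORITY\SYSTEM ran C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, which accessed the file C:\Windows\Temp\2C3CA083-7B25-4294-B2C1-95AFD7A80F9A\DismCore.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn''t configured to block.',
  'NT AUTHORITY\SYSTEM ran C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, which accessed the file C:\Windows\Temp\2C3CA083-7B25-4294-B2C1-95AFD7A80F9A\AppxProvider.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn''t configured to block.',
  'NT AUTHORITY\SYSTEM ran C:\Windows\System32\msiexec.exe, which accessed the file C:\Program Files\McAfee\Example.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn''t configured to block.'
)

# Field layout of the ENS Access Protection description text as quoted in the thread
$pattern = '^(?<User>.+?) ran (?<Process>.+?), which accessed the file (?<Target>.+?), violating the rule "(?<Rule>[^"]+)"\. Access was (?<Action>allowed|blocked)'

function ConvertFrom-ApDescription {
  param([Parameter(ValueFromPipeline)][string]$Text)
  process {
    if ($Text -match $pattern) {
      [pscustomobject]@{
        User    = $Matches.User
        Process = $Matches.Process
        Target  = $Matches.Target
        Rule    = $Matches.Rule
        Action  = $Matches.Action
        # Pattern seen in the thread's examples: a DLL in C:\Windows\Temp\<GUID>\
        TempGuidDll = [bool]($Matches.Target -match '^C:\\Windows\\Temp\\[0-9A-Fa-f-]{36}\\[^\\]+\.dll$')
      }
    }
  }
}

# Summarise which source processes write where, so outliers stand out
$events = $descriptions | ConvertFrom-ApDescription
$events | Group-Object Process, TempGuidDll | Select-Object Count, Name | Format-Table -AutoSize

# On the affected host: the PowerShell command lines behind the events, from
# Security 4688. Property indices: 5 = NewProcessName, 8 = CommandLine,
# 13 = ParentProcessName (Windows 10 / Server 2016 schema; assumption).
function Get-PowerShellCommandLines {
  param([int]$Hours = 24)
  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction Stop |
    Where-Object { $_.Properties[5].Value -like '*\powershell.exe' } |
    ForEach-Object {
      [pscustomobject]@{ Time = $_.TimeCreated; Parent = $_.Properties[13].Value; CommandLine = $_.Properties[8].Value }
    }
}
```

Run `Get-PowerShellCommandLines | Group-Object Parent, CommandLine | Sort-Object Count -Descending` on the noisy machine to see which parent process keeps launching PowerShell and with what arguments.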
I have followed your instructions; unfortunately, no threat was found. In addition, I have now started seeing Event ID 1092 with msiexec.exe as the Threat Source Process Name and C:\Program Files\McAfee\ as the Threat Target File Path. Are there any other things that may need to be checked?
Hi @Linuxxo ,
Access Protection Rule "Creating new executable files in the Windows folder" prevents the creation of files from any process, not just from over the network.
This rule prevents the creation of .EXE and .DLL files in the Windows folder.
It doesn't indicate there's malware, but it's good practice to check what the source process was doing.
msiexec.exe is an installer service that normally writes into the Windows folder and can be ignored.
Thanks for your reply. I know that msiexec.exe should be safe, but is there any chance that malware may use it to compromise the system? Or can it just be trusted and excluded?
Was this ever resolved?
I've been seeing many similar events. For example: NT AUTHORITY\SYSTEM ran C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, which accessed the file C:\Windows\Temp\XXX\AppxProvider.dll, violating the rule "Creating new executable files in the Windows folder". Access was allowed because the rule wasn't configured to block.
Threat Source: powershell.exe
Is there a way to prevent these events from generating if they're only false positives?