bretzeli
Reliable Contributor
Message 1 of 4

MCAFEE ENS 10.7 10.7.0.2174 OCT | False/Positive IPS 6163 Malicious Shellcode

W10 1909, PRO or ENTERPRISE, GERMAN or ENGLISH


MCAFEE PARTNER reports problems with early integration of ENS 10.7 OCT

Hello,

We went early to ENS 10.7 10.7.0.2174 OCT internally on our own network because we saw the fix notes about Framework.net code in the Release Notes.

We see multiple false positives on IPS Exploit rule 6163 if active (several apps crashed during rollout).

This is what we see, because we had IPS 6163 on Report and Block after a test phase of over 2 months with NO false positives with most customers on ENS 10.7 SEP.

Now there are many new alerts/blocks for:


ExP:Illegal API Use | C:\WINDOWS\SYSTEM32\NOTEPAD.EXE | Buffer Overflow durch Host-Eindringungsversuch | Critical


ExP:Illegal API Use Blockiert einen Exploit-Versuch auf C:\WINDOWS\SYSTEM32\NOTEPAD.EXE, wodurch ein Angriff auf die API RtlUserThreadStart durchgeführt wurde.


ExP:Illegal API Use | C:\WINDOWS\SYSTEM32\RUNDLL32.EXE | Buffer Overflow durch Host-Eindringungsversuch | Critical

"C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617

ExP:Illegal API Use Blockiert einen Exploit-Versuch auf C:\WINDOWS\SYSTEM32\NOTEPAD.EXE, wodurch ein Angriff auf die API RtlUserThreadStart durchgeführt wurde.

 

The rundll32.exe -localserver leads here and nowhere else:

https://superuser.com/questions/1175267/what-is-this-rundll32-instance-running

https://translate.google.com/translate?hl=en&sl=zh-CN&u=https://social.msdn.microsoft.com/Forums/en-...

 

Tier 1 McAfee: no, I can't reproduce it; those are development machines on which we compile healthcare software.

But we also see the notepad.exe event on a regular back-office W10 1909 German OS machine.

Greetings from Switzerland

 
 

mcafee_001_2020-11-11 13_16_36-Window.png

 

 

3 Replies
Dayananda
McAfee Employee
Message 2 of 4

Re: MCAFEE ENS 10.7 10.7.0.2174 OCT | False/Positive IPS 6163 Malicious Shellcode

Hello,

Thank you for your post.

By default rule 6163 is disabled, but if it is a false positive you can disable the rule for the time being.

And could you let us know the exploit content version that you have updated on the systems, so that I can check if there is any false positive detection with this rule.

I look forward to your reply.

Regards,
Daya
bretzeli
Reliable Contributor
Message 3 of 4

Re: MCAFEE ENS 10.7 10.7.0.2174 OCT | False/Positive IPS 6163 Malicious Shellcode

Hello,

 

It comes down to a strategy for protecting against 0-days. We came out of the bush after months of testing the newer IPS rules and finally made them active (Block) on most customers. (Most of them.) This after a really long period of centralized monitoring over all customers.

That was just the week before the ENS 10.7 NOV release.

Let's take it down without "chit chat". If you block c:\windows\system\notepad.exe on a W10 1909 PRO or Enterprise with an IPS rule, you failed, guys. Revise the IPS rule and fix it please. But not in 2 months with the 10.7 JAN; that is too hot.

There is a reason engineers currently roll out ENS 10.7 NOV, and it's that the Web Control plugin from McAfee finally works. We all waited 10 months for that. I know it was Microsoft and what they allow and don't in their new Edge (I hope). At the same time the NEW EDGE appeared in the on-premise WSUS server after they said that 8 months ago. So it has to be in that direction.

This is an important step for protecting home office users during this time for companies who don't have Web Gateway in place. You can use FortiClient Full with EMS or other solutions which work, but if you want to keep it all from one producer (at least McAfee management and sales want that....)

 

SystemCore Version: 20.9.0.193

Amcore: 4254.0

Exploit: 10.6.0.10775

Exploit Date: 20.10.2020 11:19 PM

mcafe_001_2020-11-12 10_49_48-w10 - VMware Workstation.png

MCAFE_002_2020-11-12 10_49_48-w10 - VMware Workstation.png

bretzeli
Reliable Contributor
Message 4 of 4

Re: MCAFEE ENS 10.7 SEP | False/Positive IPS 6155 Malicious DLL Injection Detected notepad.exe

We just saw this with another customer with another IPS rule, 6155, and also on c:\windows\system32\notepad.exe, on 17.11.2020 with the ENS 10.7 SEP (2000) release.

This is not related to 10.7 NOV.

 

Was this fixed now with an AMCORE update, or is it still open?

 


Analyseprogramm – Inhaltsversion:
10.6.0.10775

Analyseprogramm – Regel-ID:
6155

Analyseprogramm – Regelname:
Suspicious Behavior: Malicious DLL Injection Detected

Quellenbeschreibung:
"C:\windows\system32\NOTEPAD.EXE"
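The first and the last post both describe Block-mode Exploit Prevention hits (rules 6163 and 6155) on Windows' own notepad.exe and on a rundll32.exe -localserver COM surrogate. The script below is an added example, not McAfee's code and not from the poster: it parses alert rows of the pipe-separated shape quoted in the thread, classifies each hit for analyst review, and, per rule, recommends whether to keep Block or fall back to Report while a false-positive case is open (the route the McAfee reply suggests). The rule IDs, the `C:\Users\dev\build\app.exe` row, the "Suspicious Behavior" row and the OS-binary directory list are constructed assumptions for the example; the rows do not carry the rule ID, so it is passed alongside.

```python
"""Triage helper for McAfee ENS Exploit Prevention alerts (added example).

Assumptions, not from the thread: alert rows have the pipe-separated
"signature | process | description | severity" shape quoted in the first post;
the rule ID and command line are supplied next to each row; the list of
Windows OS binary directories is illustrative.
"""
import re
from collections import Counter

# Rule IDs and names as they appear in the thread.
RULE_NAMES = {6163: "Malicious Shellcode", 6155: "Malicious DLL Injection Detected"}

# Directories of binaries that ship with Windows (assumption for the example).
# A Blocked hit on one of these from an ordinary workstation is a candidate
# false positive for an analyst to confirm, not proof of one.
OS_BINARY_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# "rundll32.exe -localserver <CLSID>" is the COM local-server surrogate
# invocation the first post links to; match the CLSID with or without braces.
COM_LOCALSERVER_RE = re.compile(
    r"-localserver\s+\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?", re.I)

V_COM = "review: rundll32 -localserver <CLSID> (COM local-server surrogate)"
V_OS = "review: Windows OS binary flagged"
V_INVESTIGATE = "investigate: non-OS binary"
R_REPORT_ONLY = "switch rule to Report and open a false-positive case with the exploit content version"
R_KEEP_BLOCK = "keep Block; investigate the non-OS hits first"


def parse_alert(row, rule_id=None, cmdline=None):
    """Split one pipe-delimited ENS alert row into a dict."""
    parts = [p.strip() for p in row.split("|")]
    if len(parts) != 4:
        raise ValueError(f"unexpected alert row: {row!r}")
    signature, process, description, severity = parts
    return {"signature": signature, "process": process, "description": description,
            "severity": severity, "rule_id": rule_id, "cmdline": cmdline}


def triage(alert):
    """Classify one alert: COM surrogate, OS binary, or anything else."""
    if alert.get("cmdline") and COM_LOCALSERVER_RE.search(alert["cmdline"]):
        return V_COM
    if alert["process"].lower().startswith(OS_BINARY_DIRS):
        return V_OS
    return V_INVESTIGATE


def summarize(alerts):
    """Count verdicts per rule; recommend Report-only when every hit on a rule
    is an OS-binary or COM-surrogate candidate, otherwise keep Block."""
    per_rule = {}
    for a in alerts:
        per_rule.setdefault(a["rule_id"], Counter())[triage(a)] += 1
    recommendations = {}
    for rule_id, counts in per_rule.items():
        only_review = all(v.startswith("review:") for v in counts)
        recommendations[rule_id] = R_REPORT_ONLY if only_review else R_KEEP_BLOCK
    return per_rule, recommendations


# Constructed sample: the two rows quoted in the first post, one invented
# in-house build hit by the same rule, and one row shaped after the rule-6155
# fields in the last post.
SAMPLE_ALERTS = [
    parse_alert("ExP:Illegal API Use | C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE | "
                "Buffer Overflow durch Host-Eindringungsversuch | Critical", rule_id=6163),
    parse_alert("ExP:Illegal API Use | C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE | "
                "Buffer Overflow durch Host-Eindringungsversuch | Critical", rule_id=6163,
                cmdline='"C:\\WINDOWS\\system32\\rundll32.exe" -localserver '
                        '22d8c27b-47a1-48d1-ad08-7da7abd79617'),
    parse_alert("ExP:Illegal API Use | C:\\Users\\dev\\build\\app.exe | "
                "Buffer Overflow durch Host-Eindringungsversuch | Critical", rule_id=6163),
    parse_alert("Suspicious Behavior | C:\\windows\\system32\\NOTEPAD.EXE | "
                "Malicious DLL Injection Detected | Critical", rule_id=6155),
]

if __name__ == "__main__":
    per_rule, recs = summarize(SAMPLE_ALERTS)
    for rule_id, counts in per_rule.items():
        print(f"rule {rule_id} ({RULE_NAMES.get(rule_id, 'unknown')}): {dict(counts)}")
        print(f"  -> {recs[rule_id]}")
```

Run as-is it reports rule 6163 as mixed (one OS binary, one COM surrogate, one non-OS hit, so Block stays) and rule 6155 as review-only (switch to Report and open a case). The verdicts are deliberately "review", not "false positive": a hit on a signed OS binary is where to start a ticket, and the exploit content version that McAfee asks for belongs in that ticket.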
