Hello,
Currently we are getting several alerts from ePO.
Information:
Analyzer Detection Method: Exploit Prevention
Threat Name: Malware Behavior: Windows EFS Abuse
Threat Target File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
AMCORE Version: 3955.0
Threat Prevention Version: 10.6.1.1273
Do you have any suggerstion?
Thank you!
Solved! Go to Solution.
Hi @Zebu, @sw41, @cheetah, @d00d, @NebulaBilisim,
Firstly Thank you reporting the issue here and actively help us wit the investigation. To clarify our current stance on this issue I would like to submit the below draft.
If you are facing an False positive due to the new Signature introduced exploit prevention content (9845) with the Threat name: Malware Behavior: Windows EFS Abuse,
What does Support do when we report this to them?
Support will raise an issue internally with our Labs team who will validate this reported False positive internally and check if we can add exclusion at content level which will be released subsequently on the next Exploit prevention content release or a future version as applicable until which our exclusion should serve the purpose.
If we still receive the False Positive, what is the use of the newer signature released by McAfee? What have you done in it to mitigate the issue?
Based on our initial analysis and Customer reports we were able to pick up the most critical application identified which can hamper production environment and we added exclusion to the signature. Additionally, we have disabled this rule and lowered it's severity so that it can be enabled by users based on their requirement - just like few other low severity rules we have in place.
I have updated to the latest content 9863 and I can see that the signature is not disabled by default in the policy I have. Why is it so?
This would actually be a nice question though! Answer is straight forward. We do not disable/enable signatures that are of non High severity in any custom policy. Basically the changes of the new content will reflect in the McAfee default policy and if you have a custom policy where this is enabled, you may have to disable it manually if needed.
All other queries and addition of exclusion should be well explained in this KBA:
False positive mitigation for Exploit Prevention signature 6148 for non-standard installation paths
https://kc.mcafee.com/corporate/index?page=content&id=KB92350
I sincerely hope this is of some use to all of you here. Please feel free to ask more questions if you have any with respect to this post!
Hi @sw41
Yes it is already taken care by the updated Exploit Prevention content. You can install 9863 (released on 28th Jan) that has the false positive resolved.
Hi @Zebu
Can you please confirm that Exploit Prevention content version is 9845?
If you are using the above EP content then please proceed to open a service ticket and provide Debug enabled Log from one of the machine. You just need to enable the Debug log of OAS on the machine and wait for the event to trigger. Capture the MER log from the machine and open a service ticket. Provide me the ticket number so that I can take it further with the content team.
Yes I'm confirming that Exploit Prevention content version is 9845 and opening a ticket.
Please share me the ticket number.
@patrakshar Our environment also also has few events trigger by ENS yesterday as mentioned by @Zebu.
Can you please share the fix on this post?
Threat Event Log: Details
Hi @bodysoda
I am working with the content team on that. As soon as there is any update i will let you know. Will suggest to open a SR for the same with the support team at this point for tracking purpose. Please provide me the SR number as well.
Till we are done with the analysis, we will suggest to disable this specific EP tool temporarily.
Hi,
any new updates for that issue?
regards
Hello,
What is you ePO version number? It seems the problem is with Exploit Prevention rule 6148. We have older version than ePO 5.10. I suggest to open a SR ticket if you are having problem with this. Our SR is escalated to McAfee LABS.
Hi All,
We are working with our content team on this. As soon as there is any update, I will update this thread. Please disable the specific Signature ID till we provide a permanent solution to this.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA