Community Help Hub

Zebu · ‎01-19-2020

Hello,

Currently we are getting several alerts from ePO.

Information:
Analyzer Detection Method: Exploit Prevention
Threat Name: Malware Behavior: Windows EFS Abuse

Threat Target File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

AMCORE Version: 3955.0

Threat Prevention Version: 10.6.1.1273

Do you have any suggerstion?

Thank you!

AdithyanT

Hi @Zebu, @sw41, @cheetah, @d00d, @NebulaBilisim,

Firstly Thank you reporting the issue here and actively help us wit the investigation. To clarify our current stance on this issue I would like to submit the below draft.

If you are facing an False positive due to the new Signature introduced exploit prevention content (9845) with the Threat name: Malware Behavior: Windows EFS Abuse,

Please ensure your Exploit Prevention Content is the latest (9863) an check if you receive the FP alert again
Please confirm if you entirely trust the application and add it to the exclusion (temporary work around)
Now Please open a Service Request with us to confirm the validity of the trigger and if an exclusion can be added at the content level.

What does Support do when we report this to them?

Support will raise an issue internally with our Labs team who will validate this reported False positive internally and check if we can add exclusion at content level which will be released subsequently on the next Exploit prevention content release or a future version as applicable until which our exclusion should serve the purpose.

If we still receive the False Positive, what is the use of the newer signature released by McAfee? What have you done in it to mitigate the issue?

Based on our initial analysis and Customer reports we were able to pick up the most critical application identified which can hamper production environment and we added exclusion to the signature. Additionally, we have disabled this rule and lowered it's severity so that it can be enabled by users based on their requirement - just like few other low severity rules we have in place.

I have updated to the latest content 9863 and I can see that the signature is not disabled by default in the policy I have. Why is it so?

This would actually be a nice question though! Answer is straight forward. We do not disable/enable signatures that are of non High severity in any custom policy. Basically the changes of the new content will reflect in the McAfee default policy and if you have a custom policy where this is enabled, you may have to disable it manually if needed.

All other queries and addition of exclusion should be well explained in this KBA:

False positive mitigation for Exploit Prevention signature 6148 for non-standard installation paths

https://kc.mcafee.com/corporate/index?page=content&id=KB92350

I sincerely hope this is of some use to all of you here. Please feel free to ask more questions if you have any with respect to this post!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

View solution in original post

patrakshar

Hi @sw41

Yes it is already taken care by the updated Exploit Prevention content. You can install 9863 (released on 28th Jan) that has the false positive resolved.

View solution in original post

patrakshar · ‎01-19-2020

Hi @Zebu

Can you please confirm that Exploit Prevention content version is 9845?

If you are using the above EP content then please proceed to open a service ticket and provide Debug enabled Log from one of the machine. You just need to enable the Debug log of OAS on the machine and wait for the event to trigger. Capture the MER log from the machine and open a service ticket. Provide me the ticket number so that I can take it further with the content team.

Zebu · ‎01-19-2020

Yes I'm confirming that Exploit Prevention content version is 9845 and opening a ticket.

patrakshar · ‎01-19-2020

Please share me the ticket number.

bodysoda · ‎01-19-2020

@patrakshar Our environment also also has few events trigger by ENS yesterday as mentioned by @Zebu.

Can you please share the fix on this post?

Threat Event Log: Details

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!

patrakshar · ‎01-19-2020

Hi @bodysoda

I am working with the content team on that. As soon as there is any update i will let you know. Will suggest to open a SR for the same with the support team at this point for tracking purpose. Please provide me the SR number as well.

Till we are done with the analysis, we will suggest to disable this specific EP tool temporarily.

BN-Rob

Hi,

any new updates for that issue?

regards

Zebu

Hello,

What is you ePO version number? It seems the problem is with Exploit Prevention rule 6148. We have older version than ePO 5.10. I suggest to open a SR ticket if you are having problem with this. Our SR is escalated to McAfee LABS.

bodysoda

Our EPO is 5.10 With an update 2(will confirm tomorrow update number).

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!

patrakshar

Hi All,

We are working with our content team on this. As soon as there is any update, I will update this thread. Please disable the specific Signature ID till we provide a permanent solution to this.

Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Re: Malware Behavior: Windows EFS Abuse

Community Help Hub

Join the Community