Zebu
Level 9
Message 31 of 48

Re: Malware Behavior: Windows EFS Abuse


We are still struggling, and LABS is working on our case because these rules are not visible in ePO despite our having already updated the content version.

ezim
Level 7
Message 32 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi Zebu,

You'll need to make sure you set the "Filter" to display "Severity: Others" in order to see the Signature now and be able to switch it off if that is what you want/need to do.

Elke

BN-Rob
Level 8
Message 33 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi,

Is there any status update on this?

regards

AdithyanT, McAfee Employee
Message 34 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @BN-Rob,

Apologies for not looping you in on my previous reply. May I know what update you seek on this issue? Are you facing a false positive for this rule? May I know if my previous response can help or clarify this for you in any way?


Thanks and regards,
Adithyan T
sw41
Level 10
Message 35 of 48

Re: Malware Behavior: Windows EFS Abuse


The actual fix vs. whitelisting/disable workarounds. This did not seem to be a problem a few weeks back, and I thought I saw that a true fix was on the way, perhaps in an updated DAT file or something.

patrakshar, McAfee Employee
Message 36 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @sw41,

Yes, it is already taken care of by the updated Exploit Prevention content. You can install 9863 (released on 28th Jan), which has the false positive resolved.

Pmaquoi, Reliable Contributor
Message 37 of 48

Re: Malware Behavior: Windows EFS Abuse


We have been suffering from this issue for a few days, but in our case the rule is no longer present in the Policy (with all options activated, the rule is NOT shown), and we have some servers that are uploading block events to the ePO.

To be more precise: thousands of false positive block events on that rule since +- 16/02, so yesterday.

AdithyanT, McAfee Employee
Message 38 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @Pmaquoi,

Thank you for reporting this. I would like to assist you via a Service Request if you have one in place already! The rule must be present; however, the Filter options may hide it, since this rule has a priority that falls under "Disabled"!

It is worth having a check locally as well, and I can assure you the sig is still present in the content and has not been removed! I have attached a screengrab of what I am referring to for your kind reference!


Thanks and regards,
Adithyan T
Pmaquoi, Reliable Contributor
Message 39 of 48

Re: Malware Behavior: Windows EFS Abuse


The case was opened at the same time I added this comment to the forum. A remote session yesterday confirmed that:

locally, the rule is present;

the rule is no longer present in any of the TP EXP Policies;

when all policies are exported, the XML file shows no trace of this rule.

The investigation will continue on Wednesday with both the ePO and ENS support teams.

SWISS, Reliable Contributor
Message 40 of 48

Re: Malware Behavior: Windows EFS Abuse


Wait until you see WHEN it blocks an Exchange migration (RUUPDATE) at those customers who have ENS running on servers. For all who don't handle those in detail: such a Service Pack (roll-up) often exports the whole Exchange config into some XML files, THEN uninstalls all Exchange files, binaries and even services, and then reinstalls everything and configures it as defined in the XML.

You can imagine what happens there if such an EFS effect is occurring...

https://community.mcafee.com/t5/Endpoint-Security-ENS/IPS-EXPLOIT-6148-EFS-does-affect-ENS-10-6-and-...
