Level 8
Message 21 of 48

Re: Malware Behavior: Windows EFS Abuse


We have the same issue.

Zebu
Level 9
Message 22 of 48

Re: Malware Behavior: Windows EFS Abuse


Our workaround is that I added the trusted processes that were blocked to the exclusion list in Exploit Prevention.

clarke
Level 8
Message 23 of 48

Re: Malware Behavior: Windows EFS Abuse

Yeah, I did that for now. I just hope that we can enable the config again soon with confidence, once the McAfee Lab guys return with a solution.
AdithyanT
McAfee Employee
Message 24 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @clarke,

Thank you for your post.

This rule is free to be enabled. This is a rule that strictly works on certain conditions that would trigger it to block an application, where one critical rule that gets hit here is:

"Installation of applications in non standard paths".

If you have a false positive that does not fall under this category, I would request you to kindly help us by reporting this using a Service Request so that we can look into it for you. Also if you have not done already, please go through the marked solutions for further understanding of this issue.

I sincerely hope this helps!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
clarke
Level 8
Message 25 of 48

Re: Malware Behavior: Windows EFS Abuse

Hi AdithyanT
I am monitoring the situation for now. If necessary, I will raise it with support.
SWISS
Reliable Contributor
Message 26 of 48

Re: Malware Behavior: Windows EFS Abuse


We have all our SME and Enterprise customers on EPO 5.9.1.

Does this problem still exist as of 17.02.2020?

AdithyanT
McAfee Employee
Message 27 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @SWISS,

The rule does exist. So if you have an application that is not installed in the regular installation location and the rule is enabled, then the problem may exist for that specific environment. This is not dependent on the version of ePO or ENS, but on the version of Exploit Prevention Content you have in place.


Thanks and regards,
Adithyan T
clarke
Level 8
Message 28 of 48

Re: Malware Behavior: Windows EFS Abuse


Yes, the issue still exists. I just created a very specific exclusion for this in EP.

AdithyanT
McAfee Employee
Message 29 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @clarke,

Can you confirm that this application is installed in the "standard installation path"? If yes, can you kindly please raise a Service Request so that we can look into this for you?


Thanks and regards,
Adithyan T
AdithyanT
McAfee Employee
Message 30 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @Zebu @sw41 @cheetah @d00d @NebulaBilisim,

Firstly, thank you for reporting the issue here and actively helping us with the investigation. To clarify our current stance on this issue I would like to submit the draft below.

If you are facing a false positive due to the new signature introduced in Exploit Prevention content (9845) with the threat name: Malware Behavior: Windows EFS Abuse,

  • Please ensure your Exploit Prevention Content is the latest (9863) and check if you receive the FP alert again
  • Please confirm if you entirely trust the application and add it to the exclusion (temporary work around)
  • Now Please open a Service Request with us to confirm the validity of the trigger and if an exclusion can be added at the content level.

What does Support do when we report this to them?

Support will raise an issue internally with our Labs team who will validate this reported False positive internally and check if we can add exclusion at content level which will be released subsequently on the next Exploit prevention content release or a future version as applicable until which our exclusion should serve the purpose.

If we still receive the False Positive, what is the use of the newer signature released by McAfee? What have you done in it to mitigate the issue?

Based on our initial analysis and customer reports we were able to pick up the most critical applications identified which can hamper production environments, and we added exclusions to the signature. Additionally, we have disabled this rule and lowered its severity so that it can be enabled by users based on their requirement, just like a few other low-severity rules we have in place.

I have updated to the latest content 9863 and I can see that the signature is not disabled by default in the policy I have. Why is it so?

This would actually be a nice question though! Answer is straight forward. We do not disable/enable signatures that are of non High severity in any custom policy. Basically the changes of the new content will reflect in the McAfee default policy and if you have a custom policy where this is enabled, you may have to disable it manually if needed.

All other queries and addition of exclusion should be well explained in this KBA:

False positive mitigation for Exploit Prevention signature 6148 for non-standard installation paths

https://kc.mcafee.com/corporate/index?page=content&id=KB92350

I sincerely hope this is of some use to all of you here. Please feel free to ask more questions if you have any with respect to this post!


Thanks and regards,
Adithyan T
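The steps above leave the administrator with one judgement call: which of the blocked processes are trusted enough to exclude, and which should go to Support. Since the post says the signature fires on installations in non-standard paths, a quick triage of the EFS Abuse events by process path and hit count makes that decision easier. The script below is an added example and not McAfee's code or anything from this thread; the pipe-separated event format, the sample lines and the list of "standard" installation roots are all constructed assumptions for illustration, not the real ENS/ePO export format.

```python
"""Triage ENS Exploit Prevention events for one signature by process path.

Added example, not McAfee code. The log line format (time|threat|path|action),
the sample events and STANDARD_ROOTS are constructed assumptions.
"""
from collections import Counter

# Threat name as reported in the thread.
SIGNATURE_NAME = "Malware Behavior: Windows EFS Abuse"

# Assumed "standard installation paths"; adjust to your environment.
STANDARD_ROOTS = (
    "C:\\Program Files",
    "C:\\Program Files (x86)",
    "C:\\Windows",
)

# Constructed sample events in the assumed format: time|threat|process_path|action
SAMPLE_EVENTS = """\
2020-02-17T08:01:12|Malware Behavior: Windows EFS Abuse|C:\\Tools\\Backup\\agent.exe|Blocked
2020-02-17T08:03:40|Malware Behavior: Windows EFS Abuse|C:\\Program Files\\Vendor\\app.exe|Blocked
2020-02-17T08:05:05|Malware Behavior: Windows EFS Abuse|C:\\Tools\\Backup\\agent.exe|Blocked
2020-02-17T08:07:51|Some Other Signature|C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.exe|Blocked
2020-02-17T08:09:00|Malware Behavior: Windows EFS Abuse|C:\\Users\\jdoe\\Downloads\\setup.exe|Blocked
"""


def is_standard_path(process_path: str) -> bool:
    """True if the path sits under one of the assumed standard install roots.

    Comparison is case-insensitive and requires a path-separator boundary, so
    'C:\\Program Files (x86)\\...' is not mistaken for 'C:\\Program Files'.
    """
    p = process_path.replace("/", "\\").lower().rstrip("\\")
    for root in STANDARD_ROOTS:
        r = root.lower()
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def parse_events(text: str) -> list[dict]:
    """Parse the assumed pipe-separated export; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        time, threat, path, action = parts
        events.append({"time": time, "threat": threat, "path": path, "action": action})
    return events


def triage(text: str, signature: str = SIGNATURE_NAME) -> list[dict]:
    """Count hits per process for one signature and classify each path.

    Returned entries are sorted by hit count (ties keep first-seen order).
    """
    hits = [e for e in parse_events(text) if e["threat"] == signature]
    by_path = Counter(e["path"] for e in hits)
    return [
        {"path": path, "count": count, "standard_path": is_standard_path(path)}
        for path, count in by_path.most_common()
    ]


def standard_path_hits(report: list[dict]) -> list[str]:
    """Paths under a standard root: per the post, these are the ones to raise
    with Support, since the rule is meant for non-standard install paths."""
    return [r["path"] for r in report if r["standard_path"]]


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for r in report:
        kind = "standard" if r["standard_path"] else "non-standard"
        print(f'{r["count"]:>3}  {kind:<13} {r["path"]}')
    print("Candidates for a Service Request:", standard_path_hits(report))
```

Run against a real export, the "standard" entries are the ones Adithyan asks to be reported via a Service Request, while the non-standard entries are the expected behaviour of the rule and need the trust decision before any exclusion is added.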
