Level 9
Message 1 of 48

Malware Behavior: Windows EFS Abuse


Hello,

Currently we are getting several alerts from ePO.

Information:
Analyzer Detection Method: Exploit Prevention
Threat Name: Malware Behavior: Windows EFS Abuse

Threat Target File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

AMCORE Version: 3955.0

Threat Prevention Version: 10.6.1.1273

Do you have any suggestion?

Thank you!

2 Solutions

Accepted Solutions
McAfee Employee
Message 30 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @Zebu@sw41@cheetah@d00d@NebulaBilisim,

Firstly, thank you for reporting the issue here and actively helping us with the investigation. To clarify our current stance on this issue I would like to submit the draft below.

If you are facing a false positive due to the new signature introduced in Exploit Prevention content (9845) with the threat name Malware Behavior: Windows EFS Abuse:

  • Please ensure your Exploit Prevention content is the latest (9863) and check whether you receive the FP alert again.
  • Please confirm that you entirely trust the application and add it to the exclusion (temporary workaround).
  • Then please open a Service Request with us to confirm the validity of the trigger and whether an exclusion can be added at the content level.

What does Support do when we report this to them?

Support will raise an issue internally with our Labs team, who will validate the reported false positive and check whether we can add an exclusion at the content level. That exclusion would be released in the next Exploit Prevention content release or a future version as applicable; until then, the exclusion you added should serve the purpose.

If we still receive the false positive, what is the use of the newer signature released by McAfee? What have you done in it to mitigate the issue?

Based on our initial analysis and customer reports, we were able to pick up the most critical applications identified that can hamper a production environment, and we added exclusions for them to the signature. Additionally, we have disabled this rule and lowered its severity so that it can be enabled by users based on their requirements, just like a few other low-severity rules we have in place.

I have updated to the latest content (9863) and I can see that the signature is not disabled by default in the policy I have. Why is that?

This is actually a nice question! The answer is straightforward. We do not disable/enable signatures of non-High severity in any custom policy. Basically, the changes in the new content will be reflected in the McAfee Default policy; if you have a custom policy where this signature is enabled, you may have to disable it manually if needed.

All other queries and the addition of exclusions should be well explained in this KBA:

False positive mitigation for Exploit Prevention signature 6148 for non-standard installation paths

https://kc.mcafee.com/corporate/index?page=content&id=KB92350

I sincerely hope this is of some use to all of you here. Please feel free to ask more questions if you have any with respect to this post!

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

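The accepted solution above boils down to a triage decision per reporting process: is the hit coming from an application you fully trust, and is it still firing after the 9863 content update (in which case a Service Request is the next step)? The helper below is an added example, not code from this thread or from McAfee; it parses a constructed sample in the shape of an ePO Threat Event Log CSV export, and the column names (Host Name, Threat Name, Threat Source Process Name, Analyzer Content Version, and so on) are assumed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the shape of an ePO "Threat Event Log" CSV export.
# Column names are assumed for illustration, not taken from the real ePO schema.
SAMPLE_CSV = """Event Received Time,Host Name,Analyzer Detection Method,Threat Name,Threat Target File Path,Threat Source Process Name,Analyzer Content Version
2020-01-20 10:41:02,WS-001,Exploit Prevention,Malware Behavior: Windows EFS Abuse,C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys,C:\\Program Files\\Vendor\\backup.exe,9845
2020-01-20 10:42:15,WS-002,Exploit Prevention,Malware Behavior: Windows EFS Abuse,C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys,C:\\Program Files\\Vendor\\backup.exe,9845
2020-01-20 10:50:33,WS-003,Exploit Prevention,Malware Behavior: Windows EFS Abuse,C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys,C:\\Users\\Public\\unknown.exe,9845
2020-01-29 09:12:44,WS-004,Exploit Prevention,Malware Behavior: Windows EFS Abuse,C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys,C:\\Program Files\\Vendor\\backup.exe,9863
2020-01-20 11:00:00,WS-005,On-Access Scan,Generic PUP.x,C:\\Users\\a\\Downloads\\tool.exe,C:\\Windows\\explorer.exe,9845
"""

THREAT_NAME = "Malware Behavior: Windows EFS Abuse"
FIXED_CONTENT = 9863  # Exploit Prevention content release the thread says resolves the FP


def triage(csv_text):
    """Group EFS Abuse hits by the process that triggered them and say what to do next.

    Returns {process_path: {"hosts": [...], "events": n,
                            "still_firing_on_fixed_content": bool, "action": str}}.
    """
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["Threat Name"] == THREAT_NAME]
    by_process = defaultdict(lambda: {"hosts": set(), "content": Counter()})
    for r in rows:
        entry = by_process[r["Threat Source Process Name"]]
        entry["hosts"].add(r["Host Name"])
        entry["content"][int(r["Analyzer Content Version"])] += 1

    report = {}
    for proc, e in by_process.items():
        # Hits on content >= 9863 mean the shipped exclusions did not cover this process.
        still_firing = any(v >= FIXED_CONTENT for v in e["content"])
        report[proc] = {
            "hosts": sorted(e["hosts"]),
            "events": sum(e["content"].values()),
            "still_firing_on_fixed_content": still_firing,
            # Mirrors the accepted solution: update first; if it still fires, exclude the
            # process only if you trust it and open a Service Request for a content-level fix.
            "action": ("review process; if trusted, add exclusion and open SR"
                       if still_firing else "update endpoints to 9863 and re-check"),
        }
    return report


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_CSV).items():
        print(f"{proc}: {info['events']} event(s) on {len(info['hosts'])} host(s) -> {info['action']}")
```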

McAfee Employee
Message 36 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @sw41 

Yes, it is already taken care of by the updated Exploit Prevention content. You can install 9863 (released on 28th January), which has the false positive resolved.


47 Replies
McAfee Employee
Message 2 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @Zebu 

Can you please confirm that the Exploit Prevention content version is 9845?

If you are using the above EP content, then please proceed to open a service ticket and provide a debug-enabled log from one of the machines. You just need to enable the debug log of OAS on the machine and wait for the event to trigger. Capture the MER log from the machine and open a service ticket. Provide me the ticket number so that I can take it further with the content team.

Level 9
Message 3 of 48

Re: Malware Behavior: Windows EFS Abuse


Yes, I confirm that the Exploit Prevention content version is 9845, and I am opening a ticket.

McAfee Employee
Message 4 of 48

Re: Malware Behavior: Windows EFS Abuse


Please share the ticket number with me.

Reliable Contributor
Message 5 of 48

Re: Malware Behavior: Windows EFS Abuse


@patrakshar Our environment also has a few events triggered by ENS yesterday, as mentioned by @Zebu.

Can you please share the fix on this post? 

[Screenshots attached: Threat Event Log CSV export and the Threat Event Log details view in ePolicy Orchestrator 5.10.0]

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
McAfee Employee
Message 6 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi @bodysoda 

I am working with the content team on that. As soon as there is any update I will let you know. I would suggest opening an SR for the same with the support team at this point for tracking purposes. Please provide me the SR number as well.

Until we are done with the analysis, we suggest disabling this specific EP tool temporarily.

Level 8
Message 7 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi,

Any new updates for that issue?

Regards

Level 9
Message 8 of 48

Re: Malware Behavior: Windows EFS Abuse


Hello,

What is your ePO version number? It seems the problem is with Exploit Prevention rule 6148. We have an older version than ePO 5.10. I suggest opening an SR ticket if you are having problems with this. Our SR is escalated to McAfee Labs.

Reliable Contributor
Message 9 of 48

Re: Malware Behavior: Windows EFS Abuse

Our ePO is 5.10 with Update 2 (will confirm the update number tomorrow).
McAfee Employee
Message 10 of 48

Re: Malware Behavior: Windows EFS Abuse


Hi All,


We are working with our content team on this. As soon as there is any update, I will update this thread. Please disable the specific signature ID until we provide a permanent solution to this.
