Is this a widespread issue?
The solution "Exclude the file FramePkg.exe from inspection by antivirus software." sounds great until malware writers start naming their malware FramePkg.exe.
This is true. It can be easily tricked. The problem is that this file is unsigned, because it's generated "on the fly" and is unique to each environment. If you use TIE, you can whitelist your FramePkg file, but this will only help until you generate a new one, and then you'd need to whitelist it (mark it as known trusted) again.
Thanks @Former Member
Do you have any info on the environment this is happening in?
I'm using ENS 10.6.1 Oct release (currently upgrading to 10.7) with ATP (and TIE) and agent 18.104.22.168 and I'm not (currently) seeing this issue. I would like to keep it that way so some more details in KB89079 would be good.
So this file would typically have an "unknown" reputation. So in terms of ATP, you would not see any detection if you have your ATP settings set to not take action on anything with a reputation of "unknown" and lower. (These are found in your ATP Options policy.)
@Former Member I have a fairly default Balanced setting, with Real Protect on Medium.
I guess this level allows the agent to install/upgrade and it's not seen as malicious, as I have Trigger DAC on "might be malicious", Block on "most likely malicious", and Clean on "known malicious".
I agree there are many potential settings, but it would be good if the KB had a bit more detail.