Message 1 of 6
Level 7
Re: Malware Behavior: Windows EFS Abuse


Hello there,

I also get EFS abuse every day.

Any process that tries to access Crypto/RSA gets the 18060 error with signature 6148.

Ticket number: 4-20739350601

Endpoint Security Exploit Prevention Content version: 9906

AMCore Content Package version: 3988.0

DAT version: 9537.0000

But the problem is still here. I tried to disable signature 6148 manually two weeks ago but we still get those errors. I can't make an exclusion, because sometimes we get temp processes created by Windows... There is a MER in the ticket from a computer which gets EFS abuse.

Can you help?

Thanks, Cédric.

Message 2 of 6 (accepted solution)
McAfee Employee

Re: Malware Behavior: Windows EFS Abuse

Hello @Charbo 

Many thanks for posting on the Community. I've reviewed your Service Request and have left a note for the Owner of the case with the details; however, here is a modified version of what I can see from the data supplied:

bopap.xml (this file is a dump of the ENSTP Exploit Prevention policy applied to the system, typically you can find this file here: C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\IPS)

<Rule id="6148">
<Name>Malware Behavior: Windows EFS abuse</Name>
<Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
<Module>ABE1073E-C616-4DC1-AEE1-3B6485B67B86</Module>
<Block>false</Block>
<Report>true</Report>
<Note/>
<Group>ExPCannedRules</Group>
<Initiator>
<CsvInclude/>
<CsvExclude/>
<Executables></Executables>
</Initiator>
<SubRules></SubRules>

And here is an extract from the policy you have applied according to the McAfee Agent database files:
<Section name="EXPRule">
<Setting name="Block">0</Setting>
<Setting name="Report">1</Setting>
<Setting name="SignatureClass">ENS_Files</Setting>
<Setting name="SignatureFP">If you observe false positives, you are advised to either lower the severity of this signature or disable it. If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561</Setting>
<Setting name="SignatureID">6148</Setting>
<Setting name="SignatureIsDeleted">0</Setting>
<Setting name="SignatureLink" />
<Setting name="SignatureName">Malware Behavior: Windows EFS abuse</Setting>
<Setting name="SignatureNotes">The signature is supported on ENS 10.5.3 and above. EFS or Encrypt file system is a Microsoft feature of NTFS that provides file-level encryption. This event indicates a malware attempt to encrypt files and folders using EFS.</Setting>
<Setting name="SignatureSeverity">0</Setting>
<Setting name="SignatureStat" />
<Setting name="SignatureType" />
<Setting name="SignatureVersion">10.6.0.9845</Setting>
</Section>


I then looked at the events being generated on this machine, and we can indeed see the event reporting but not blocking, so as per what the system believes the policy to be configured to, ENS is reacting correctly.

From the Exploit Prevention Log:
19/02/2020 16:38:32 mfeesp(5504.10884) <Système> ApBl.BOPAP.Activity: <User> a exécuté SETUP.EXE, qui a accédé à C:\USERS\xxx\APPDATA\ROAMING\MICROSOFT\CRYPTO\RSA\S-1-5-21-854583560-1095881860-4055257626-131812\766EB1C327DD67F4328617E167C0EE0C_28DC99E5-169D-4F58-B8DE-51E46EACF9EB, d'une manière contraire à la règle « Malware Behavior: Windows EFS abuse ». L'accès a été autorisé car la règle n'était pas configurée de sorte à bloquer l'accès.
(In English: 19/02/2020 16:38:32 mfeesp(5504.10884) <System> ApBl.BOPAP.Activity: <User> ran SETUP.EXE, which accessed C:\USERS\xxx\APPDATA\ROAMING\MICROSOFT\CRYPTO\RSA\S-1-5-21-854583560-1095881860-4055257626-131812\766EB1C327DD67F4328617E167C0EE0C_28DC99E5-169D-4F58-B8DE-51E46EACF9EB, in a manner contrary to the rule "Malware Behavior: Windows EFS abuse". Access was allowed because the rule was not configured to block access.)

>> Access was granted because the signature was set to report, not block.

 

If in the policy you have applied to the system, you in fact have disabled both block and report then we would need to look into this further however from the client machine itself it would seem the signature is set to report. I would advise to re-check your policy.

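The two checks the reply above performs by hand on the MER data, written up as an added example (not part of the original thread and not McAfee tooling): read the effective Block/Report state of signature 6148 from a bopap.xml dump, then parse Exploit Prevention activity log lines, group triggers by process and target, and count report-only versus blocked outcomes. The XML is the reply's rule extract with a wrapping root element and the closing </Rule> added so it parses; the first log line is the one quoted in the reply and the second is a constructed repeat of it; the regex is written for the French-localised wording shown on the page, so an English-localised endpoint needs the phrases adapted; treating any outcome sentence other than "L'accès a été autorisé ..." as a real block is an assumption.

```python
"""Offline triage of ENS Exploit Prevention "would block" events.

Added example for this thread, not McAfee tooling. It automates what the
reply above does by hand: (1) read the Block/Report state of a signature
from a bopap.xml policy dump and (2) parse Exploit Prevention activity
log lines, group triggers by process and target, and count report-only
versus blocked outcomes. Assumptions are marked in the comments.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed from the bopap.xml extract in the reply (root and </Rule>
# added). The real file is typically found under
# C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\IPS
SAMPLE_BOPAP = """<Rules>
<Rule id="6148">
<Name>Malware Behavior: Windows EFS abuse</Name>
<Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
<Module>ABE1073E-C616-4DC1-AEE1-3B6485B67B86</Module>
<Block>false</Block>
<Report>true</Report>
<Group>ExPCannedRules</Group>
</Rule>
</Rules>"""

# Constructed log: the line quoted in the reply plus a made-up repeat of
# the same event three minutes later so the counters have something to add.
SAMPLE_LOG = r"""
19/02/2020 16:38:32 mfeesp(5504.10884) <Système> ApBl.BOPAP.Activity: <User> a exécuté SETUP.EXE, qui a accédé à C:\USERS\xxx\APPDATA\ROAMING\MICROSOFT\CRYPTO\RSA\S-1-5-21-854583560-1095881860-4055257626-131812\766EB1C327DD67F4328617E167C0EE0C_28DC99E5-169D-4F58-B8DE-51E46EACF9EB, d'une manière contraire à la règle « Malware Behavior: Windows EFS abuse ». L'accès a été autorisé car la règle n'était pas configurée de sorte à bloquer l'accès.
19/02/2020 16:41:07 mfeesp(5504.10884) <Système> ApBl.BOPAP.Activity: <User> a exécuté SETUP.EXE, qui a accédé à C:\USERS\xxx\APPDATA\ROAMING\MICROSOFT\CRYPTO\RSA\S-1-5-21-854583560-1095881860-4055257626-131812\766EB1C327DD67F4328617E167C0EE0C_28DC99E5-169D-4F58-B8DE-51E46EACF9EB, d'une manière contraire à la règle « Malware Behavior: Windows EFS abuse ». L'accès a été autorisé car la règle n'était pas configurée de sorte à bloquer l'accès.
"""

# Matches the French-localised line format shown in the reply (assumption:
# an English-localised endpoint uses different phrases; adapt them here).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"mfeesp\((?P<pid>\d+)\.(?P<tid>\d+)\) <(?P<session>[^>]*)> "
    r"ApBl\.BOPAP\.Activity: <(?P<user>[^>]*)> a exécuté (?P<process>.+?), "
    r"qui a accédé à (?P<target>.+?), d'une manière contraire à la règle "
    r"« (?P<rule>.+?) »\. (?P<outcome>.*)$"
)
# Outcome wording quoted on the page; any other outcome is counted as a
# real block (assumption).
ALLOWED_PREFIX = "L'accès a été autorisé"


def rule_state(bopap_xml, rule_id):
    """Return {'id','name','block','report','mode'} for one rule, or None."""
    root = ET.fromstring(bopap_xml)
    for rule in root.iter("Rule"):
        if rule.get("id") != str(rule_id):
            continue
        block = (rule.findtext("Block") or "").strip().lower() == "true"
        report = (rule.findtext("Report") or "").strip().lower() == "true"
        mode = "block" if block else ("report only" if report else "disabled")
        return {"id": str(rule_id), "name": rule.findtext("Name"),
                "block": block, "report": report, "mode": mode}
    return None


def parse_log(text):
    """Parse activity lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["allowed"] = ev["outcome"].startswith(ALLOWED_PREFIX)
            events.append(ev)
    return events


def summarize(events, rule_name):
    """Count triggers of one rule, split by outcome, process and target."""
    hits = [e for e in events if e["rule"] == rule_name]
    return {"total": len(hits),
            "report_only": sum(1 for e in hits if e["allowed"]),
            "blocked": sum(1 for e in hits if not e["allowed"]),
            "by_process": Counter(e["process"] for e in hits),
            "by_target": Counter(e["target"] for e in hits)}


def triage(bopap_xml, log_text, rule_id):
    """Compare the policy state of a signature with what the log shows."""
    state = rule_state(bopap_xml, rule_id)
    if state is None:
        return {"state": None, "summary": None,
                "verdict": "signature %s not in policy dump" % rule_id}
    s = summarize(parse_log(log_text), state["name"])
    if state["mode"] == "report only" and s["blocked"] == 0:
        verdict = "report only: %d event(s), none blocked" % s["total"]
    elif state["mode"] == "report only":
        verdict = "policy is report only but %d line(s) look blocked" % s["blocked"]
    elif state["mode"] == "disabled" and s["total"]:
        verdict = "disabled in policy but %d event(s) logged" % s["total"]
    else:
        verdict = "%s: %d event(s), %d blocked" % (state["mode"], s["total"], s["blocked"])
    return {"state": state, "summary": s, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_BOPAP, SAMPLE_LOG, 6148)
    print(result["state"]["name"], "->", result["state"]["mode"])
    for proc, n in result["summary"]["by_process"].most_common():
        print("%5d  %s" % (n, proc))
    print(result["verdict"])
```

Run it against the bopap.xml and the Exploit Prevention activity log collected in a MER and the verdict tells you at a glance whether the noise is report-only (as in this thread) or whether the client is actually enforcing a policy that differs from the one you think you applied. The per-process and per-target counters are what you need when deciding whether an exclusion is even feasible; for transient Windows-created processes, as Cédric notes, it usually is not, which is why lowering severity or disabling the signature is the documented option.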

Message 3 of 6
Level 8

Re: Malware Behavior: Windows EFS Abuse

Hello,

Thanks a lot for your answer and explanation.

Indeed, I still have "report" enabled because I wasn't sure about disabling it.

That's all I wanted to know: to make sure people are not blocked.

Do you know if the system will keep producing EFS abuse events on Crypto/RSA for a long time?

Cédric.

Message 4 of 6
McAfee Employee

Re: Malware Behavior: Windows EFS Abuse

No, with just "report" enabled, your users will not be blocked. You will merely see the "would block" events informing you that the signature has been triggered but isn't fully active.

In the latest Exploit Prevention Content Update we have modified the signature so it is less likely to trigger for false positives; however, these are of course always possible. At the end of the day, though, the signature is designed to look for possible abuse of Windows EFS, and the key that is triggering your events is part of what we need to look at to provide protection.

In the latest update we also changed the rule to be disabled by default as we are aware of the amount of events this signature can cause.


Message 5 of 6
Level 8

Re: Malware Behavior: Windows EFS Abuse

Thanks for everything,

You can solve this ticket 🙂

Have a nice day.

Cédric.

Message 6 of 6
McAfee Employee

Re: Malware Behavior: Windows EFS Abuse

Glad the information was helpful. I hope you have a great day too.
