mlajoie
Level 10
Message 1 of 4

ScriptScan and EMET

Good morning. Running ENS 10.6.1 and EMET 5.5. Just turned ScriptScan on for a bunch of Win7 and Win10 computers. We get an EMET warning (ASR Mitigation). Obviously, this isn't affecting the Win10 computers that have had EMET replaced by Windows Defender Exploit Prevention. Is there anything we can do from the McAfee side to keep the warning from popping up? It isn't affecting the users but it is certainly annoying them.
3 Replies
McAfee Employee jess_arman
Message 2 of 4

Re: ScriptScan and EMET


@mlajoie Would you be able to share a screenshot of the pop-up or logs from the EMET side so we can have insight into what EMET is "complaining" about? It is possible that you may need to implement some exclusions with McAfee to not scan EMET actions---if our observation of them could be triggering this. It is also possible that you may need to exclude McAfee things from EMET (if that's even possible).

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

mlajoie
Level 10
Message 3 of 4

Re: ScriptScan and EMET


It seems I can't add an attachment.  Here's an event log entry, though:
Log Name: Application
Source: EMET
Date: 1/23/2019 8:09:34 AM
Event ID: 1
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: **********************
Description:
EMET version 5.52.6156.38092
EMET detected ASR mitigation in iexplore.exe

ASR check failed:
Application : C:\Program Files\Internet Explorer\iexplore.exe
User Name : *****\*****
Session ID : 5
PID : 0x272C (10028)
TID : 0x510 (1296)
Module : VBScript.dll

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EMET" />
<EventID Qualifiers="0">1</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-23T13:09:34.455895000Z" />
<EventRecordID>277904</EventRecordID>
<Channel>Application</Channel>
<Computer>**********************</Computer>
<Security />
</System>
<EventData>
<Data>EMET version 5.52.6156.38092
EMET detected ASR mitigation in iexplore.exe

ASR check failed:
Application : C:\Program Files\Internet Explorer\iexplore.exe
User Name : *****\*****

Session ID : 5
PID : 0x272C (10028)
TID : 0x510 (1296)
Module : VBScript.dll
</Data>
</EventData>
</Event>

We suspect that we'll have to make an exception in EMET but wanted to see if we could do something from the McAfee side as that's a whole lot easier.

 

McAfee Employee jess_arman
Message 4 of 4

Re: ScriptScan and EMET


@mlajoie Based on the log entry you've shared (and my very limited understanding of EMET's functionality after some very light Google search reading) it seems to me that EMET is observing interaction with VBScript.dll when observing/scanning scripts within IE. This likely falls into the overly sensitive realm of Attack Surface Reduction (ASR) mitigation because it is possible malware could leverage this .dll.

EMET is designed specifically to stop attempts to run the VBScript extension when loaded in the Internet Explorer's Internet Zone. 
ScriptScan is a Browser Helper Object that examines JavaScript and VBScript code for malicious scripts before they execute. If the script is clean, it passes to JavaScript or VBScript for handling. If ScriptScan detects a malicious script, it blocks the script from executing.

NOTE: ScriptScan examines scripts for Internet Explorer only. It doesn't look at scripts system-wide and doesn't examine scripts run by wscript.exe or cscript.exe.

My interpretation is that it's going to be difficult to implement anything from the McAfee side as based on my interpretation of this messaging, it's not caused by McAfee scanning/monitoring EMET, but that it's EMET seeing what McAfee is doing in order to scan scripts then hand off to VBScript when it passes. (This could only be validated by examining a ProcMon capture of reproducing the issue and then doing a detailed review of EMET logs---which you would need to engage Microsoft for.) If you're getting this messaging only when navigating to certain websites, you could implement a ScriptScan exclusion for what is being scanned at that time to avoid the triggering of EMET. Though I think it would be more likely you can effectively do this by excluding McAfee on the EMET side. It would also be the more secure solution, if you're wanting to take advantage of ScriptScan.

 

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
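
Added example, not part of the original posts and not McAfee or Microsoft code: before scoping an EMET exception as discussed above, it helps to confirm that every ASR warning is the same iexplore.exe / VBScript.dll pair. This Python sketch parses EMET events exported as XML from the Application log and tallies them; the function names and the sample event (modelled on the one posted in this thread, with placeholder host and user) are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")  # "Key : value" lines

# Constructed sample modelled on the event posted in this thread;
# the computer and user names are placeholders.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="EMET" /><EventID Qualifiers="0">1</EventID>
<TimeCreated SystemTime="2019-01-23T13:09:34.455895000Z" />
<Computer>HOST-PLACEHOLDER</Computer></System>
<EventData><Data>EMET version 5.52.6156.38092
EMET detected ASR mitigation in iexplore.exe

ASR check failed:
Application : C:\Program Files\Internet Explorer\iexplore.exe
User Name : DOMAIN\user
PID : 0x272C (10028)
Module : VBScript.dll
</Data></EventData></Event>"""

def parse_emet_asr(xml_text):
    """Return one dict per EMET event whose description reports an ASR check failure.
    xml_text is one or more <Event> elements with no XML declaration (assumption)."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.findall("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS)
        text = ev.findtext("e:EventData/e:Data", default="", namespaces=NS)
        if provider is None or provider.get("Name") != "EMET":
            continue
        if "ASR check failed" not in text:
            continue
        rec = {"computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS)}
        for line in text.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1).lower().replace(" ", "_")] = m.group(2)
        records.append(rec)
    return records

def asr_pairs(records):
    """Count (process image, module) pairs so an EMET exception can be scoped narrowly."""
    return Counter((r.get("application", "").rsplit("\\", 1)[-1].lower(),
                    r.get("module", "").lower()) for r in records)

if __name__ == "__main__":
    for pair, n in asr_pairs(parse_emet_asr(SAMPLE)).items():
        print(n, *pair)
```

Any pair other than iexplore.exe with vbscript.dll in the tally is a separate finding and should not be folded into the same exception.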

 
