I am in the process of rolling out ATP as part of my ENS10.6.1 implementation. My management team frequently asks me if “we are covered” for a particular threat… Kwampirs and the Sodinokibi / REvil Ransomware variant are examples of this.
Is there a particular site that documents the most current significant threats that exist and whether the fix is available via a particular DAT version or standard / custom rule? I realize that I may be asking an almost impossible question, given the number of threats, etc. Is the best method simply to place a call to Technical Support if information cannot be obtained via a quick search? Information is often scattered, yet the McAfee Threat Dashboard is a good place to start:
https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard.html
For Kwampirs, I reached out to McAfee Technical Support and I was provided a list of (47) file hashes and a note that stated McAfee addressed DAT file protection for these known Hash values.
In regards to Sodinokibi Ransomware, I located the following excellent article and it appears that McAfee previously completed a thorough analysis on Sodinokibi Ransomware.
Thank you.
Hey Glenn,
You might check kc.mcafee.com and look at the McAfee Insights articles. They have a lot of coverage info, though I'm not sure if they cover these families.
For this, you also might consider a simple Expert Rule that blocks vssadmin with delete in the command line. This, and similar coverage for WMIC, would at least give you quick insight into if you're under attack, and block the vss deletion.
Dave
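The matching logic that the suggested rule would encode (vssadmin with "delete shadows" in its arguments, plus the equivalent WMIC "shadowcopy delete" invocation), written as an added Python example that is not from McAfee, ENS or this thread. It runs over a few constructed process-creation records (timestamp, host, image path, command line) and reports which ones a block/alert rule of this kind would have matched; the record format and the event data are assumptions made for the example.

```python
import shlex
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). Each line is
# "timestamp|host|image_path|command_line", a simplified endpoint log record.
SAMPLE_EVENTS = """\
2020-02-10T09:14:02Z|WS-0113|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2020-02-10T09:14:03Z|WS-0113|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2020-02-10T09:15:10Z|WS-0220|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2020-02-10T09:16:44Z|WS-0220|C:\\Windows\\System32\\vssadmin.exe|VSSADMIN.EXE Delete Shadows /For=C: /Oldest
2020-02-10T09:17:01Z|WS-0310|C:\\Backup\\deletetool.exe|deletetool.exe --vssadmin-compat
2020-02-10T09:18:30Z|WS-0310|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process list brief
"""

# Executable basename -> argument tokens that must ALL be present for a match.
# Tokens are compared case-insensitively after the command line is split.
SHADOW_COPY_RULES = {
    "vssadmin.exe": {"delete", "shadows"},
    "wmic.exe": {"shadowcopy", "delete"},
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> List[str]:
    """Split a command line into lower-cased tokens.

    posix=False keeps Windows backslashes and quoted arguments intact; a
    malformed quote falls back to whitespace splitting instead of raising.
    """
    try:
        return [t.lower() for t in shlex.split(command_line, posix=False)]
    except ValueError:
        return command_line.lower().split()


def classify_event(image_path: str, command_line: str) -> str:
    """Return a reason string if the event matches a shadow-copy deletion rule,
    otherwise an empty string.

    The image path (not argv[0]) decides which rule applies, so a tool such as
    deletetool.exe that merely mentions "vssadmin" in its arguments is ignored,
    and "vssadmin list shadows" is not flagged because "delete" is absent.
    """
    exe = _basename(image_path)
    required = SHADOW_COPY_RULES.get(exe)
    if not required:
        return ""
    args = set(_tokens(command_line)[1:])  # drop argv[0]
    if required.issubset(args):
        return f"{exe}: {' '.join(sorted(required))} in command line"
    return ""


def scan_events(raw: str) -> List[Dict[str, str]]:
    """Apply classify_event to every record and collect the matches."""
    hits: List[Dict[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmd = line.split("|", 3)
        reason = classify_event(image, cmd)
        if reason:
            hits.append({"time": ts, "host": host, "command_line": cmd, "reason": reason})
    return hits


if __name__ == "__main__":
    # Three of the six constructed events match: the two on WS-0113 and the
    # mixed-case "Delete Shadows" call on WS-0220.
    for h in scan_events(SAMPLE_EVENTS):
        print(f"{h['time']} {h['host']} BLOCK/ALERT: {h['command_line']}  [{h['reason']}]")
```

Matching on the image basename plus the full argument set (rather than a substring search for "delete") is what keeps the benign `vssadmin list shadows` and `wmic process list brief` calls out of the results while still catching the mixed-case and `/For=C: /Oldest` variants.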
Thank you Dave. I will look into this. We have a meeting with McAfee today.
Much appreciated.
You talk about 10.6; please migrate to 10.7 ASAP. By the way, you have to migrate to a NEW ENS release EVERY 2 MONTHS if you start complaining 😉 That's fine, because in that way they catch up with evil.
Yes, sometimes this is a little BIT strange. But that's simply because McAfee wants to keep false positive rates down and low. All producers want that, by the way. And the new ones (the new security providers) like Palo Alto (Traps) once smacked into a wall with so many false positives because they thought they were better....
The product itself SHOULD catch those things with the logic they have in ENS. But on the other hand, in the last few months some NEW EXPLOIT rules for RYUK and other ransomware got a separate NEW IPS rule you have to activate specially by hand.
Hi,
I'm just jumping into this thread as we have been impacted by the latest AKO ransomware version, which destroys all snapshots, etc., and makes the device good for trash.
The rule for VSS is definitely a must-have in my opinion after this experience.
I've understood since then that McAfee requires manual access protection rules to be set in order to protect the computers efficiently. I thought there could be some kind of library available for downloading/importing such rules?
Do you know if such a thing exists?
Besides VSS, are there any other protection rules that you would recommend?
D
Do you know if there is a sample of the initial infection vector, maybe on VirusTotal? Was it a maldoc? I'm happy to give you a rule that would protect against it and any similar attacks. I've asked McAfee repeatedly for a private, customer-only location where rules could be shared. If more customers ask maybe it will get traction.
I'm not going to post any advanced rules publicly because I don't want attackers to have access, but hit me up in PM and I can get it to you through other means.
Dave
May I ask: did you have ENS 10.6 or 10.7 in place, or was this even covered under a released DAT?
I realize that DATs cannot provide 100% assurance all of the time and I need to focus my efforts on implementing Access Protection and Exploit Prevention Rules.
Thank you.
Thank you for your comments. I don't have McAfee IPS in place, so that is a moot issue. I am sure that we have some other type of IPS in place though. Upgrading every two months is not reasonable...given that I have a lot of managed devices and I need to ensure that the version I upgrade to is stable. Let's face it...there have been some version release issues and testing can take a while.
I may upgrade my DEV environment to 10.7...but I was waiting for the release of SP1.
Thank you.
Hello Glenn,
IPS is IN ENS 10.6/10.7 (it's included for free now).
McAfee MADE VSE 8.8 + HIPS into 1 PRODUCT, ENS.
(H)IPS is now in the ENS EXPLOIT module. You don't have as many IPS filters as in the old HIPS products, but they are growing and you can make custom ones. Those are however Expert rules and not often used because they are dangerous if you don't 100% fully understand the syntax and what it does.