dawnaw
Level 7
Message 1 of 9

Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

Hello all ... I am wondering if anyone can guide me on how to test for this => Exploit Prevention - Hidden PowerShell Detected

This is recommended as a test case in the document ENS_10_5_Upgrade_Project%20Planning_Guide.pdf

Any help is appreciated

Thanks


8 Replies
wouterr
Level 10
Message 2 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

I would assume by executing some powershell code like "PowerShell.exe -windowstyle hidden { your script.. }"

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

[Image attachment: 2017-12-06 13_59_14-Endpoint Security 10.5 Upgrade Project Planning Guide - ENS_10_5_Upgrade_Project.png]

krit
Level 9
Message 4 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

Dear rahulraju87,

I have followed the procedure you mention as taken from the ENS upgrade project planning guide document. I have performed the test in two different environments: 1) in my lab with an ePO 5.10, ePO agent 5.5 and ENS 10.6 on a Windows 8.1 and the test was successful and 2) in the customer's environment with an ePO 5.9.1, ePO agent 5.0.6 and ENS 10.5 on a Windows 7 and the test was unsuccessful; the attempt is not blocked plus no detection events are generated.

Any ideas why the test fails in the second occasion?

Thank you.

Best Regards,

krit

jess_arman
McAfee Employee
Message 5 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

@krit It is possible that on the second system the rule is not enabled (either due to policy setting or issue with enforcement), the event ID could be suppressed, or there could be an issue with the integrity of the ENS installation itself where Exploit Prevention is not currently functional at "worst case scenario". We would need contextual data to even begin to speak further as not enough information is currently provided.

krit
Level 9
Message 6 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

Dear @jess_arman,

Just to let you know that the issue has been resolved. FYI, host intrusion prevention had been installed on the endpoint, which rendered the exploit prevention module as disabled.

I removed host intrusion prevention and the test was successful afterwards.

Thanks.

Best Regards,

krit

jess_arman
McAfee Employee
Message 7 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

@krit Glad to hear it is resolved! The behavior definitely makes much more sense knowing that HIPS was in the picture. Thank you for closing the loop!

ktankink
McAfee Employee
Message 8 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

To clarify, if Host IPS 8.0 functionality (IPS/FW) is enabled, this will override the ENS Exploit Prevention/FW functionality, even if the ENS ePO policy has it enabled.  For testing purposes, you can just disable the HIPS IPS/FW modules via ePO policy, enforce that policy locally on the system, and the ENS modules would take over.  This would allow you to switch back and forth as needed for testing, without having to continually remove/reinstall the HIPS product.  If HIPS and ENS are installed together, HIPS functionality takes precedence over ENS, until such time that you uninstall HIPS permanently and use ENS fully from that point on.
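As an added example (not from this thread, the planning guide, or either McAfee product), the following PowerShell harness ties the two points above together: it first checks the precondition ktankink describes (a running Host IPS overrides ENS Exploit Prevention, so a missed detection is expected and the test is invalid), then performs the benign hidden-window launch wouterr suggested and reports whether the child process actually executed. The HIPS service name and the marker-file approach are assumptions, not documented values.

```powershell
# Added example, not code from the thread or from McAfee. Verifies the HIPS
# precondition, then runs a harmless hidden-window PowerShell child and reports
# whether ENS Exploit Prevention let it run.

$HipsServiceName = 'enterceptAgent'   # assumed service name for McAfee Host IPS 8.0
$MarkerFile      = Join-Path $env:TEMP 'ens_hidden_ps_test.txt'

function Test-HipsActive {
    # If Host IPS is installed and running, its IPS/FW modules take precedence
    # over the ENS modules, so the ENS rule cannot be expected to fire.
    $svc = Get-Service -Name $HipsServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return ($svc.Status -eq 'Running')
}

function Invoke-HiddenPowerShellTest {
    Remove-Item -Path $MarkerFile -ErrorAction SilentlyContinue

    # Benign child: write a timestamp to a marker file and exit. Nothing else.
    $childCommand = "Set-Content -Path '$MarkerFile' -Value (Get-Date -Format o)"

    # -WindowStyle Hidden is the behaviour the "Hidden PowerShell Detected"
    # rule is meant to catch. A blocked launch may throw, so tolerate that.
    $proc = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-WindowStyle', 'Hidden', '-Command', $childCommand) `
        -PassThru -Wait -ErrorAction SilentlyContinue

    # The marker exists only if the hidden child was allowed to run.
    $childRan = Test-Path -Path $MarkerFile

    [pscustomobject]@{
        ExitCode      = if ($proc) { $proc.ExitCode } else { $null }
        ChildExecuted = $childRan
        Verdict       = if ($childRan) {
                            'Child ran: if the rule is set to Block this is a miss; confirm the rule is enabled in policy and check for a detection event'
                        } else {
                            'Child did not run: launch was blocked'
                        }
    }
}

if (Test-HipsActive) {
    Write-Warning "Host IPS service '$HipsServiceName' is running; ENS Exploit Prevention is overridden. Disable the HIPS IPS/FW modules via ePO policy (or remove HIPS) before testing."
    return
}

Invoke-HiddenPowerShellTest | Format-List
```

Run it from an interactive console on the test endpoint; a Report-only rule will let the child run and should still produce a detection event, so the verdict line is a prompt to check events, not a failure on its own.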

krit
Level 9
Message 9 of 9

Re: Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

Dear ktankink,

Thank you for the clarification. The HIPS had remained in the endpoint as a product which was managed by another ePO of earlier version; the endpoint was transferred to a new ePO 5.9.1 without HIPS (or VSE) installed.

Thus we could not fine-tune the functionality of HIPS and ENS via policy. We removed HIPS with the Endpoint Product Removal tool, as HIPS is not needed anymore. Nevertheless, it is a good tip to know for future cases.

Thank you.

Best Regards,

krit