dawnaw (Level 7), Message 1 of 11

Testing for Exploit Prevention - Hidden PowerShell Detected - How to Perform Test

Hello all ... I am wondering if anyone can guide me on how to test for this => Exploit Prevention - Hidden PowerShell Detected

This is recommended as a test case in the document ENS_10_5_Upgrade_Project%20Planning_Guide.pdf

Any help is appreciated

Thanks

3 accepted solutions: the screenshot reply (message 3), krit's message 6 and ktankink's message 8 below.


10 Replies
wouterr (Level 11), Message 2 of 11

I would assume by executing some powershell code like "PowerShell.exe -windowstyle hidden { your script.. }"

Message 3 of 11

Attachment: 2017-12-06 13_59_14-Endpoint Security 10.5 Upgrade Project Planning Guide - ENS_10_5_Upgrade_Project.png (screenshot of the guide's test procedure; the next reply addresses this post to rahulraju87)

krit (Level 10), Message 4 of 11

Dear rahulraju87,

I have followed the procedure you mention as taken from the ENS upgrade project planning guide document. I have performed the test in two different environments: 1) in my lab with an ePO 5.10, EP agent 5.5 and ENS 10.6 on a Windows 8.1, and the test was successful; and 2) in the customer's environment with an ePO 5.9.1, EP agent 5.0.6 and ENS 10.5 on a Windows 7, and the test was unsuccessful: the attempt is not blocked, plus no detection events are generated.

Any ideas why the test fails in the second occasion?

Thank you.

Best Regards,

krit

jess_arman (McAfee Employee), Message 5 of 11

@krit It is possible that on the second system the rule is not enabled (either due to policy setting or issue with enforcement), the event ID could be suppressed, or there could be an issue with the integrity of the ENS installation itself where Exploit Prevention is not currently functional at "worst case scenario". We would need contextual data to even begin to speak further as not enough information is currently provided.

krit (Level 10), Message 6 of 11

Dear @jess_arman,

Just to let you know that the issue has been resolved. FYI, host intrusion prevention had been installed on the endpoint, which rendered the exploit prevention module as disabled.

I removed host intrusion prevention and the test was successful afterwards.

Thanks.

Best Regards,

krit

jess_arman (McAfee Employee), Message 7 of 11

@krit Glad to hear it is resolved! The behavior definitely makes much more sense knowing that HIPS was in the picture. Thank you for closing the loop!

ktankink (McAfee Employee), Message 8 of 11

To clarify, if Host IPS 8.0 functionality (IPS/FW) is enabled, this will override the ENS Exploit Prevention/FW functionality, even if the ENS ePO policy has it enabled.  For testing purposes, you can just disable the HIPS IPS/FW modules via ePO policy, enforce that policy locally on the system, and the ENS modules would take over.  This would allow you to switch back and forth as needed for testing, without having to continually remove/reinstall the HIPS product.  If HIPS and ENS are installed together, HIPS functionality takes precedence over ENS, until such time that you uninstall HIPS permanently and use ENS fully from that point on.
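Added example (not from the thread or from McAfee): a PowerShell pre-flight script that checks for the Host IPS precedence problem ktankink describes before running the hidden-window test wouterr suggested, then records the launch time so the run can be matched against ENS Exploit Prevention events. The service names enterceptAgent (Host IPS) and mfeesp (ENS Platform) are assumptions.

```powershell
# Pre-flight for the "Hidden PowerShell Detected" test (added example, not McAfee's code).
# Service names are assumptions; adjust them to what your ePO reports.
$hipsService = 'enterceptAgent'   # assumed: McAfee Host Intrusion Prevention service
$ensService  = 'mfeesp'           # assumed: ENS Platform service

function Get-ServiceState([string]$Name) {
    # Returns 'not installed' when the service does not exist, else its status text.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    return $svc.Status.ToString()
}

$hips = Get-ServiceState $hipsService
$ens  = Get-ServiceState $ensService
Write-Output "Host IPS service : $hips"
Write-Output "ENS platform     : $ens"

if ($hips -ne 'not installed') {
    # Per the thread: with HIPS IPS/FW enabled, ENS Exploit Prevention is overridden
    # even if the ENS ePO policy enables the rule.
    Write-Warning 'Host IPS is present. Disable its IPS/FW modules by ePO policy (or remove HIPS) before expecting an ENS Exploit Prevention detection.'
}
if ($ens -ne 'Running') {
    Write-Warning 'ENS platform service is not running; no Exploit Prevention events can be expected.'
}

# The test itself: a harmless command in a hidden window, the behaviour the rule flags.
$started = Get-Date
try {
    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList '-WindowStyle Hidden -Command "Write-Output test"' `
        -Wait -ErrorAction Stop
    Write-Output 'Hidden PowerShell launched and exited.'
} catch {
    # A launch failure here is consistent with the rule blocking the process.
    Write-Output "Launch failed: $($_.Exception.Message)"
}
Write-Output ("Test started at {0:yyyy-MM-dd HH:mm:ss}; look for an ENS Exploit Prevention event at or after this time." -f $started)
```

Run it in an elevated console on the endpoint; if both warnings are silent and no event appears, the rule itself (policy enforcement or event suppression, as jess_arman notes) is the next thing to check.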

krit (Level 10), Message 9 of 11

Dear ktankink,

Thank you for the clarification. The HIPS had remained in the endpoint as a product which was managed by another ePO of earlier version; the endpoint was transferred to a new ePO 5.9.1 without HIPS (or VSE) installed.

Thus we could not fine-tune the functionality of HIPS and ENS via policy. We removed HIPS with the Endpoint Product Removal tool, as HIPS is not needed anymore. Nevertheless, it is a good tip to know for future cases.

Thank you.

Best Regards,

krit

SWISS (Reliable Contributor), Message 10 of 11

Wow, nicely explained. Is that from a McAfee manual? That's how stuff should be explained so customers understand. There are three other forum threads where they ping-pong on about how to test it. This would have been the solution. Well done.