Unmanaged powershell and unmanaged powershell II rules

Hi,

We get a ton of false positives from ENS due to the Unmanaged PowerShell and Unmanaged PowerShell II rules. We don't really want to disable these rules because PowerShell is probably the #1 most exploited vector attackers use to attack Windows hosts, but we are now seeing false positives from native Windows processes like COMPATTELRUNNER.EXE and RemoteFXvGPUDisablement.exe.

Each PC is running the RemoteFXvGPUDisablement.exe process every day, so it's a ton of alerts, and it's creating chase burnout and making people non-vigilant.

McAfee Employee

Re: Unmanaged powershell and unmanaged powershell II rules

Thank you for posting your question to our community, @enxl!

Are you seeing a ton of detection events by the Exploit Prevention feature with signature ID 608x?

Are there any trends?

You can exclude individual processes from each signature ID.

This reduces the security risk compared with disabling the signature ID completely.

 

If it is difficult to determine, please raise a support ticket and contact us.

We will provide possible advice for this.
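The reply above suggests finding the trend and excluding individual processes from a signature rather than disabling it. The script below is an added example of that triage, not McAfee code: it takes Exploit Prevention events in a constructed pipe-separated layout (host, signature name, full path of the triggering process; the real ENS/ePO export format and the numeric signature IDs are not reproduced here), counts hits and distinct hosts per signature and full path, and proposes an exclusion only for a process that fires broadly from a trusted OS directory. The `TRUSTED_DIRS` policy and the `min_hits`/`min_hosts` thresholds are assumptions for illustration. It also lists process names seen from more than one directory, because an exclusion keyed on the bare name (e.g. `CompatTelRunner.exe`) would equally silence a copy dropped in a user's Temp folder; the full path is what should go into the Exploit Prevention exclusion.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (NOT a real ENS/ePO export):
# host | Exploit Prevention signature name | full path of the process that fired it
SAMPLE_EVENTS = """\
PC-001|Unmanaged PowerShell II|C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe
PC-002|Unmanaged PowerShell II|C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe
PC-003|Unmanaged PowerShell II|C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe
PC-001|Unmanaged PowerShell|C:\\Windows\\System32\\CompatTelRunner.exe
PC-002|Unmanaged PowerShell|C:\\Windows\\System32\\CompatTelRunner.exe
PC-004|Unmanaged PowerShell|C:\\Windows\\System32\\CompatTelRunner.exe
PC-002|Unmanaged PowerShell|C:\\Users\\jdoe\\AppData\\Local\\Temp\\CompatTelRunner.exe
PC-005|Unmanaged PowerShell II|C:\\Users\\asmith\\Downloads\\invoice.exe
"""

# Assumed policy for this example: only binaries living directly in these OS
# directories are eligible for an automatic exclusion proposal.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def in_trusted_dir(path):
    """True if the file's parent directory is exactly one of TRUSTED_DIRS (case-insensitive)."""
    parent = [p.lower() for p in PureWindowsPath(path).parent.parts]
    return any(parent == [p.lower() for p in d.parts] for d in TRUSTED_DIRS)


def parse_events(text):
    """Parse the constructed 'host|signature|path' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, signature, path = line.split("|", 2)
        events.append({"host": host, "signature": signature, "path": path,
                       "proc": PureWindowsPath(path).name.lower()})
    return events


def summarize(events):
    """Per (signature, full path): number of hits and the set of distinct hosts."""
    summary = defaultdict(lambda: {"hits": 0, "hosts": set()})
    for e in events:
        entry = summary[(e["signature"], e["path"])]
        entry["hits"] += 1
        entry["hosts"].add(e["host"])
    return summary


def propose_exclusions(events, min_hits=3, min_hosts=3):
    """Split (signature, path) pairs into exclusion candidates and items needing review.

    A candidate must be a trusted-directory binary that fired at least
    min_hits times across at least min_hosts hosts, i.e. fleet-wide baseline
    noise rather than a one-off on a single machine.
    """
    candidates, review = [], []
    for (sig, path), s in sorted(summarize(events).items()):
        trusted = in_trusted_dir(path)
        baseline = s["hits"] >= min_hits and len(s["hosts"]) >= min_hosts
        record = {"signature": sig, "path": path, "hits": s["hits"],
                  "hosts": len(s["hosts"]), "trusted_dir": trusted}
        (candidates if trusted and baseline else review).append(record)
    return candidates, review


def name_collisions(events):
    """Process names observed from more than one directory: a name-only exclusion would cover all of them."""
    by_name = defaultdict(set)
    for e in events:
        by_name[e["proc"]].add(e["path"])
    return {name: sorted(paths) for name, paths in by_name.items() if len(paths) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    cands, todo = propose_exclusions(evs)
    print("Exclusion candidates (full path, per signature):")
    for c in cands:
        print(f"  [{c['signature']}] {c['path']}  hits={c['hits']} hosts={c['hosts']}")
    print("Needs analyst review:")
    for r in todo:
        print(f"  [{r['signature']}] {r['path']}  hits={r['hits']} trusted_dir={r['trusted_dir']}")
    for name, paths in name_collisions(evs).items():
        print(f"WARNING: {name} seen from {len(paths)} locations; exclude by full path, not name: {paths}")
```

On the sample data the two System32 binaries come out as candidates, while the single hit from a user's Temp folder and the Downloads executable are left for review even though one of them shares its name with an excluded OS binary.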

McAfee Employee

Re: Unmanaged powershell and unmanaged powershell II rules

Hi @enxl ,

You can have them excluded for the rules; I have also attached links below for your reference.

https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...

 

https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

 

Please do let me know if you have any questions. 

Thanks and regards,
Deepak G
McAfee Technical Support

Re: Unmanaged powershell and unmanaged powershell II rules

Hello,

It is the job of the security software to know whether something is actually malicious or not. So yes, you can create exclusions, but that just makes your enterprise less safe. Also, why can't you create an exclusion directly from the event notice? Why do you have to manually create exclusions? I've been trying to create an exclusion that works for COMPATTELRUNNER.EXE, and it just keeps notifying us about normal Windows operations.

Why can't McAfee just do their job and update their rules themselves, since that is what we are all paying them to do?
