WhatFix powershell exclusion

Good day

We need to create exclusions for the below triggered EP event:

Module Name: Threat Prevention
Analyzer Content Version: 10.6.0.11598
Analyzer Rule ID: 6073
Analyzer Rule Name: Execution Policy Bypass in Powershell
Source Description: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -ExecutionPolicy Bypass "C:\WINDOWS\ccmcache\h\Whatfix-ExtensionInstall.ps1"
Target Parent Process Name: WMIPRVSE.EXE
Target Name: POWERSHELL.EXE
Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
API Name: AtlComPtrAssign
Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only.
Attack Vector Type: Local System

We've tried adding Whatfix-ExtensionInstall.ps1 as an exclusion but it did not work as the events are still noted. Has anyone dealt with this before? Any assistance or guidance is appreciated, thanks.
4 Replies
Tares1
McAfee Employee
Message 2 of 5

Re: WhatFix powershell exclusion

Hello @User39605433 

Thank you for reaching the support community.

This question has been answered on post:

https://community.mcafee.com/t5/Endpoint-Security-ENS/Exclusions-for-Exploit-Prevention/td-p/627636

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Tiago A

Re: WhatFix powershell exclusion

Hi there,
So in short, no, it can't be excluded? 
Post states you can't exclude based upon cmdline.

Tares1
McAfee Employee
Message 4 of 5

Re: WhatFix powershell exclusion

It can be excluded through an expert rule. Exclusions on exploit prevention are for the source and not the target, and since the source of this rule is the PowerShell process you would effectively be disabling the rule by excluding this process.

The target can be excluded when you set up your own expert rule, enabling you to create more accurate exclusions.


Thanks and regards,
Tiago A
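The source-versus-target distinction above is easy to misjudge when tuning, so here is an added illustration of it. This is a small Python triage helper written for this thread; it is not McAfee code and it is not an ENS expert rule (expert-rule syntax is not shown on this page). It parses EP event text laid out exactly as in the question and compares the two strategies: a built-in exclusion keyed on the source process (powershell.exe), which suppresses every event from rule 6073, versus a narrow target-side match on the parent process and the script path, which suppresses only the known Whatfix deployment. Event 1 is the record quoted in the question; events 2 and 3, the parent/script names in them, and the `WmiPrvSE.exe`/ccmcache glob defaults are constructed for the example.

```python
"""Triage helper for ENS Exploit Prevention (EP) event records.

Added example, not McAfee code. It models the point made in the thread: a
built-in EP exclusion keys on the SOURCE process (here powershell.exe), so
excluding it silences the whole rule, whereas a narrower match on the
TARGET side (parent process + script path) keeps the rule useful.
"""
import re
from fnmatch import fnmatch
from typing import Dict, List

# Field labels exactly as they appear in the flattened event text.
FIELDS = [
    "Module Name", "Analyzer Content Version", "Analyzer Rule ID",
    "Analyzer Rule Name", "Source Description", "Target Parent Process Name",
    "Target Name", "Target Path", "API Name", "Description", "Attack Vector Type",
]
_ALTS = "|".join(re.escape(f) for f in FIELDS)
# A value runs lazily until the next known label (or the end of the text).
_FIELD_RE = re.compile(rf"(?P<key>{_ALTS}): (?P<val>.*?)(?=\s(?:{_ALTS}): |\Z)", re.S)

PS = r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"

# Event 1 is the record quoted in the question. Events 2 and 3 are CONSTRUCTED
# look-alikes (same rule 6073) so the two exclusion strategies can be compared.
SAMPLE_EVENTS: List[str] = [
    "Module Name: Threat Prevention Analyzer Content Version: 10.6.0.11598 "
    "Analyzer Rule ID: 6073 Analyzer Rule Name: Execution Policy Bypass in Powershell "
    f'Source Description: "{PS}" -NoLogo -NonInteractive -ExecutionPolicy Bypass '
    r'"C:\WINDOWS\ccmcache\h\Whatfix-ExtensionInstall.ps1" '
    "Target Parent Process Name: WMIPRVSE.EXE Target Name: POWERSHELL.EXE "
    r"Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0 API Name: AtlComPtrAssign "
    "Description: ExP:Illegal API Use was detected as an attempt to exploit "
    r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the "
    "AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to "
    "Report Only. Attack Vector Type: Local System",
    # constructed: same rule, interactive launch from Explorer of a downloaded script
    "Module Name: Threat Prevention Analyzer Rule ID: 6073 "
    "Analyzer Rule Name: Execution Policy Bypass in Powershell "
    r'Source Description: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\jdoe\Downloads\run.ps1" '
    "Target Parent Process Name: EXPLORER.EXE Target Name: POWERSHELL.EXE "
    "Attack Vector Type: Local System",
    # constructed: same parent as the Whatfix deployment but a different script
    "Module Name: Threat Prevention Analyzer Rule ID: 6073 "
    "Analyzer Rule Name: Execution Policy Bypass in Powershell "
    f'Source Description: "{PS}" -NoLogo -NonInteractive -ExecutionPolicy Bypass '
    r'"C:\WINDOWS\ccmcache\k\Other-Deploy.ps1" '
    "Target Parent Process Name: WMIPRVSE.EXE Target Name: POWERSHELL.EXE "
    "Attack Vector Type: Local System",
]


def parse_event(text: str) -> Dict[str, str]:
    """Split a flattened 'Label: value Label: value ...' EP record into a dict."""
    return {m.group("key"): m.group("val").strip() for m in _FIELD_RE.finditer(text)}


def source_executable(event: Dict[str, str]) -> str:
    """Basename of the executable heading the Source Description command line,
    i.e. the process a built-in EP exclusion would be matched against."""
    head = re.match(r'"([^"]+)"|(\S+)', event["Source Description"].strip())
    exe = head.group(1) or head.group(2)
    return exe.rsplit("\\", 1)[-1].lower()


def after_source_exclusion(events: List[Dict[str, str]], exe: str) -> List[Dict[str, str]]:
    """Model the built-in exclusion: drop every event whose source process is `exe`."""
    return [e for e in events if source_executable(e) != exe.lower()]


def is_known_deployment(event: Dict[str, str], parent_exe: str, script_glob: str) -> bool:
    """Target-side match in the spirit of an expert rule: expected parent process,
    the bypass switch present, and a quoted .ps1 path that matches script_glob."""
    cmd = event["Source Description"]
    scripts = [t.strip('"') for t in re.findall(r'"[^"]+"', cmd)
               if t.lower().endswith('.ps1"')]
    return (event["Target Parent Process Name"].lower() == parent_exe.lower()
            and "-executionpolicy bypass" in cmd.lower()
            and any(fnmatch(s.lower(), script_glob.lower()) for s in scripts))


def triage(raw_events: List[str], parent_exe: str = "WmiPrvSE.exe",
           script_glob: str = r"C:\WINDOWS\ccmcache\*\Whatfix-ExtensionInstall.ps1") -> dict:
    """Compare both strategies over a batch of raw event strings."""
    events = [parse_event(t) for t in raw_events]
    known = [is_known_deployment(e, parent_exe, script_glob) for e in events]
    return {
        "total": len(events),
        "left_after_excluding_powershell": len(after_source_exclusion(events, "powershell.exe")),
        "matched_whatfix_deployment": sum(known),
        "still_needs_review": [e["Source Description"] for e, k in zip(events, known) if not k],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run as-is, the source-based exclusion leaves zero of the three events (the rule is effectively off), while the parent-plus-script match clears only the Whatfix install and leaves the other two bypass launches for review. The same parse-then-compare step is a cheap way to check any candidate exclusion against a batch of exported events before committing it to policy.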

Re: WhatFix powershell exclusion

Thank you for clarification, appreciate it. 

 

Any guidance or advice on how to configure the expert rule?
