foose
Level 9
Message 1 of 8

When will VSE or ENS support Win10 & AMSI?

Win10 & Server 2016 will provide an interface to scan for malicious scripts (i.e. PowerShell)

Windows 10 to offer application developers new malware defenses – Microsoft Malware Protection Cente...

When will VirusScan Enterprise or Endpoint Security 10 support this?

McAfee Employee omfys
Message 2 of 8

Re: When will VSE or ENS support Win10 & AMSI?

Hello,

AMSI is supported by McAfee Endpoint Security 10.6.

It's not planned with VirusScan Enterprise.

Regards,
Olivier

Reliable Contributor bretzeli
Message 3 of 8

Re: When will VSE or ENS support Win10 & AMSI?

10.6 is finally out. We migrated 4 of 35 smaller and 2 larger enterprises to 10.6. Internally, in our development network, where people have several PowerShell scripts, it already hit some false positives. If you have developer PCs with a lot of tools and add-ons for different languages, you may have to turn it off, mainly when you update or install open-source tools with PowerShell routines on Windows 10.

In all, around 15 developer clients and 2 (two) false positives. One was from https://github.com/Maximus5/ConEmu/wiki/ConEmu; the other was something they wrote themselves to set up MS SQL Servers at customer sites fully automatically.

With the regular customers, no false positives seen with AMSI.

Read my links about AMSI and PowerShell, which are always mentioned at Black Hat.

http://www.butsch.ch/post/Mcafee-Endpoint-Security-ENS-106-Release-news.aspx

Re: When will VSE or ENS support Win10 & AMSI?

I have a quick question on this topic - is there a way to test AMSI? I just set up some alerts in ePO for AMSI detections, but just wondered if there's an EICAR-esque test file that can be used to make sure the alerts are set up correctly?

I have Googled this but can't find a solution.

Thanks for any help you can give me.

Reliable Contributor SWISS
Message 5 of 8

Re: When will VSE or ENS support Win10 & AMSI?

We hardly SEE them in the AMSI Events (Separate Category in Reports). We only had them BEFORE we activated MOST of the POWERSHELL IPS Rules. After the activation of the IPS PowerShell rules we see the alerts under EXPLOIT PROTECTION.

So if you have most of the FILELESS AND POWERSHELL Exploit IPS Protection on, THIS part of ENS will capture the malware mostly BEFORE it even reaches the AMSI Module.

Name der Bedrohung: PS/Downloader!ams.e
Typ der Bedrohung: Trojaner
Erkennungsmethode des Analyseprogramms: AMSI
Ereignisbeschreibung: Sicherheitsverletzung beim Skript erkannt und durch AMSI blockiert
Endpoint Security
Modulname:Bedrohungsschutz
AMCore Content-Version: 3534.0
Quellenbeschreibung: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Ziel-Hash: c30fa58997cad2d4f18e91efcfb094fb
Task-Name: AMSIScan
Erste versuchte Aktion: Blockieren
Beschreibung:
hat den Vorgang 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ausgeführt. Die Bedrohung 'Trojaner' mit dem Namen 'PS/Downloader!ams.e' wurde erkannt und blockiert.
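
To confirm that a detection really arrived as a blocked AMSI event, rather than under Exploit Protection as described in the post above, the event text can be parsed field by field. This is an added example, not part of the original thread or of any McAfee tooling; the function names are hypothetical and the sample is a subset of the German event quoted above.

```python
# Field names are the German ENS strings from the event quoted in the thread.
METHOD = "Erkennungsmethode des Analyseprogramms"
ACTION = "Erste versuchte Aktion"
SOURCE = "Quellenbeschreibung"

# Subset of the event text as posted above (raw string keeps the backslashes).
SAMPLE_EVENT = r"""Name der Bedrohung: PS/Downloader!ams.e
Typ der Bedrohung: Trojaner
Erkennungsmethode des Analyseprogramms: AMSI
Endpoint Security
Modulname:Bedrohungsschutz
Quellenbeschreibung: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Task-Name: AMSIScan
Erste versuchte Aktion: Blockieren
Beschreibung:
hat den Vorgang 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ausgeführt. Die Bedrohung 'Trojaner' mit dem Namen 'PS/Downloader!ams.e' wurde erkannt und blockiert.
"""


def parse_event(text):
    """Split 'Key: value' lines into a dict, stopping at the free-text description."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only: values contain C:\ paths.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # bare lines such as 'Endpoint Security' carry no field
        key, value = key.strip(), value.strip().strip('"')
        if key == "Beschreibung":
            break  # everything after this is prose, not key/value data
        fields[key] = value
    return fields


def is_amsi_block(fields, process_name="powershell.exe"):
    """True when the event is an AMSI detection that was blocked for the given host process."""
    return (
        fields.get(METHOD) == "AMSI"
        and fields.get(ACTION) == "Blockieren"
        and fields.get(SOURCE, "").lower().endswith("\\" + process_name)
    )


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(event[METHOD], event["Task-Name"], is_amsi_block(event))
```
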


Re: When will VSE or ENS support Win10 & AMSI?

Thanks for your response, I will take a look at my ENS IPS rules.

Do you know if there is a test script that can be used to trigger an AMSI detection?

Thanks again,

Adam

McAfee Employee chealey
Message 7 of 8

Re: When will VSE or ENS support Win10 & AMSI?

Hi Adam
I've reached out to you via email!
Best Regards
Cara
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: When will VSE or ENS support Win10 & AMSI?

Thanks Cara, you solved my issue!

If anyone else is wondering, yes, McAfee can provide you with files that can be used to test that your AMSI is properly configured and that any alerts you have set up via automated responses are also triggered properly.

Thanks,

Adam
