BigMat
Level 7
Message 1 of 12

endpoint security 10.5: adding exclusion for "critical" threat

I want to run a cryptocurrency mining programme on my computer (Windows 10):

NsCpuCNMiner64.exe

Endpoint's on-access scan reports the programme as "critical" severity.

In the "on-access scan" advanced settings I only see the option to add exclusions for standard/high/low risk.

How can I add an exclusion for "critical"?

Alternatively, can I downgrade the risk of NsCpuCNMiner64.exe to a lower level?

thanks

11 Replies
manika
Level 7
Message 2 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Can you please share the logs of detection?

BigMat
Level 7
Message 3 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Hi,

Log is:

3/27/2018 5:47:13 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: Additional information:
3/27/2018 5:47:13 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: Primary Action: Clean
3/27/2018 5:47:13 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: Secondary Action: Delete
3/27/2018 5:47:13 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: Event ID: 1027
3/27/2018 5:52:32 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: ANONYMIZED\ANONYMIZED ran C:\Windows\System32\cmd.exe, which attempted to access C:\Users\matthieuh\Documents\testing\Claymore CryptoNote CPU Miner v3.8 - POOL\NsCpuCNMiner64.exe. The potentially unwanted program named W64/CoinMiner was detected and deleted.

But this is not relevant to my question.

I know Endpoint blocks NsCpuCNMiner64 but I want to run that program anyway. I don't care what Endpoint thinks of NsCpuCNMiner64. I make the conscious decision to use that programme and Endpoint should let me run it.

Cheers.
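
As an added example (not part of the original post, and not McAfee code), the Python below parses on-access scan activity lines shaped like the ones quoted above and extracts the detection category, detection name, acting process and target file, which is the information needed when reviewing an exclusion request. The line layout is an assumption inferred only from the lines in this post, and the sample log is constructed from them.

```python
import re

# Constructed sample: lines copied from the log quoted in the post above.
SAMPLE_LOG = r"""
3/27/2018 5:47:13 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: Primary Action: Clean
3/27/2018 5:47:13 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: Event ID: 1027
3/27/2018 5:52:32 PM mfetp(7700.8536) <SYSTEM> oasbl.OAS.Activity: ANONYMIZED\ANONYMIZED ran C:\Windows\System32\cmd.exe, which attempted to access C:\Users\matthieuh\Documents\testing\Claymore CryptoNote CPU Miner v3.8 - POOL\NsCpuCNMiner64.exe. The potentially unwanted program named W64/CoinMiner was detected and deleted.
"""

# Assumed layout (from the sample only): timestamp, process(pid.tid), <user>, source, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"\w+\(\d+\.\d+\) <[^>]*> (?P<source>[\w.]+): (?P<msg>.*)$"
)
# Detection sentence as it appears in the sample; paths may contain spaces and dots.
DETECTION_RE = re.compile(
    r"^(?P<account>.+?) ran (?P<actor>.+?), which attempted to access (?P<target>.+?)\. "
    r"The (?P<category>.+?) named (?P<name>\S+) was detected and (?P<outcome>\w+)\.$"
)

def parse_detections(log_text):
    """Return one dict per detection sentence; key/value and unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        header = LINE_RE.match(line.strip())
        if not header or header["source"] != "oasbl.OAS.Activity":
            continue
        hit = DETECTION_RE.match(header["msg"])
        if hit:
            events.append({"timestamp": header["ts"], **hit.groupdict()})
    return events

def targets_by_detection(events):
    """Group affected file paths under each detection name for exclusion review."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["name"], set()).add(ev["target"])
    return grouped

if __name__ == "__main__":
    for ev in parse_detections(SAMPLE_LOG):
        print(ev["timestamp"], ev["category"], ev["name"], ev["outcome"], ev["target"], sep=" | ")
```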

 

manika
Level 7
Message 4 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Please follow the below steps.

1. Endpoint Security Threat Prevention: Policy Category > On-Access Scan > My Default

Add the process in exclusion.

Exclusions

Columns: Item | Exclude Subfolders | Read/Write | Notes
Item: Windows File Protection; Modified {0} or more days ago; Accessed {0} or more days ago; Created {0} or more days ago; All files of type {0}; All files with no extension
Exclude Subfolders: Yes / No
Read/Write: read / write

Overwrite exclusions configured on the client

 

The policy here will be the policy applied to the machine. The exclusion can be tested locally as well.

Please let us know if it succeeds.

BigMat
Level 7
Message 5 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Hello,

Before I can add an exclusion, I need to select a process type.

I have 3 options:

Standard, High Risk and Low Risk, but my software is categorized as "critical".

I already added an exclusion in all three process types and it expectedly didn't work.

I need a 4th process type: critical.

on access.png

 

manika
Level 7
Message 6 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Can you please try to uncheck the options:

Detect unwanted program

Detect unknown threat programs

And there is one more option: you can add an exclusion by detection name.

Then try again and share the results.

BigMat
Level 7
Message 7 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

That could not possibly work (and it didn't).

"Detect unwanted program" and "Detect unknown threat programs" are process type specific settings.

The problem is that McAfee qualifies the programme as a "Critical" process type. But all the settings can only be used and changed for standard, high, low process types.

The only way to run my program, so far, has been to disable on-access scan. But that's a bad solution.

It's very annoying that McAfee doesn't let me make my own decision to run a specific programme.

I don't care whether McAfee thinks it's a threat or not. I know the risk and I make the informed decision to use that programme. McAfee can warn me but it should not override my decision.

McAfee ought to offer exclusion lists for all process types:

standard, high, low and critical

JayMan
Level 10
Message 8 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Assuming ENS works the same way as VSE...

When adding process exclusions, you set up 3 different scanning policies based on High, Standard, Low risk level... So basically if you trust a process and do not want to scan anything it accesses, then you classify that as Low risk and would set your Low risk policy to not scan on read or write...

BUT... for what I believe you are trying to achieve (i.e. don't have the .exe itself picked up as malicious) you just need to add a file exclusion for the exe file (or the directory it is running from if you like).

JayMan
Level 10
Message 9 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Like this...McAfee Exclusion.png

BigMat
Level 7
Message 10 of 12

Re: endpoint security 10.5: adding exclusion for "critical" threat

Hi,

Thanks for your input. Your solution is what I tried the first time, but it doesn't work.

It seems that McAfee considers this file a critical threat. Therefore, all the settings (exclusions...) that you can set for standard, high and low do not apply to a critical threat.

I tried other mining programmes and McAfee consistently assumes they are critical threats.

It is so annoying that McAfee takes decisions on my behalf without my consent.

I can perfectly understand that many malware use the same mining programmes to their own benefit, but there are also many people who use mining software for their own benefit too.

Anyway, I've spent too much time on this and I will get rid of McAfee asap. I'll try another solution (I tried AVG and it did let me create an exception for my mining programme).

Thanks to all for trying to help
