cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
McADOC1
Level 7
Report Inappropriate Content
Message 1 of 9

how do i setup exploit prevention to not check a sub process

Hi,

I am setting up a report/block for powershell  in exploit prevention [ens 10.6; ePO 5.9.1].

i follow this document as a guide

https://community.mcafee.com/docs/DOC-10292.

'Monitor PowerShell Parameter Usage Access Protection Rule' p.12

The process works and reports as it should.  

i have a app that is launched from powershell.  basically powershell kicks off a sub executable.

is there a way i can exclude that sub executable from being repoted/blocked?  see attached.

 

thanks for any input.

 

McAfee ePolicy Orchestrator  McAfee Endpoint Security 

8 Replies
McADOC1
Level 7
Report Inappropriate Content
Message 2 of 9

Re: how do i setup exploit prevention to not check a sub process

attachment.

Re: how do i setup exploit prevention to not check a sub process

Without looking at the rule you are using, I think the problem with the rule you're using is that you're only protected if PowerShell has a child process.  What if it doesn't?  

I would do something more like this:

 

 

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }
	}
	Target {
		Match PROCESS {
			Include OBJECT_NAME {
				-v "powershell.exe"
				-v "pwsh.exe"
			}
			Include PROCESS_CMD_LINE {
				#Not sure what you're wanting to block.. assuming below based upon your event
				-v "**bypass**"
				#some other good things
				-v "**-en **"
				-v "**-enc**"
				-v "**iex**"
			}
			Exclude PROCESS_CMD_LINE {
				#allowing your script to work
				-v "**zen_executeRunscript_????_*.ps1\""
			}
                        Include -access "CREATE"
		}
	}
}

 

McADOC1
Level 7
Report Inappropriate Content
Message 4 of 9

Re: how do i setup exploit prevention to not check a sub process

thank you for the follow up.

i am not looking to block any.  I am looking to only report on all powershell except for a few known specific, such as the zen one.

we will block by other methods.

when you have a moment, please clarify what the '#some other good things' are?

Thanks.

Former Member
Not applicable
Report Inappropriate Content
Message 5 of 9

Re: how do i setup exploit prevention to not check a sub process

Hello,

Thank you for posting on the Mcafee community.

Exploit Prevention exclusions and how they work
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...

Exclude processes from Exploit Prevention
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...

Create exclusions from Exploit Prevention events
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

Excluding items from Exploit Prevention
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

I hope this helps, let me know if you have any queries.

Re: how do i setup exploit prevention to not check a sub process

By "some other good things," I meant good things to monitor for.  But if you want to watch for everything, just remove the whole "Include PROCESS_CMD_LINE" section, and then you will capture everything other than what is in the "Exclude PROCESS_CMD_LINE" section.

McADOC1
Level 7
Report Inappropriate Content
Message 7 of 9

Re: how do i setup exploit prevention to not check a sub process

thank you for the follow ups.

i will work through these to see if i can get something to work...meaning reports all except for what is trusted or excluded.

i will take another look at reports > exploit prevention to see if i can get success that way.  thanks.

Daveb3d, thanks for the start of the expert rule.  If i use that, i would need to turn off the analyzer id's i enabled in my exploit prevention policy - is that correct?

a clarification question I have, many docs reference a caller process.  it is not clear in the mcafee incident which one it is referencing.  in my above pic [message 2] is the caller process the api name, powershell or 'Target Parent Process Name'?

Thanks again.

Re: how do i setup exploit prevention to not check a sub process

You wouldn't need to turn other rules off, but you might get some duplication.

The caller, i believe, is the parent. I think your rule had PowerShell as this, but mine was whatever spawned PowerShell.  

Dave

McADOC1
Level 7
Report Inappropriate Content
Message 9 of 9

Re: how do i setup exploit prevention to not check a sub process

sorry for the delay.  still working on this as time permits.

i have been trying to explore the expert rules.  i still get that sub process generating an alert.

i will look more at it as i am also trying to encompass the exploit prevention powershell id's into expert rule.

i will touch base soon.  thanks for the guidance.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community