MD5 hash added as an exclusion

Hello team,

We are in the process of adding more than 75 hashes as MD5 to the ENS Access Protection; however, after the list was added, alerts started to pop up in the dashboard, none related to the blacklist added.

So we verified and validated all the hashes in the alerts and found they are ranked as false positives. We added a whitelist to Access Protection to exclude some of those hashes, and those alerts are still showing up in the ePO dashboard.

Is this a misconfiguration, or did we trigger some other rule?

Any hint?

Help is appreciated.

Cordially,

Jose

7 Replies

McAfee Employee
Message 2 of 8
Re: MD5 hash added as an exclusion

Hi @jespinoza18 (Jose),

Thank you for reporting the issue. Can you kindly check the timestamp of these events in ePO and confirm they are newer alerts? (Timestamp of Event Generated Time)

Also, can you confirm from the specific endpoint, by opening the client UI, that the events are being generated?

Can you help us with a sample event description along with a screenshot here?

Also, it would be helpful to look into the corresponding MD5 exclusion you have added as well!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

Re: MD5 hash added as an exclusion

Hi there,

The hash alert is very repetitive, over and over again, the same source hash from cscript.exe:

Source Process Hash:    b073f18d23be85799a640147af9aba99

and the process is:

Threat Target File Path: C:\Windows\Temp\invBF57_tmp\Sierra_multiPNP\Sierra_Inv.vbs

We included the source hash in a whitelist in Access Protection, and a lot of alerts still appear as blocked on the dashboard, even today.

Again, are we missing something?

Thanks,

Jose

McAfee Employee
Message 4 of 8

Re: MD5 hash added as an exclusion

What exactly have you added as an exclusion? ENS can only exclude based on SOURCE and not TARGET.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: MD5 hash added as an exclusion

Hello there,

We added an exclude list of source hashes like: b073f18d23be85799a640147af9aba99

We didn't add target hashes, only source ones.

Cordially,

Jose

McAfee Employee
Message 6 of 8

Re: MD5 hash added as an exclusion

So you have given a source process name and hash? Can you share a screenshot of the rule?


Re: MD5 hash added as an exclusion

There you go.

[Attachments: rules for hash.jpg, rules for hash 01.jpg]

McAfee Employee
Message 8 of 8

Re: MD5 hash added as an exclusion

From what I see, you've created a rule entry to include these exclusions; this is not needed and won't work. Are you trying to add these hashes as exclusions from all rules? If yes, then you need to put them outside of each singular rule - on your second screenshot you see this at the top of the page.

However, if you are adding these to 1 specific rule, and are adding them as you are, then you need to remove the hash from the file name/path field. If you add a file name + a hash, it needs to meet both of these criteria to be allowed.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
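
The matching logic described in the last reply, as an added example that is not from the thread or from McAfee's code: a simplified Python model in which every criterion set on an exclusion must match the source process, plus a check for an MD5 typed into the name/path field. The field names `name_or_path` and `md5`, the wildcard matching, and the cscript.exe source path are assumptions; the hash and target path are the ones quoted in the thread.

```python
import re
from fnmatch import fnmatchcase

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def is_excluded(event, excl):
    """Simplified model: every criterion set on the exclusion must match the
    SOURCE process; the target file is never consulted."""
    name, md5 = excl.get("name_or_path"), excl.get("md5")
    if not name and not md5:
        return False  # an empty entry excludes nothing
    path = event["source_path"].lower()
    if name:
        pattern = name.lower()
        base = path.rsplit("\\", 1)[-1]
        if not (fnmatchcase(path, pattern) or fnmatchcase(base, pattern)):
            return False
    if md5 and md5.lower() != event["source_md5"].lower():
        return False
    return True

def lint(excl):
    """Flag the mistake from the thread: an MD5 typed into the name/path field."""
    name = (excl.get("name_or_path") or "").strip()
    if MD5_RE.match(name):
        return "MD5 value in name/path field; move it to the hash field"
    return None

# Constructed event: hash and target path from the thread, source path assumed.
EVENT = {
    "source_path": r"C:\Windows\System32\cscript.exe",
    "source_md5": "b073f18d23be85799a640147af9aba99",
    "target_path": r"C:\Windows\Temp\invBF57_tmp\Sierra_multiPNP\Sierra_Inv.vbs",
}
HASH = EVENT["source_md5"]
CASES = {  # hypothetical exclusion entries
    "hash in both fields": {"name_or_path": HASH, "md5": HASH},
    "hash only": {"md5": HASH},
    "name + hash": {"name_or_path": "cscript.exe", "md5": HASH},
    "target path as name": {"name_or_path": "*\\Sierra_Inv.vbs"},
}

def evaluate():
    return {label: (is_excluded(EVENT, e), lint(e)) for label, e in CASES.items()}

if __name__ == "__main__":
    for label, (excluded, warning) in evaluate().items():
        print(f"{label:22} excluded={excluded!s:5} {warning or ''}")
```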