
IPS Event 3829 Sticky Keys poqexec.exe on sethc.exe

I have been working with support on this and suspect it is a false positive. Basically, the event is being triggered during Windows updates. I am not sure exactly what part of the process triggers it, but it seemed like a good idea to ask the community if they see the same thing. This is with HIPS P15, although the patch level is probably not important. Anybody else out there getting these events? Note that I do not need feedback on these processes unless you can tell me exactly which part of the process is causing the trigger. Yes, we can add an exception, but it still triggers on new builds which do Windows updates before they get the requisite HIPS policy from ePO.

McAfee Employee

Re: IPS Event 3829 Sticky Keys poqexec.exe on sethc.exe

Hello,

Thank you for posting.

Please find the details of the Signature.

Signature name: Sticky Keys File Replacement Backdoor

Signature ID: 3829

General Signature Description
(Refer to KB article 51504 for details about supported platforms.) This event could indicate an attempt to exploit a vulnerability in Microsoft Windows that could allow successful attackers to maintain access to confidential information. A successful exploit would allow a user with administrative permissions to no longer need a username or password to access the computer in the future.

Possible Signature Triggers
If you observe false positives for a particular application, you are advised to either lower the severity of this signature or create an exception for that application. If you observe signature triggers or false positives that should be mentioned in this section, please refer to KB67561 in the McAfee Knowledge Base. https://kc.mcafee.com/corporate/index?page=content&id=KB67561

So you can either disable the rule or lower the severity of the rule.

Let us know if you have any queries.

Regards,
Daya

Re: IPS Event 3829 Sticky Keys poqexec.exe on sethc.exe

Thanks but that was not really what I was asking for. I was asking for feedback from the community to see if anybody else had this. 

McAfee Employee

Re: IPS Event 3829 Sticky Keys poqexec.exe on sethc.exe

Hello,

Thank you for your reply.

To assist you further with the post, I checked the known issues list of ENS and the issues reported by other customers.
I don't think the issue that you are facing is observed in other customers' environments, which is why the known issues list is not updated with poqexec.exe.

Refer to the below link for more information.
Endpoint Security 10.x Known Issues
Technical Articles ID: KB88788
https://kc.mcafee.com/corporate/index?page=content&id=KB82450

Let us know if you have any queries.

Regards,
Daya

Re: IPS Event 3829 Sticky Keys poqexec.exe on sethc.exe

Thanks for that. Perhaps it is the same thing, but this is in the HIPS forum and hence I was not referring to ENS. I dare say many customers don't even notice these events, which is why I am asking them to check. As I inferred, I am not convinced many customers will read this post either, but it is always worth a try!

McAfee Employee

Re: IPS Event 3829 Sticky Keys poqexec.exe on sethc.exe

Hello,

I also checked the known issues of HIPS, but I couldn't find anything related to the query that you have posted.


https://kc.mcafee.com/corporate/index?page=content&id=KB69184
Host Intrusion Prevention 8.0 Known Issues
Technical Articles ID: KB69184

I will try to do some more research on this. But as a quick solution, you can either disable the rule or reduce the severity of the rule and then update your Windows.

Let us know if you have any queries.

Regards,
Daya