I have received about 500-plus of these Suspicious Attachment!lnk alerts today, all from different users. I have attached one below for reference. I want to believe that DAT Version 3075 just started picking up .LNK files as PUP (Potentially Unwanted Program) events for whatever reason. Can I get confirmation as to why? Is any other organization having/seeing this issue as well? Granted, McAfee is deleting these files, but when the user is emailing the attachment (in this case "District Complete Scorecard D3 Wk45.pdf") the file still sends, so my email appliance doesn't see the file as malicious. As well, the file is still attached to the email and is received by the recipients.
Events received from managed systems
Thank you for your time,
AM Core Content Version 3077 was released and has fixed the issue. So upgrade to 3077 and everyone should be good to go. I have confirmed within our environment that it is fixed and no longer reports any Suspicious Attachment!lnk instance.
Thank you all for your help.
I'm seeing identical behaviour with AMCore Content 3075. If you're able to, then roll back to 3074 and purge the events from ePO using a query and server task.
The download link for 3074, in case anyone needs to import it into the ePO repository, is
After you inject it into the master repository, run replication, then select the assets and click Update, choose AMCore and push it out to the affected PCs.
Update: it seems that 3074 is having the same issues; the last working version on our system was 3070.0.
ENS will also store the previous AMCore file so the easiest way to roll back using ePO is to assign a client task type Endpoint Security Threat Prevention / Roll Back AMCore Content with a Run Immediately schedule. Alternatively from the endpoint ENS Console the user can select the drop-down menu and choose Roll Back AMCore Content.
I've raised a support case and the issue has been recognised, but there is no additional information currently. My advice is to skip 3075 and expect remediation in 3076, but I would test first to ensure resolution.
I haven't submitted a ticket in regards to the matter. Seems that THeppner did though.
After some more testing, we found in our environment that the Suspicious Attachment!lnk comes from creating a new email with an attachment within Outlook. However, if you drag and drop the file into the email it doesn't give off the Suspicious Attachment!lnk instance, but if you use the "attach file" method it gives off the Suspicious Attachment!lnk instance.
Forwarding or replying did not create an instance either.
As for right now we are hoping that 3076 will remedy the issue. Hopefully they release it soon as I am tired of seeing all of these basically false positive events. If not, then we will roll back.
Most of our detection triggers came from "\Users\username\AppData\Roaming\Microsoft\Office\Recent". Every time you attach a file, no matter what, Outlook creates an .lnk file referring to the source file and stores it in the Recent files section. Really stupid and annoying behavior.
A temporary exclusion of the source should cut down on alerts... but that's not always a good thing...
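One way to triage a surge like this from an ePO event export, as an added example that is not code from the thread or from McAfee: it assumes a CSV export with the (hypothetical) column names shown, groups hits by content version and directory, and flags the pattern described above, many hosts, a single content version, and most hits under Outlook's Recent folder. The sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are an assumption, not ePO's real schema.
SAMPLE_CSV = """detected_utc,host,user,threat_name,content_version,target_path,action
2018-11-05T13:02:11Z,WS-0101,alice,Suspicious Attachment!lnk,3075,C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Scorecard D3 Wk45.LNK,Deleted
2018-11-05T13:02:45Z,WS-0102,bob,Suspicious Attachment!lnk,3075,C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Budget.xlsx.LNK,Deleted
2018-11-05T13:03:07Z,WS-0103,carol,Suspicious Attachment!lnk,3075,C:\\Users\\carol\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Notes.docx.LNK,Deleted
2018-11-05T13:04:30Z,WS-0104,dave,Suspicious Attachment!lnk,3075,C:\\Users\\dave\\Downloads\\invoice.pdf.lnk,Deleted
2018-11-04T09:15:00Z,WS-0105,erin,Generic.abc,3074,C:\\Users\\erin\\Downloads\\setup.exe,Deleted
"""


def load_events(text):
    """Parse the CSV export into a list of dicts (one per event)."""
    return list(csv.DictReader(io.StringIO(text)))


def normalise_path(path):
    """Return the lower-cased directory with the per-user segment collapsed,
    so C:\\Users\\alice\\... and C:\\Users\\bob\\... group together."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) > 2 and parts[1].lower() == "users":
        parts[2] = "<user>"
    return "\\".join(parts[:-1]).lower()


def triage(events, threat_name, min_hosts=3, share=0.6):
    """Summarise one threat name: distinct hosts, content versions that fired it,
    and whether the hits cluster in a single directory."""
    hits = [e for e in events if e["threat_name"] == threat_name]
    hosts = {e["host"] for e in hits}
    versions = Counter(e["content_version"] for e in hits)
    dirs = Counter(normalise_path(e["target_path"]) for e in hits)
    top_dir, top_n = dirs.most_common(1)[0] if dirs else ("", 0)
    top_share = top_n / len(hits) if hits else 0.0
    # Many hosts, one content version, hits concentrated in one benign-looking
    # directory: a probable content false positive, to be confirmed with the
    # vendor before rolling back content or adding exclusions.
    probable = bool(hits) and len(hosts) >= min_hosts and len(versions) == 1 and top_share >= share
    return {
        "hits": len(hits),
        "distinct_hosts": len(hosts),
        "versions": dict(versions),
        "top_dir": top_dir,
        "top_dir_share": top_share,
        "probable_content_fp": probable,
    }


if __name__ == "__main__":
    print(triage(load_events(SAMPLE_CSV), "Suspicious Attachment!lnk"))
```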