
.LNK files, Suspicious Attachment!lnk


Hello all,

I have received about 500-plus of these Suspicious Attachment!lnk alerts today, all from different users. I have attached one below for reference. I want to believe that DAT Version 3075 just started picking up .LNK files as PUP (Potentially Unwanted Program) events for whatever reason. Can I get confirmation as to why? Is any other organization having/seeing this issue as well? Granted, McAfee is deleting these files when the user is emailing the attachment, but in this case ("District Complete Scorecard D3 Wk45.pdf") the file still sends, so my email appliance doesn't see the file as malicious. As well, the file is still attached to the email and is received by the recipients.

Server ID:EPOLICY
Event Received Time:8/16/17 1:44:15 PM
Event Generated Time:8/16/17 1:43:41 PM
Agent GUID:***************************************
Detecting Prod ID (deprecated):ENDP_AM_1020
Detecting Product Name:McAfee Endpoint Security
Detecting Product Version:10.2.1.1133
Detecting Product Host Name:******-LAP2-W7
Detecting Product IPv4 Address:xxx.xxx.xxx.xxx
Detecting Product IP Address:xxx.xxx.xxx.xxx
Detecting Product MAC Address:*****************
DAT Version:3075.0
Engine Version:5900.7806
Threat Source Host Name:*****-LAP2-W7
Threat Source IPv4 Address:xxx.xxx.xxx.xxx
Threat Source IP Address:xxx.xxx.xxx.xxx
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name:C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
Threat Source URL:
Threat Target Host Name:******-LAP2-W7
Threat Target IPv4 Address:xxx.xxx.xxx.xxx
Threat Target IP Address:xxx.xxx.xxx.xxx
Threat Target MAC Address:
Threat Target User Name:Domain\*****
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:C:\Users\*****\AppData\Roaming\Microsoft\Office\Recent\District Complete Scorecard D3 Wk45.pdf.LNK
Event Category:Malware detected
Event ID:1027
Threat Severity:Critical
Threat Name:Suspicious Attachment!lnk
Threat Type:Potentially Unwanted Program
Action Taken:Delete
Threat Handled:True
Analyzer Detection Method:On-Access Scan

Events received from managed systems

Event Description:Malware deleted

Endpoint Security

Module Name:Threat Prevention
Analyzer Content Creation Date:8/16/17 8:00:00 AM
AMCore Content Version:3075.0
Analyzer McAfee GTI Query:No
Threat Detected On Creation:Yes
Target Hash:4c2d2b05d65434df8070fbff263b9d9b    (Ran this hash through VirusTotal and found nothing)
Target Name:District Complete Scorecard D3 Wk45.pdf.LNK
Target Path:C:\Users\******\AppData\Roaming\Microsoft\Office\Recent
Target File Size (Bytes):1192
Target Modify Time:8/16/17 1:43:41 PM
Target Access Time:8/16/17 1:43:41 PM
Target Create Time:8/16/17 1:43:41 PM
Cleanable:Yes
Task Name:On-Access Scan
First Attempted Action:Clean
First Action Status:Succeeded
Second Attempted Action:Delete
Second Action Status:Failed
Description:Domain\***** ran C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE, which tried to access C:\Users\*****\AppData\Roaming\Microsoft\Office\Recent\District Complete Scorecard D3 Wk45.pdf.LNK. The Potentially Unwanted Program named Suspicious Attachment!lnk was detected and deleted.
Duration Before Detection (Days):0
Attack Vector Type:Local System

Thank you for your time,

-Brandon

1 Solution

Accepted Solutions

Re: .LNK files, Suspicious Attachment!lnk


AM Core Content Version 3077 was released and has fixed the issue. So upgrade to 3077 and everyone should be good to go. I have confirmed within our environment that it is fixed and no longer reports any Suspicious Attachment!lnk instance.

Thank you all for your help.


14 Replies

Re: .LNK files, Suspicious Attachment!lnk


Good morning,

Same here. Seems to be the current DAT version. Opened a ticket.

Regards,

THeppner

Re: .LNK files, Suspicious Attachment!lnk


Hi Brandon,

I'm seeing identical behaviour with AMCore Content 3075. If you're able to, roll back to 3074 and purge the events from ePO using a query and server task.

Regards,

Julian

pgajdek

Re: .LNK files, Suspicious Attachment!lnk


The download link for 3074, in case anyone needs to import it into the ePO repository, is

http://download.nai.com/products/datfiles/V3DAT/epoV3_3074.0dat.zip

After you've imported it into the master repository, run replication, then select the assets, click Update, choose AMCore and push it out to the affected PCs.

Update: it seems 3074 has the same issue; the last working version on our system was 3070.0.

Re: .LNK files, Suspicious Attachment!lnk


Hi,

ENS also keeps the previous AMCore content, so the easiest way to roll back via ePO is to assign a client task of type Endpoint Security Threat Prevention / Roll Back AMCore Content with a Run Immediately schedule. Alternatively, from the endpoint's ENS console the user can open the drop-down menu and choose Roll Back AMCore Content.

Regards,

Julian

Re: .LNK files, Suspicious Attachment!lnk


I'm seeing this too.

Any official news from McAfee?

Re: .LNK files, Suspicious Attachment!lnk


I've raised a support case and the issue has been recognised, but there is no additional information currently. My advice is to skip 3075 and expect remediation in 3076, but test first to ensure resolution.

Re: .LNK files, Suspicious Attachment!lnk


I haven't submitted a ticket regarding the matter. It seems THeppner did, though.

After some more testing, we found in our environment that the Suspicious Attachment!lnk detection comes from creating a new email with an attachment within Outlook. However, if you drag and drop the file into the email it doesn't trigger a Suspicious Attachment!lnk instance, but if you use the "Attach File" method it does.

Forwarding or replying did not create an instance either.

For right now we are hoping that 3076 will remedy the issue. Hopefully they release it soon, as I am tired of seeing all of these basically false-positive events. If not, then we will roll back.

pgajdek

Re: .LNK files, Suspicious Attachment!lnk


Most of our detections were triggered from "\Users\username\AppData\Roaming\Microsoft\Office\Recent". Every time you attach a file, no matter what, Outlook creates an .lnk file referring to the source file and stores it in the Recent section. Really stupid and annoying behavior.

A temporary exclusion of that path should cut down on alerts, but that's not always a good thing.
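An added triage script for the behaviour pgajdek describes; it is not from the thread or from McAfee. It walks the Outlook Recent folder on an endpoint, resolves each .LNK to its target with the WScript.Shell COM object, and flags any shortcut that carries arguments or points at a script host, so an analyst can confirm in bulk that the 3075 detections are plain shortcuts to attached documents rather than LNKs that launch a command. The interpreter list and the REVIEW/benign labels are this example's own choices. One thing worth keeping in mind when reading the ePO event in the first post: the Target Hash there is the MD5 of the 1192-byte .LNK itself (Target Name is the .LNK, Target File Size is 1192), so looking up that value alone says nothing about the attached PDF; the script therefore hashes the resolved target as well.

```powershell
# Added example, not part of the original thread. Run on the affected endpoint
# as the affected user (the Recent folder lives under that user's %APPDATA%).
# Assumes Windows PowerShell 5.1 or later so Get-FileHash is available.

$recent = Join-Path $env:APPDATA 'Microsoft\Office\Recent'
$shell  = New-Object -ComObject WScript.Shell

# Script hosts and LOLBins a document shortcut should never point at.
# Example's own list; extend it to taste.
$scriptHosts = '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'

Get-ChildItem -Path $recent -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Resolve the shortcut. Outlook-created entries point at the file that was
        # attached and carry no arguments; anything else deserves a closer look.
        $lnk          = $shell.CreateShortcut($_.FullName)
        $targetExists = ($lnk.TargetPath -ne '') -and (Test-Path -LiteralPath $lnk.TargetPath)
        $suspicious   = ($lnk.Arguments -ne '') -or ($lnk.TargetPath -match $scriptHosts)

        # Hash of the .LNK matches what ePO reports as Target Hash (MD5);
        # the target's hash is what you actually want to check against
        # VirusTotal or your allow list.
        $lnkMd5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        $targetSha256 = $null
        if ($targetExists) {
            $targetSha256 = (Get-FileHash -LiteralPath $lnk.TargetPath -Algorithm SHA256).Hash
        }

        $flag = 'benign-shortcut'
        if ($suspicious) { $flag = 'REVIEW' }

        [pscustomobject]@{
            Shortcut     = $_.Name
            Created      = $_.CreationTime
            SizeBytes    = $_.Length
            Target       = $lnk.TargetPath
            Arguments    = $lnk.Arguments
            TargetExists = $targetExists
            LnkMD5       = $lnkMd5
            TargetSHA256 = $targetSha256
            Flag         = $flag
        }
    } | Format-Table -AutoSize
```

If every row comes back as benign-shortcut with a Target that is the document named in the ePO event (minus the .LNK suffix), you have confirmed the false-positive pattern for that host without excluding the Recent path from scanning. Drop the final Format-Table and pipe to Export-Csv to collect results from many machines.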

bretzeli

Re: .LNK files, Suspicious Attachment!lnk


Please also check the following link regarding the MS update which addresses .LNK files.
