Reducing false positive from ENS

Jump to solution

Hi there.

For example, I'm a security analyst.

And I see these 24k alerts from "Web Control - Protect plug-in registry keys and values".

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\11991
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\11991
HKLM\SOFTWARE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\SITEADVISOR.MCAFEE.CHROME.EXTENSION\204
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ENABLE BROWSER EXTENSIONS\30
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXT\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\28
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXT\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\14
HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\JJKCHPDMJJDMALGEMBBLGAFLLBPCJLEI\4
HKLM\SOFTWARE\CLASSES\PROTOCOLS\HANDLER\DSSREQUEST\4
HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\SITEADVISOR.MCAFEE.CHROME.EXTENSION\4
HKLM\SOFTWARE\CLASSES\PROTOCOLS\HANDLER\SACORE\4

 

I'm 99% sure that this is a false positive. But the other 1% tells me that I need to check it before excluding. How do I check it? How do I understand what those registry keys are responsible for?

3 Replies
Reliable Contributor ninov_n
Message 2 of 4

Re: Reducing false positive from ENS

Hello,

I did some research and I found these registry keys in the following places:

 

Articles regarding first two keys:

https://kc.mcafee.com/corporate/index?page=content&id=KB67500

https://kc.mcafee.com/corporate/index?page=content&id=KB87208

 

Third one:

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho]
"path"="C:\\Program Files (x86)\\McAfee\\SiteAdvisor\\McChPlg.crx"
"version"="1.02.187.2"
"update_url"="http://clients2.google.com/service/update2/crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts]
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\siteadvisor.mcafee.chrome.extension]
@="C:\\Program Files (x86)\\McAfee\\SiteAdvisor\\siteadvisor.mcafee.chrome.extension.json"

source: https://portableapps.com/node/54110

 

Fourth:

https://support.microsoft.com/en-us/help/298931/how-to-disable-third-party-tool-bands-and-browser-he...

 

Fifth and sixth:

https://support.microsoft.com/en-my/help/883256/how-to-manage-internet-explorer-add-ons-in-windows-x...

https://kc.mcafee.com/corporate/index?page=content&id=KB79933

 

Seventh:

https://kc.mcafee.com/corporate/index?page=content&id=KB87568

 

Eighth:

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

source: https://community.mcafee.com/t5/VirusScan/Losing-a-bit-of-free-space-on-HDD-day-by-day-Is-this-relat...

 

Ninth:

Similar to 3rd one but in 64bit environment

 

Tenth:

https://community.mcafee.com/t5/WebAdvisor/SiteAdvisor-defect-causes-temporary-files-to-be-abandoned...

 

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
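As an added example (not code from the original thread or from McAfee), here is the check the question asks for: a PowerShell script that takes the ten alerted paths, resolves each to the key or value it names and to the file behind it (the COM server DLL for the {GUID} entries and protocol handlers, the .crx for the Chrome extension entry, and the native-messaging host executable via its JSON manifest), and runs Get-AuthenticodeSignature on that file. It assumes the trailing number on each alert line is the per-key alert count rather than part of the path (the ten numbers add up to roughly 24k, which matches the thread) and that it is run in an elevated PowerShell on a host that raised the alerts.

```powershell
# Added example, not code from the original thread. Given the ten alerted paths, resolve each
# to the key or value it names and to the binary behind it, then check that binary's
# Authenticode signature. Run in an elevated PowerShell on a host that raised the alerts.
# Assumption: the trailing number on each alert line (\11991, \204, ...) is the per-key alert
# count rather than part of the path; the ten numbers sum to about 24k, matching the thread.

$AlertLines = @'
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\11991
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\11991
HKLM\SOFTWARE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\SITEADVISOR.MCAFEE.CHROME.EXTENSION\204
HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ENABLE BROWSER EXTENSIONS\30
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXT\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\28
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXT\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\14
HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\JJKCHPDMJJDMALGEMBBLGAFLLBPCJLEI\4
HKLM\SOFTWARE\CLASSES\PROTOCOLS\HANDLER\DSSREQUEST\4
HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\SITEADVISOR.MCAFEE.CHROME.EXTENSION\4
HKLM\SOFTWARE\CLASSES\PROTOCOLS\HANDLER\SACORE\4
'@ -split "`r?`n" | Where-Object { $_.Trim() }

function ConvertTo-ProviderPath {
    param([string]$AlertLine)
    # Drop the trailing count and turn the hive abbreviation into a registry provider path.
    ($AlertLine -replace '\\\d+$', '') -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
}

function Get-ClsidServer {
    param([string]$Clsid)
    # The GUIDs in Ext\Settings, Policies\Ext\CLSID and Protocols\Handler are COM classes;
    # the DLL that implements one is the default value of CLSID\{GUID}\InprocServer32.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $p = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $p) {
            $dll = (Get-ItemProperty -Path $p).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
}

function Get-BackingFile {
    param([string]$RegPath)
    # Map a key to the file it points at:
    #   leaf is a {GUID}          -> COM server DLL via InprocServer32
    #   Chrome\Extensions\<id>    -> "path" value (.crx)
    #   NativeMessagingHosts\<n>  -> default value (.json manifest) -> its "path" (host exe)
    #   Protocols\Handler\<name>  -> "CLSID" value -> COM server DLL
    $leaf = Split-Path -Leaf $RegPath
    if ($leaf -match '^\{[0-9A-F-]{36}\}$') { return Get-ClsidServer $leaf }
    if (-not (Test-Path $RegPath)) { return $null }
    $props = Get-ItemProperty -Path $RegPath
    if ($RegPath -match '\\CHROME\\EXTENSIONS\\') { return $props.path }
    if ($RegPath -match '\\NATIVEMESSAGINGHOSTS\\') {
        $manifest = $props.'(default)'
        if ($manifest -and (Test-Path $manifest)) {
            # The .json manifest is not Authenticode-signed; the host executable it names is.
            return (Get-Content -Raw $manifest | ConvertFrom-Json).path
        }
        return $manifest
    }
    if ($RegPath -match '\\PROTOCOLS\\HANDLER\\' -and $props.CLSID) { return Get-ClsidServer $props.CLSID }
}

function Get-RegistryTargetKind {
    param([string]$RegPath)
    # An alert line can name a key or a value ("Enable Browser Extensions" is a value under Main).
    if (Test-Path $RegPath) { return 'key' }
    $parent = Split-Path -Parent $RegPath
    $name   = Split-Path -Leaf $RegPath
    if ((Test-Path $parent) -and ((Get-Item $parent).GetValueNames() -contains $name)) { return 'value' }
    'missing'
}

$report = foreach ($line in $AlertLines) {
    $regPath = ConvertTo-ProviderPath $line
    $file    = Get-BackingFile $regPath
    $sig     = if ($file -and (Test-Path $file)) { Get-AuthenticodeSignature -FilePath $file }
    [pscustomobject]@{
        Key    = $regPath
        Kind   = Get-RegistryTargetKind $regPath
        File   = $file
        Status = if ($sig) { $sig.Status } else { 'n/a' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
}
$report | Format-Table -AutoSize -Wrap
```

For a genuine false positive, every resolved file should exist under the vendor's install directory and carry a Valid signature from that vendor; a key whose backing file is missing, unsigned, or sitting somewhere else is the 1% worth investigating before any exclusion is written. Where an exclusion is warranted, scoping it to the signed process that writes these keys is narrower than excluding the keys themselves, since a key exclusion also covers any other process that later tampers with the same plug-in registration.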

Re: Reducing false positive from ENS

Cool, thank you! To be honest, I thought nobody would answer, hehe.

Some of this information I found too. 

Do you know if there is any wiki or encyclopedia covering all Windows registry keys?

Reliable Contributor ninov_n
Message 4 of 4

Re: Reducing false positive from ENS

Hi,

Unfortunately I am not aware of any full database, and Microsoft probably does not want to share one.

I found these resources which could be helpful, or at least a starting point:

Forensicswiki:

https://www.forensicswiki.org/wiki/Windows_Registry#Internet_Explorer

Public version of Microsoft Windows Registry Guide:

https://the-eye.eu/public/Books/IT%20Various/Microsoft%20Windows%20Registry%20Guide%2C%202nd%20Editi...

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino