We get TIE/ATP alerts that include information like this:
Threat Name: ATP/Suspect!5758be09c8d6
Offending File: SP2EUP.EXE
Source Process: C:\WINDOWS\SPLWOW64.EXE
This is a Sharp printer driver. I look up the file in the TIE Reputations and change it to "Known Trusted", but we'll continue to get DAC blocks unless we add a policy exclusion. What I have discovered is that ATP is also rating all the DLLs loaded with the PE32 file. So when I look in debug mode, I also see these files with an unknown reputation:
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EU.DLL reputation 50
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUD.DLL reputation 50
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.DLL reputation 50
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUSR.DLL reputation 50
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUPV7.DLL reputation 50
So I have to go back into the TIE Reputations and also update these DLLs as "Known Trusted" (or whatever reputation setting I want) so the PE32 is then allowed to execute outside of DAC. Is there a setting somewhere, or is this DLL blocking information available without having to turn on DEBUG mode on the endpoint client?
I'm only getting that the EXE is contained when it's the DLL reputations that are responsible for the EXE containment.
We have the same problem with around 50 files out of 120'000. That does not seem like a lot, but it is exactly a major app for an enterprise customer which changes every two weeks.
It's a really large application used in healthcare worldwide, but it seems to deploy with a ClickOnce installer so updates don't have to go through change and release management.
Yes, you are correct: for those files we need to exclude them from the DAC module with the alert we see, like "JTI/*******", hard-coded. Even when all of those files are set to Enterprise Trust manually.
If that does not work, we have to exclude the directory or the EXE from scanning altogether.
Yes, you are right, that's complicated and costs a lot of troubleshooting, and our customer a lot of time and money.
Yeah I know I'm in trouble when I see this:
08/16/2017 10:01:01.267 PM mfeatp(2112.5076) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1
08/16/2017 10:01:01.436 PM mfeatp(2112.7396) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 0 final 0 result 0x40300001 flags 0x0000000000000000 type: 1 connectivity: 0
08/16/2017 10:01:01.437 PM mfeatp(2112.7396) <SYSTEM> Orchestrator.Action.Debug: Non actionable reputation score(0) recieved for C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE
So I don't know if it is a comms thing, but it just overrode what it isn't supposed to be able to override: my enterprise reputation score.
Here's the other lines bretzeli is talking about:
08/16/2017 04:23:45.555 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1
08/16/2017 04:23:45.721 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE JTI reputation 15 rule 234 threat name JTI/Suspect!65770 , JCM reputation 15, IsFinal 0
08/16/2017 04:23:45.722 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE
08/16/2017 04:23:45.962 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.DACSC.Activity: Application [C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE] with reputation 15 is contained by DAC Scanner
It just ignores my enterprise reputation. Maybe this is to stop injection-type attacks, which I totally get, but dang man, tell me why and what files so I can whitelist my good DLLs.
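The debug lines quoted in this thread carry everything needed to answer "why was this EXE contained": the TIE/JCM reputation the server returned, the JTI rule that lowered it, the connectivity state of the lookup, and the final DAC containment score. The script below is an added example (not McAfee's tooling and not from either poster) that parses those mfeatp debug lines, builds a per-file record, and flags the three situations discussed above: a containment score lower than the reputation TIE returned, a JTI rule overriding it, and a "reputation 0" result arriving with connectivity 0 (the possible comms problem). The sample log is constructed from the lines quoted in the thread; the bare `<dll> reputation 50` lines reproduce the abbreviated form the original poster pasted, and the regular expressions are written against exactly those quoted formats, so other mfeatp line types are skipped.

```python
import re
from collections import defaultdict

# TIE reputation levels as labelled in the TIE Reputations console; the values quoted in the
# thread (99 Known Trusted, 50 Unknown, 15 Most Likely Malicious) follow this scale.
TIE_LEVELS = {99: "Known Trusted", 85: "Most Likely Trusted", 70: "Might Be Trusted",
              50: "Unknown", 30: "Might Be Malicious", 15: "Most Likely Malicious",
              1: "Known Malicious", 0: "Not Set"}

# Constructed sample: the mfeatp debug lines quoted in the thread plus two of the
# abbreviated "<module> reputation 50" lines for the driver's DLLs.
SAMPLE_LOG = r"""
08/16/2017 10:01:01.267 PM mfeatp(2112.5076) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1
08/16/2017 10:01:01.436 PM mfeatp(2112.7396) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 0 final 0 result 0x40300001 flags 0x0000000000000000 type: 1 connectivity: 0
08/16/2017 10:01:01.437 PM mfeatp(2112.7396) <SYSTEM> Orchestrator.Action.Debug: Non actionable reputation score(0) recieved for C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE
08/16/2017 04:23:45.555 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1
08/16/2017 04:23:45.721 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE JTI reputation 15 rule 234 threat name JTI/Suspect!65770 , JCM reputation 15, IsFinal 0
08/16/2017 04:23:45.722 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE
08/16/2017 04:23:45.962 PM mfeatp(2608.7416) <SYSTEM> Orchestrator.DACSC.Activity: Application [C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE] with reputation 15 is contained by DAC Scanner
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EU.DLL reputation 50
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUD.DLL reputation 50
"""

# Patterns written against the exact line formats quoted in the thread.
JCM_RE = re.compile(r"Orchestrator\.JCM\.Debug: Process (?P<path>\S+) reputation (?P<rep>\d+) "
                    r"final \d+ result (?P<result>0x[0-9A-Fa-f]+) .*connectivity: (?P<conn>\d)")
JTI_RE = re.compile(r"Orchestrator\.JTI\.Debug: Process (?P<path>\S+) JTI reputation (?P<rep>\d+) "
                    r"rule (?P<rule>\d+) threat name (?P<threat>\S+) , JCM reputation \d+, IsFinal \d")
DAC_RE = re.compile(r"Orchestrator\.DACSC\.Activity: Application \[(?P<path>[^\]]+)\] "
                    r"with reputation (?P<rep>\d+) is contained by DAC Scanner")
# The product log spells it "recieved"; accept both spellings.
NONACT_RE = re.compile(r"Non actionable reputation score\((?P<rep>\d+)\) rec(?:ie|ei)ved for (?P<path>\S+)")
BARE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) reputation (?P<rep>\d+)$")


def tie_level_name(rep):
    """Label for a numeric TIE reputation ("Unrated" for values between the defined levels)."""
    return TIE_LEVELS.get(rep, "Unrated")


def new_record():
    return {"jcm": [], "jti": None, "contained_at": None, "non_actionable": False,
            "offline": False, "module_rep": None, "findings": []}


def assess(rec):
    """Turn one file's record into the findings a triager wants to see."""
    findings = []
    best_jcm = max(rec["jcm"], default=None)
    if rec["contained_at"] is not None and best_jcm is not None and best_jcm > rec["contained_at"]:
        findings.append(f"contained at {rec['contained_at']} ({tie_level_name(rec['contained_at'])}) "
                        f"although TIE returned {best_jcm} ({tie_level_name(best_jcm)})")
    if rec["jti"]:
        j = rec["jti"]
        findings.append(f"JTI rule {j['rule']} ({j['threat']}) set reputation to {j['rep']}")
    if rec["non_actionable"] and rec["offline"]:
        findings.append("reputation 0 arrived with connectivity 0 and a non-zero result code: "
                        "the TIE lookup did not complete (possible comms problem)")
    if rec["module_rep"] is not None and rec["module_rep"] <= 50:
        findings.append(f"loaded module rated {rec['module_rep']} ({tie_level_name(rec['module_rep'])}); "
                        "review it in TIE Reputations, it can pull the parent EXE into DAC")
    return findings


def summarize(log_text):
    """Parse mfeatp debug lines into {path: record}; unknown line types are skipped."""
    files = defaultdict(new_record)
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := JCM_RE.search(line)):
            rec = files[m["path"].upper()]
            rec["jcm"].append(int(m["rep"]))
            # connectivity 0 or a non-zero result means the server lookup did not succeed
            if m["conn"] == "0" or int(m["result"], 16) != 0:
                rec["offline"] = True
        elif (m := JTI_RE.search(line)):
            files[m["path"].upper()]["jti"] = {"rep": int(m["rep"]), "rule": int(m["rule"]),
                                               "threat": m["threat"]}
        elif (m := DAC_RE.search(line)):
            files[m["path"].upper()]["contained_at"] = int(m["rep"])
        elif (m := NONACT_RE.search(line)):
            files[m["path"].upper()]["non_actionable"] = True
        elif (m := BARE_RE.match(line)):
            files[m["path"].upper()]["module_rep"] = int(m["rep"])
    for rec in files.values():
        rec["findings"] = assess(rec)
    return dict(files)


if __name__ == "__main__":
    for path, rec in summarize(SAMPLE_LOG).items():
        print(path)
        for finding in rec["findings"]:
            print("  -", finding)
```

Run against a real export of the ATP debug log, the output lists each file that was contained together with the JTI rule and the module reputations behind it, which is the information the original poster wanted without reading the raw debug output by hand. The thresholds and level names are the TIE scale; the decision of which modules to mark as trusted in TIE Reputations stays with the administrator.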