|Action:||Run External Command|
|Details:||Command completed [Event Type: epoThreatEvent] [Command: Python27 C:\Python27\convicter.py BF1A386C-2335-11E6-0C49-00221503D1F0 "D:\DOWNLOADS\TIESAMPLES\ARTEMIS-UNKNOWN-ALLSL.EXE" 5 2] [Return Code: 0] [Output: Process exited normally.]|
There are often two troubles:
- the user account used for the registered executable has to log on at least one time in Windows
- UAC must be disabled.
Take a look at the Windows application log to see if there is an entry where Python crashes.
Thanks for the answer.
The user is local admin and he has logged on to the ePO server.
UAC is disabled.
In the application log Python crashes! Do you know why?
Faulting application name: python.exe, version: 0.0.0.0, time stamp: 0x4f84a6c8
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18233, time stamp: 0x56bb4e1d
Exception code: 0xc0000142
Fault offset: 0x0009d3c2
Faulting process id: 0x7f8
Faulting application start time: 0x01d212617e1cb417
Faulting application path: c:\python\python.exe
Faulting module path: KERNELBASE.dll
Report Id: bbdeb000-7e54-11e6-80c8-00505698d94d
Faulting package full name:
Faulting package-relative application ID:
Does the user used for the registered executable have a locally stored profile and the access right "Log on as a batch job"?
First of all, this is a really nice usage of several ePO and TIE features. Thank you for the idea. My question is whether there is a chance to automate the conviction without displaying the user notification. In many environments these notifications are not acceptable; on the other hand, the added value of conviction is much desired.
Script is great, shows the potential of TIE and ePO API in a very good way.
Could you put this to github? There is a lot of potential in improving this through community effort, which is hard to achieve in these forums.
Well, I have doubts about whether this would be any help these days....
* Main GOAL and business driver would be to prevent ransomware
* TIE will have its sets and IF unsure will ASK the ATD sandbox
Whenever we had malicious code which dropped through an "Other Brand" IPS/SPAM filter, we did check any of those files and loader files in VirusTotal. None of them, due to 0-day, were detected at the time the malicious code hit our customer infrastructure.
So AVOIDING the pricey sandbox by using the VirusTotal API and some scripts may not be the solution.
If VirusTotal sees no MALWARE and then, BASED on that, you set the file to RUN, you did it all for nothing?
You can still use this option as an additional source for your rating, but I doubt you should use it to decide automatically whether a file should run or not.
By the way, the last 12 pieces of code we analysed in different sandboxes all turned via scripts, CMD.EXE or PowerShell and with stuff like embedded OLE objects.
The ATD does not click on the embedded object in Winword, and it passed it. Same goes for the Fortinet sandbox.
When can we see the RESTLY file extension formats integrated in TIE<>ATD together? Anybody have a date?
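The concern raised above, that a clean VirusTotal result says nothing about a zero-day sample, is illustrated by the following added example. It is not the convicter.py script from this thread; it is a conservative rating policy of my own that only ever returns "known_malicious" or "unknown" from a VirusTotal-style report, so a lack of detections never turns into an automatic "allow". The report format and the engine names are constructed for the example.

```python
import json
from typing import Dict, Tuple

# Constructed VirusTotal-style file report (not a real lookup): engine -> verdict.
SAMPLE_REPORT_JSON = '''{
  "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
  "scans": {
    "EngineA": {"detected": true,  "result": "Trojan.Generic"},
    "EngineB": {"detected": true,  "result": "Ransom.Locky"},
    "EngineC": {"detected": false, "result": null},
    "EngineD": {"detected": true,  "result": "Malware.Heuristic"},
    "EngineE": {"detected": false, "result": null}
  }
}'''

# Assumed labels, modelled loosely on the TIE reputation scale. There is
# deliberately no "trusted" label: VT cannot prove a file clean.
MALICIOUS = "known_malicious"
UNKNOWN = "unknown"


def count_detections(report: Dict) -> Tuple[int, int]:
    """Return (detections, engines) from a VT-style 'scans' dictionary."""
    scans = report.get("scans", {})
    detected = sum(1 for s in scans.values() if s.get("detected"))
    return detected, len(scans)


def rate_from_vt(report: Dict, min_detections: int = 3, min_engines: int = 5) -> str:
    """Convict only on a clear multi-engine consensus.

    A clean or thin result yields UNKNOWN, never an allow verdict, because a
    zero-day sample is expected to have zero detections at first sight; the
    decision is left to the sandbox or the analyst.
    """
    detected, engines = count_detections(report)
    if engines < min_engines:
        return UNKNOWN  # too few engines have seen the file to say anything
    if detected >= min_detections:
        return MALICIOUS
    return UNKNOWN


def rate_from_json(text: str, **kwargs) -> str:
    """Convenience wrapper for a raw JSON report string."""
    return rate_from_vt(json.loads(text), **kwargs)
```

Only the "known_malicious" outcome would be fed back to TIE as a conviction; every "unknown" file keeps its existing reputation.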