
Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

User Name:system
Priority:Medium
Action:Run External Command
Details:Command completed [Event Type: epoThreatEvent] [Command: Python27 C:\Python27\convicter.py BF1A386C-2335-11E6-0C49-00221503D1F0 "D:\DOWNLOADS\TIESAMPLES\ARTEMIS-UNKNOWN-ALLSL.EXE" 5 2] [Return Code: 0] [Output: Process exited normally.]
Success:Succeeded

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

I have the same problem as sergey.obidin: the audit logs are OK but the script is not launched. Any ideas?

Thanks.

Reliable Contributor
Message 43 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi all,

There are often two troubles:

- the user account used for the registered executable has to log on at least once in Windows

- UAC must be disabled.

Take a look at the Windows application log to see if there is an entry where Python crashes.


Cheers


Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Thanks for the answer.

The user is local admin and has logged on to the ePO server.

UAC is disabled.

In the application log, Python crashes! Do you know why?

Faulting application name: python.exe, version: 0.0.0.0, time stamp: 0x4f84a6c8

Faulting module name: KERNELBASE.dll, version: 6.3.9600.18233, time stamp: 0x56bb4e1d

Exception code: 0xc0000142

Fault offset: 0x0009d3c2

Faulting process id: 0x7f8

Faulting application start time: 0x01d212617e1cb417

Faulting application path: c:\python\python.exe

Faulting module path: KERNELBASE.dll

Report Id: bbdeb000-7e54-11e6-80c8-00505698d94d

Faulting package full name:

Faulting package-relative application ID:
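The Application-log text quoted above is the body of a Windows "Application Error" event (Event ID 1000). As an added example, written for this page and not part of the thread or of the Convicter script, the Python below parses such an entry into named fields and decodes the NTSTATUS exception code. The sample text is constructed from the values in the post above; the code-name table is deliberately limited to a handful of well-known NTSTATUS values. Exception code 0xC0000142 is STATUS_DLL_INIT_FAILED: a DLL's initialisation failed while the process was starting, which is commonly seen when a process is launched in a session without access to an interactive window station or desktop, a condition worth checking whenever a registered executable runs under a service-style account.

```python
import re

# Constructed sample: an Event ID 1000 body with the values from the post above.
SAMPLE_EVENT = r"""Faulting application name: python.exe, version: 0.0.0.0, time stamp: 0x4f84a6c8
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18233, time stamp: 0x56bb4e1d
Exception code: 0xc0000142
Fault offset: 0x0009d3c2
Faulting process id: 0x7f8
Faulting application start time: 0x01d212617e1cb417
Faulting application path: c:\python\python.exe
Faulting module path: KERNELBASE.dll
Report Id: bbdeb000-7e54-11e6-80c8-00505698d94d
Faulting package full name:
Faulting package-relative application ID:
"""

# A few NTSTATUS codes that show up in Application Error events.
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",   # DllMain failed during process start
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Top two bits of an NTSTATUS value are the severity.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def parse_fault_event(text):
    """Turn the 'Key: value' lines of an Application Error body into a dict.

    The 'name' lines carry nested 'version' and 'time stamp' fields after
    commas; those are lifted into their own keys. Empty values become None.
    """
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.endswith(" name") and ", version:" in value:
            prefix = key[: -len(" name")]           # "Faulting application" / "Faulting module"
            name, *rest = value.split(", ")
            fields[key] = name
            for item in rest:
                sub_key, _, sub_val = item.partition(":")
                fields[f"{prefix} {sub_key.strip()}"] = sub_val.strip()
        else:
            fields[key] = value or None
    return fields


def describe_exception(code_text):
    """Decode an exception code such as '0xc0000142' into (int, name, severity)."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{1,8}", code_text):
        raise ValueError(f"not a hex exception code: {code_text!r}")
    code = int(code_text, 16)
    return code, NTSTATUS_NAMES.get(code, "unrecognised code"), SEVERITY[code >> 30]


def summarize(text):
    """Return the fields a responder looks at first when triaging the crash."""
    f = parse_fault_event(text)
    code, name, severity = describe_exception(f["Exception code"])
    return {
        "process": f["Faulting application path"],
        "module": f["Faulting module name"],
        "code": f"0x{code:08X}",
        "name": name,
        "severity": severity,
        "report_id": f["Report Id"],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_EVENT).items():
        print(f"{k:>10}: {v}")
```

Decoding the code only names the failure class; confirming why the DLL initialisation failed still means comparing the account, session and desktop the registered executable actually runs in against an interactive run of the same command line.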

Reliable Contributor
Message 45 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

Does the user used for the registered executable have a locally stored profile and the access right "logon as a batch job"?

Cheers

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Yes, it is the same user (local admin with the "logon as a batch job" privilege).


Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

First of all, this is a really nice usage of several ePO and TIE features. Thank you for the idea. My question is whether there is a chance to automate the conviction without displaying the user notification. In many environments these notifications are not acceptable; on the other hand, the added value of conviction is much desired.

Reliable Contributor
Message 48 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

What user notification do you mean? A notification by the TIE Module for VSE or the Threat Intelligence Module for ENS?

You can configure it to show no message to the user.

EPO queries VT based on TIE!Suspect Events.

Finally, you can use this cool stuff without any info to the user.

Cheers


Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Script is great, shows the potential of TIE and ePO API in a very good way.

Could you put this to github? There is a lot of potential in improving this through community effort, which is hard to achieve in these forums.

Reliable Contributor
Message 50 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Well, I have doubts whether this would be any help these days....

* Main GOAL and business driver would be to prevent ransomware

* TIE will have its sets and IF unsure will ASK the ATD sandbox

Whenever we had malicious code which got through an "other brand" IPS/spam filter, we checked those files and loader files in VirusTotal. Due to 0-day, none of them were detected at the time the malicious code hit our customer infrastructure.

So avoiding the pricey sandbox by using the VirusTotal API and some scripts may not be the solution.

If VirusTotal sees no malware and, based on that, you set the file to run, you did all of this for nothing?

You can still use this option as an additional source for your rating, but I doubt you should use it to decide automatically whether a file should run or not.

By the way, the last 12 pieces of code we analysed in different sandboxes all ran via scripts, CMD.EXE or PowerShell and with stuff like embedded OLE objects.

The ATD does not click on the embedded object in WinWord and it passed it. Same goes for the Fortinet sandbox.

When can we see the RESTLY file extension formats integrated in TIE<>ATD together? Anybody have a date?

All agree?