I am running ENS 10.7 with ATP/TIE and DXL. We are seeing that some of our internally developed PowerShell scripts are being detected as "Known Malicious" by ATP and heuristics. My question is this, please:
We have tried to add folder/file exclusions to our OAS policy, but that did not exclude the PowerShell file from being detected.
Would it be possible to add the PowerShell script to TIE based on hash values and then set the reputation to Known Trusted? Would this local setting then take precedence?
The PowerShell scripts do not presently exist in the local TIE database, but they are being detected as Known Malicious.
The "Description" info states: Adaptive Threat Protection would have repaired C:\Folder1\File.PS1 based on its reputation (Known Malicious), but didn't because Observe mode is enabled.
Interestingly enough, the final action is listed as: Adaptive Threat Protection Would Clean even though my DAC Policy is set to "Balanced Enabled" and my Options Policy is set to “Clean when reputation threshold reaches: Known Malicious.”
Analyzer Detection Method: Real Protect Client
Event Category: Malware detected using heuristics
Action Taken: Adaptive Threat Protection Would Clean.
Glad to talk to you again! Thank you for your very detailed post. May I request a sample detection name? While adding scripts to the TIE reputation page and marking them as Known Trusted may not work for AMSI events, I have not tried it for a Real Protect event.
Excluding them from OAS may not be helpful as OAS can either exclude a process from being scanned or a file from being scanned when a process touches it.
Scripts, on the other hand, are files that are handled by script scanning technologies in the product, and we cannot exclude script interpreters from the OAS scanner.
We need to understand what part of the script is exactly triggering this detection. Can you help us with any more description of the event? Do you see any Rule ID mentioned in the event?
While you could generate a hash and store a reputation within TIE server for that hash, the current implementations of ENS ATP would only ever query TIE server for reputations on PE files. This means the .PS1 script you are working with would never actually be evaluated for reputation against TIE.
It seems like this is being detected by the RealProtect module of ENS. I would advise reaching out to that team for assistance in bypassing the detection.
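The reply above says ATP only asks TIE for reputations on PE files, so a hash override for a .PS1 will never be consulted. The following PowerShell is an added triage example, not code from the thread or from McAfee/Trellix: it computes the file hashes and checks each candidate for a valid PE header (MZ stub plus PE\0\0 signature), so you can see up front whether a TIE reputation override could apply to it. The assumption that TIE keys reputations on MD5, SHA-1 and SHA-256 is mine; the function names and the notepad.exe sample path are constructed for the demonstration.

```powershell
# Added example (not from the original thread or vendor documentation).
# Hash each candidate file and test whether it is a PE image, i.e. a file
# ATP would actually look up in TIE rather than hand to script scanning.

function Test-IsPeImage {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Too small to hold a DOS header (e_lfanew lives at offset 0x3C)
    if ($bytes.Length -lt 0x40) { return $false }
    # DOS stub must start with 'MZ'
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    # e_lfanew points to the 'PE\0\0' signature; bounds-check before reading
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 4) -gt $bytes.Length) { return $false }
    return ($bytes[$peOffset]     -eq 0x50 -and
            $bytes[$peOffset + 1] -eq 0x45 -and
            $bytes[$peOffset + 2] -eq 0x00 -and
            $bytes[$peOffset + 3] -eq 0x00)
}

function Get-TieCandidateInfo {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p
        $isPe = Test-IsPeImage -Path $item.FullName
        [pscustomobject]@{
            Path      = $item.FullName
            # Assumption: TIE keys reputations on these three digests
            MD5       = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash
            SHA1      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA1).Hash
            SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            IsPE      = $isPe
            TieLookup = if ($isPe) {
                'yes: PE file, ATP will query TIE for this hash'
            } else {
                'no: script/non-PE, a TIE reputation override will not be consulted'
            }
        }
    }
}

# Usage (constructed inputs): the flagged script from the thread next to a
# known PE for contrast. Replace with the files you are triaging.
Get-TieCandidateInfo -Path 'C:\Folder1\File.PS1', "$env:SystemRoot\System32\notepad.exe" |
    Format-List
```

Run it against the script ATP flagged: a .PS1 will report IsPE = False, which is the concrete reason a Known Trusted entry in TIE will not change the outcome, while the hashes are still useful if you need to reference the exact file in a support case.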