
Powershell Scripts and ATP

Hello

I am running ENS 107 with ATP /TIE and DXL. We are seeing that some of our internally developed PowerShell Scripts are being detected as “Known Malicious” by ATP and heuristics. My question is this please:

We have tried to add folder / file exclusions to our OAS Policy…that did not exclude the PowerShell file from being detected.

Would it be possible to add the Powershell script to TIE based on Hash Values and then set the reputation to Known Trusted? Would this local setting then take precedence?


The PowerShell scripts do not presently exist in the local TIE database, but they are being detected as Known Malicious.

The “Description” info states: Adaptive Threat Protection would have repaired C:\Folder1\File.PS1 based on its reputation (Known Malicious), but didn't because Observe mode is enabled.

Interestingly enough, the final action is listed as: Adaptive Threat Protection Would Clean even though my DAC Policy is set to "Balanced Enabled" and my Options Policy is set to “Clean when reputation threshold reaches: Known Malicious.”


Analyzer Detection Method:   Real Protect Client

Event Category: Malware detected using heuristics

Action Taken:  Adaptive Threat Protection Would Clean.

Thank you very much.

2 Replies
AdithyanT
McAfee Employee

Re: Powershell Scripts and ATP

Hi @Glenn_Bolton,

Glad to talk to you again! Thank you for your very detailed post. May I request you for a sample detection name? While adding scripts to TIE reputation page and marking it as known trusted may not work for AMSI events, I have not tried it for RealProtect Event.

Excluding them from OAS may not be helpful as OAS can either exclude a process from being scanned or a file from being scanned when a process touches it.

Scripts on the other hand are files that are handled by script scanning technologies in the product and we cannot exclude script interpreters from the OAS scanner.

We need to understand what part of the script is exactly triggering this detection. Can you help us with any more description of the event? Do you see any Rule ID mentioned in the Event?


Thanks and regards,
Adithyan T
bbarnes
McAfee Employee

Re: Powershell Scripts and ATP

Hello Glenn_Bolton,

While you could generate a hash and store a reputation within TIE server for that hash, the current implementations of ENS ATP would only ever query TIE server for reputations on PE files. Meaning the PS1 script you are working with would never actually be evaluated for reputation against TIE.

It seems like this is being detected by the RealProtect module of ENS. I would advise reaching out to that team for assistance in bypassing the detection.

Thanks

Brian
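The point in Brian's reply is that ENS ATP only consults TIE for PE files, so a reputation stored against a .ps1 hash is never looked up. The script below is an added example (not from this thread and not McAfee's own tooling) that a defender can run before entering hashes into TIE: it checks whether a file is actually a PE image (DOS "MZ" stub plus "PE\0\0" signature at the e_lfanew offset) and reports the SHA-256 and SHA-1 values alongside. The `TieQueried` field, the function names and the constructed sample files are assumptions for illustration; the rule it encodes is the one stated in the reply.

```powershell
# Added example, not from the thread or from McAfee. It applies the reply's
# rule that ENS ATP queries TIE for reputations on PE files only, so it helps
# decide whether registering a hash in TIE can influence an ATP verdict at all.

function Test-PeFile {
    # Returns $true when the file has a DOS "MZ" stub and a "PE\0\0" signature
    # at the offset stored in e_lfanew (bytes 0x3C..0x3F), i.e. it is a PE image.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40) { return $false }
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 4) -gt $bytes.Length) { return $false }
    return ($bytes[$peOffset]     -eq 0x50 -and $bytes[$peOffset + 1] -eq 0x45 -and
            $bytes[$peOffset + 2] -eq 0x00 -and $bytes[$peOffset + 3] -eq 0x00)
}

function Get-TieCandidate {
    # Reports the file's hashes and whether a TIE reputation on them could
    # affect ATP. TieQueried is an assumption taken from the reply above:
    # only PE files are evaluated against TIE, scripts are not.
    param([Parameter(Mandatory)][string]$Path)
    $isPe = Test-PeFile -Path $Path
    [pscustomobject]@{
        Path       = $Path
        IsPe       = $isPe
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Sha1       = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
        TieQueried = $isPe
        Note       = if ($isPe) { 'Hash reputation in TIE can apply' }
                     else       { 'Script: ATP will not consult TIE for this file' }
    }
}

# Constructed sample input (not real data): a harmless .ps1 and a minimal
# 0x44-byte buffer that carries only the MZ stub and PE signature.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'tie-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$script = Join-Path $dir 'Get-RunningServices.ps1'
Set-Content -Path $script -Value 'Get-Service | Where-Object Status -eq Running'

$fakePe = Join-Path $dir 'sample.exe'
$hdr = New-Object byte[] 0x44
$hdr[0] = 0x4D; $hdr[1] = 0x5A                              # "MZ"
[System.BitConverter]::GetBytes([int]0x40).CopyTo($hdr, 0x3C)  # e_lfanew = 0x40
$hdr[0x40] = 0x50; $hdr[0x41] = 0x45                        # "PE\0\0"
[System.IO.File]::WriteAllBytes($fakePe, $hdr)

Get-TieCandidate -Path $script | Format-List
Get-TieCandidate -Path $fakePe | Format-List
```

Run it against the real script path from the ATP event (for example the C:\Folder1\File.PS1 shown in the description) and it will report `IsPe = False`, which matches why the TIE approach in the question would not change the Real Protect verdict; the hashes are still useful to quote when you open the case with the RealProtect team.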
