hbss_admin
Level 9

How to make an exception for *.vbs files

We have numerous systems that use C:\Windows\system32\cscript.exe to run *.vbs scripts used for system maintenance. The *.vbs files get flagged by VSE threat name "Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder" because the files run from a temp folder.

I don't want to exclude cscript.exe because of the obvious risks.

Is it possible to make exclusions in VSE based on "Threat Target File Path:" field (i.e. for specific *.vbs script names)? I can't seem to find a way to do it.

PG

0 Kudos
11 Replies
Don_Martin
Level 11

Re: How to make an exception for *.vbs files

Hello,

Why don't you try a definition from this article? https://kc.mcafee.com/corporate/index?page=content&id=KB55139

I'm not sure if the policy "Deny execution of Files from Temp" will be outlined in this case, but in a test environment I would give it a shot.

0 Kudos
mjmurra
Level 12

Re: How to make an exception for *.vbs files

I can't think of any way to do it natively. You either exclude cscript for all files from temp, or block it.

0 Kudos
rmetzger
Level 14

Re: How to make an exception for *.vbs files

hbss_admin wrote:

We have numerous systems that use C:\Windows\system32\cscript.exe to run *.vbs scripts used for system maintenance.  The *.vbs files get flagged by VSE threat name "Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder" because the files run from a temp folder.

I don't want to exclude cscript.exe because of the obvious risks.

Is it possible to make exclusions in VSE based on "Threat Target File Path:" field (i.e. for specific *.vbs script names)? I can't seem to find a way to do it.

Hi hbss_admin:

Well, it can be done but is highly discouraged as this would open the systems up to a great deal of malware.

**\mysoftware\*.vbs could be done.

A better approach would be to implement High-risk / Low-risk Processes and do the exclusion within the Low-risk processes. This will limit your exposure to just those processes / applications you define, yet maintains default or high-risk checks on all other processes, maintaining proper security as suggested in the Best Practices Guide for VSE 8.8.

Hope this is helpful.

Ron Metzger

0 Kudos
youngpae
Level 8

Re: How to make an exception for *.vbs files

@rmetzger

I have a question on your answer... I thought that you can only add <ProcessName.exe> or <full or partial path>\<processname>.exe on the Inclusion or exclusion for AP rules.

so are you saying we can add <FolderName>\ABC*.vbs on the AP Process Exclusion section???

I have a similar situation where a legitimate piece of software tries to create C:\Windows\Temp\RADxxxx.tmp (a VBScript file but with a .tmp extension) and execute it with CSCRIPT.EXE, and we have 1.5 million records per month.

I am also wondering if adding C:\Windows\Temp\RAD*.tmp to the High Risk OAS Exclusions would help or not. (CScript.exe is listed on High Risk OAS)

In the worst case, I was thinking about having a query called "False Positive events - Cannot be excluded" (with the Target File Path C:\Windows\Temp\RAD*.tmp) and create Server Task to run the query and purge it every day...

Thanks,

Young-

0 Kudos
rmetzger
Level 14

Re: How to make an exception for *.vbs files

youngpae wrote:

@rmetzger

I have a question on your answer... I thought that you can only add <ProcessName.exe> or <full or partial path>\<processname>.exe on the Inclusion or exclusion for AP rules.

so are you saying we can add <FolderName>\ABC*.vbs on the AP Process Exclusion section???

Yes, the very point of High/Low Risk Process Policies is to minimize the exclusions (openings or security holes) to specific processes, leaving every other process without the exclusions (openings or security holes).

I would suggest a thorough read of:

McAfee KnowledgeBase - Understanding High-Risk, Low-Risk, and Default processes configuration and us...

McAfee KnowledgeBase - Understanding Exclusions in High-Risk/Low-Risk profiles

McAfee KnowledgeBase - How to create Low-Risk and High-Risk process exclusions in VirusScan Enterpri...

A lot of reading. Let us know of any additional resources we can provide in understanding High/Low risk process policies.

Hope this is helpful.

Ron Metzger

0 Kudos
youngpae
Level 8

Re: How to make an exception for *.vbs files

Hi @rmetzger

Thanks for your reply.

But as a (senior) ePO Admin for 12 years, I think I know enough about VSE OAS handling...

I was more asking about Access Protection's Process Inclusion and Exclusion with non-.EXE based file. (e.g. .VBS or .PS1, or .BAT)...

The reason why I asked the question was because I thought that it was impossible (e.g. you can add wscript.exe, cscript.exe, powershell.exe and/or cmd.exe to include or exclude, not the actual script files...). For obvious reasons, we cannot add those "potentially hostile" processes to the included or excluded processes list, and I was hoping that I could put some exceptional/legitimate scripts (.vbs, .ps1 and .bat with path) on exclusion so that I can avoid millions of false positive events uploaded to the ePO event database.

William Warren's blog below is must-read information to understand how VSE works:

https://community.mcafee.com/people/wwarren/blog

Thanks,

Young-

0 Kudos
rmetzger
Level 14

Re: How to make an exception for *.vbs files

youngpae wrote:

Hi @rmetzger

But as a (senior) ePO Admin for 12 years, I think I know enough about VSE OAS handling...

Sorry, no insult intended, as I cannot know your knowledge level or the knowledge level of those also reading these replies.

youngpae wrote:

I was more asking about Access Protection's Process Inclusion and Exclusion with non-.EXE based file. (e.g. .VBS or .PS1, or .BAT)...

The reason why I asked the question was because I thought that it was impossible (e.g. you can add wscript.exe, cscript.exe, powershell.exe and/or cmd.exe to include or exclude, not the actual script files...). For obvious reasons, we cannot add those "potentially hostile" processes to the included or excluded processes list, and I was hoping that I could put some exceptional/legitimate scripts (.vbs, .ps1 and .bat with path) on exclusion so that I can avoid millions of false positive events uploaded to the ePO event database.

The Process is an Exe file in your case, cscript.exe for .VBS files. The exclusion is for the (hopefully a static or easily restrictive path\filename) .vbs file which the process cscript.exe runs.

From McAfee KnowledgeBase - Understanding Exclusions in High-Risk/Low-Risk profiles

"If you add an exclusion to either the High-Risk or Low-Risk profile, it will be excluded from scanning only if it is being accessed by one of the processes/applications included in the list of processes defined in the corresponding profile. Therefore, the exclusion would not apply to processes and/or applications that would be scanned using the default profile."

cscript.exe is located in the High-Risk Process Policy. You are not excluding cscript.exe, rather excluding the .vbs of your choice. This should "avoid millions of false positive events uploaded to the ePO event database."

But for High/Low Risk Process Policies to work you will need to make some changes (from the VSE Console, please convert to the ePO equivalent):

On-Access Scan Properties -> All Processes -> Processes

     Select "Configure different scanning policies for high-risk, low-risk, and default processes."

If you had "Configure one scanning policy for all processes" this is a Major change and I would expect serious testing before implementing into production. But using High/Low Risk Process Policies enables far greater control over exclusions and performance while limiting the security exposure.

youngpae wrote:

William Warren's blog below is must-read information to understand how VSE works:

https://community.mcafee.com/people/wwarren/blog

Agreed, an excellent read.

Good Luck,

Ron Metzger

0 Kudos
youngpae
Level 8

Re: How to make an exception for *.vbs files

Thanks for your effort on explaining these.

However, I think we are talking 2 different things:

  • YOU: OAS (On-Access Scan) High-Risk/Low-Risk/Default Process Exclusions (signature-based file scan engine) vs
  • ME: AP (Access Protection) Rules' Process Inclusion and Exclusion (mini HIPS engine)

I totally agree with everything you mentioned regarding On-Access Scan for sure.

But my main focus is the Access Protection Rule - Prevent execution of scripts from the Temp folder (as an example), which keeps getting triggered for the legitimate cscript.exe activities (e.g. CSCRIPT.EXE C:\Windows\Temp\RADxxxx.vbs or RADxxxx.tmp) 1 million times per month.

Typically, if the executable is unique enough (e.g. C:\AppPath\MyAppScript.exe C:\Windows\Temp\RADxxxx.vbs), I can simply add C:\AppPath\MyAppScript.exe to the "Excluded Process" list.

So far, as I know I cannot add .vbs to the AP's Process Exclusion list, I have been using an ePO query with Threat Target File Path like "C:\Windows\Temp\RAD*" and a Server Task to selectively purge it every day.

The only thing I didn't try is to add C:\Windows\Temp\RAD*.* to the OAS - High Risk - Exclusion list (hoping that this rule takes precedence over AP's Rule so I can avoid 1 million events per month).

So, the question comes down to... "Would adding C:\Windows\Temp\RAD*.* to the OAS - High Risk - Exclusion List avoid the false positives triggered by the Access Protection Rule for the same C:\Windows\Temp\RAD*.* file executed by the process that cannot be excluded globally for a good security reason?"

Thanks,

Young-

0 Kudos
rmetzger
Level 14

Re: How to make an exception for *.vbs files

VSE does not offer that feature in AP. For that you need to migrate to ENS 10.x.

Yes, we are talking about 2 different things, and I am suggesting a totally different approach to the problem using the available tools from the tool chest VSE provides.

VSE's AP rules are strict and rigid in what they allow and disallow, without the ability to put in exclusions.

However, you could loosen up in AP and tighten up in OAS to maintain a (not quite as) secure environment.

In your example, you would have to remove the AP rule and then hope for a tight enough set of rules in OAS using the High/Low Risk Process Profiles with the exclusion you mentioned to allow CScript to run scripts from the temp\ directory files RAD*.*.

You could simply set the AP rule to not report this, but you would lose visibility of illegitimate programs doing the same thing. (Or as you originally stated, you could try to run a query to remove the million / month reports from ePO database, but that seems like a great deal of work for your ePO server if this is a legitimate program, followed by even more work to remove these reports.)

As an aside:

What is the chance of getting this 'legitimate' program to relocate where they run from?

Thanks,

Ron Metzger

0 Kudos
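The thread's workaround is a purge query on Threat Target File Path like "C:\Windows\Temp\RAD*", and Ron's caveat is that silencing or purging the rule hides illegitimate programs doing the same thing. As an added example (not from the thread, McAfee, or ePO's own query language), the Python below matches VSE-style wildcard patterns against constructed AP events, purges only events whose process and target both fit a tightly scoped known-good pair, and reports how many events the broader target-path-only query would have hidden. The `**`/`*`/`?` semantics are an assumption modelled on VSE exclusion syntax.

```python
import re

# Assumed semantics modelled on VSE exclusion syntax (not taken from the
# thread): '**' spans directories, '*' and '?' stay within one path component.
def vse_pattern_to_regex(pattern):
    parts = {"**": r".*", "*": r"[^\\]*", "?": r"[^\\]"}
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", pattern)
    body = "".join(parts.get(t, re.escape(t)) for t in tokens)
    return re.compile("^" + body + "$", re.IGNORECASE)  # NTFS is case-insensitive

def matches(pattern, path):
    return vse_pattern_to_regex(pattern).match(path) is not None

# Constructed AP events (source process, Threat Target File Path); not real
# telemetry. Only the first two are the legitimate RADxxxx maintenance scripts.
EVENTS = [
    (r"C:\Windows\System32\cscript.exe", r"C:\Windows\Temp\RAD1A2B.tmp"),
    (r"C:\Windows\System32\cscript.exe", r"C:\Windows\Temp\RAD9F3C.vbs"),
    (r"C:\Windows\System32\cscript.exe", r"C:\Windows\Temp\RADloader.vbs"),
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\Temp\RAD1A2B.tmp"),
    (r"C:\Windows\System32\cscript.exe", r"C:\Users\Public\Temp\update.vbs"),
]

# Tight known-good list: the expected process AND the "RAD + four characters"
# shape, instead of the thread's target-path-only "C:\Windows\Temp\RAD*".
KNOWN_GOOD = [
    (r"C:\Windows\System32\cscript.exe", r"C:\Windows\Temp\RAD????.tmp"),
    (r"C:\Windows\System32\cscript.exe", r"C:\Windows\Temp\RAD????.vbs"),
]

def triage(events, known_good):
    """Split events into (purgeable, keep): purge only when both the process
    and the target match a known-good pair; everything else stays for review."""
    purgeable, keep = [], []
    for proc, target in events:
        ok = any(proc.lower() == p.lower() and matches(pat, target)
                 for p, pat in known_good)
        (purgeable if ok else keep).append((proc, target))
    return purgeable, keep

def hidden_by_broad_query(events, broad=r"C:\Windows\Temp\RAD*"):
    """Events the broad purge query would drop although triage keeps them."""
    return [e for e in triage(events, KNOWN_GOOD)[1] if matches(broad, e[1])]
```

Run against the constructed events, the broad query would have silently dropped a non-RADxxxx script and a wscript.exe launch that the tight pair list keeps for review.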