We use McAfee on all computers in the city, which is around 300. One of the tools we use when we are not sure that McAfee has done a perfect job is ComboFix. For a reason unknown, ComboFix is now seen as a threat and blocked by McAfee.
Is there a way I can put an exception in the EPO so the agent can push instructions to let it work?
It depends on whether you have that policy applied to all of your machines or just specific nodes in your system tree. It's not a big deal to lower it for testing or something. I wouldn't keep it at low or disabled permanently though.
Artemis is McAfee's global threat intelligence (GTI) service that works with selected McAfee products. Upon detecting a potential threat, McAfee GTI-enabled products query the GTI cloud, the cloud renders a response in the form of a reputation score or categorization information, and the product takes policy-based action in your environment.
Is it being blocked via HIPS or VSE? Once you figure that out, you can create the needed exception/exclusion for HIPS or VSE and then it will work.
Logs for HIPS: C:\ProgramData\McAfee\Host Intrusion Prevention
Logs for VSE: C:\ProgramData\McAfee\DesktopProtection
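To narrow down which component logged the block, the two log folders above can be searched for the file name in one pass. This is an added PowerShell example, not code from the original thread or from McAfee; it assumes only that the log files in those folders are plain text, and it builds a small constructed sample log under a temp folder so it can be run without a McAfee installation.

```powershell
# Search McAfee HIPS and VSE log folders for lines mentioning a given file name
# and report which component (taken from the folder name) logged the event.
function Find-McAfeeLogEvents {
    param(
        [Parameter(Mandatory)] [string] $FileName,
        # Default roots are the folders named in the thread; override for testing.
        [string[]] $LogRoots = @(
            'C:\ProgramData\McAfee\Host Intrusion Prevention',
            'C:\ProgramData\McAfee\DesktopProtection'
        )
    )
    $pattern = [regex]::Escape($FileName)
    foreach ($root in $LogRoots) {
        # A missing folder simply means that component is not installed (HIPS here).
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $component = if ($root -match 'Host Intrusion') { 'HIPS' } else { 'VSE' }
        Get-ChildItem -LiteralPath $root -Include '*.txt','*.log' -Recurse -File |
            Select-String -Pattern $pattern -SimpleMatch:$false |
            ForEach-Object {
                [pscustomobject]@{
                    Component  = $component
                    LogFile    = $_.Filename
                    LineNumber = $_.LineNumber
                    Line       = $_.Line.Trim()
                }
            }
    }
}

# --- Constructed sample data (not real McAfee log output) for an offline run ---
$sampleRoot = Join-Path $env:TEMP 'mcafee-log-sample'
$vseDir = Join-Path $sampleRoot 'DesktopProtection'
New-Item -ItemType Directory -Force -Path $vseDir | Out-Null
@(
    '2013-01-01 10:00:00 Not scanned (scan timed out) C:\Temp\readme.txt'
    '2013-01-01 10:05:12 Deleted C:\Users\admin\Downloads\Combofix.exe (detection by Artemis)'
) | Set-Content -LiteralPath (Join-Path $vseDir 'OnAccessScanLog.txt')

# Usage: on a real machine omit -LogRoots to search the default McAfee folders.
Find-McAfeeLogEvents -FileName 'Combofix.exe' -LogRoots @($sampleRoot) | Format-Table -AutoSize
```

Any hit with Component = VSE points at an exclusion in the VirusScan on-access policy; a hit under HIPS would instead need a HIPS exception. The sample line above is constructed for the demo and does not reflect McAfee's actual log format.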
HIPS is not in use so there is no folder related to that.
For VSE, the folder contains five log files:
So none of these five files mentions any kind of virus-related issue, but if I go into the On-Access Scan statistics, I can see it has been blocked. So I know that VSE is blocking it.
What should be the next step for me?
Have a nice day!
Cool, you got it narrowed down so now all you need to do is create the exception for it to prevent OAS from blocking it.
Within ePO, go to Menu > Policy > Policy Catalog
Then dropdown the Product for VirusScan Enterprise 8.8.0
From here you need to find the policy that is applied to the machines' system tree node. This also depends on how you have OAS set up: whether you're using one default processes policy, or if you're categorizing them into high/low/default and using multiple policies. Figure out which one you are using.
Then from there, just open the policy, click the "exclusions" tab, change the "setting for" for either a workstation or server, and then drop the Combofix directory or file into that location.
Wake up the agents to get the new policy and test.
I found the information. Thank you fitch. There is one that is intriguing me.
Here is the box to add a new exclusion. I took a look at the other exceptions and they point to a certain type of file (.pst in that case) or a specific folder. How can I specify a single file called Combofix.exe?
I logged in to my virtual machine, which does not have any antivirus, so I was able to download ComboFix. I copied the file to the server and woof! It was removed from the server within a matter of seconds. I wanted to start it to see if the antivirus would accept it after the download, but better luck next time for me!
How can I create an exclusion for a single file?
So to create an exclusion for a single file, combofix.exe, just use this syntax:
That basically says exclude Combofix.exe from any directory that it is found within.
Save the policy, wake up your agent and make it get the new policy, then test and see if it is no longer blocked.
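The "wake up your agent" step in the two posts above can also be driven from a script through the ePO web API, which is convenient when the exclusion has to reach a specific test machine before it is rolled out wider. This is an added PowerShell example, not code from the thread or from McAfee; the server name, port, credentials and system name are placeholders, and the `system.wakeupAgent` command and its `names` parameter are assumed here from the ePO remote command set and should be confirmed on your own server with `core.help`.

```powershell
# Wake up the agent on one system via the ePO web API so it fetches the updated
# VSE policy, then report the server's reply. Placeholders: adjust to your ePO.
param(
    [string] $EpoServer = 'epo.example.local',   # placeholder, not from the thread
    [int]    $EpoPort   = 8443,                  # default ePO console port
    [string] $SystemName = 'TEST-WORKSTATION01'  # placeholder system tree name
)

# Prompt for an ePO account that is allowed to run remote commands.
$cred = Get-Credential -Message 'ePO account for remote commands'

# ePO remote commands live under /remote/<command>; ':output=json' asks for JSON.
# The 'names' parameter of system.wakeupAgent is assumed; confirm with:
#   https://<server>:<port>/remote/core.help?command=system.wakeupAgent
$uri = "https://$EpoServer`:$EpoPort/remote/system.wakeupAgent" +
       "?names=$([uri]::EscapeDataString($SystemName))&:output=json"

function Invoke-EpoWakeup {
    param([string] $Uri, [pscredential] $Credential)
    try {
        # ePO uses HTTP basic auth over TLS for remote commands.
        $reply = Invoke-RestMethod -Uri $Uri -Credential $Credential -Method Get
        [pscustomobject]@{ Succeeded = $true;  Reply = $reply }
    } catch {
        # Surface the server's error text instead of a bare exception.
        [pscustomobject]@{ Succeeded = $false; Reply = $_.Exception.Message }
    }
}

$result = Invoke-EpoWakeup -Uri $uri -Credential $cred
if ($result.Succeeded) {
    Write-Host "Wake-up call accepted for $SystemName; re-test the exclusion once the agent reports in."
} else {
    Write-Warning "Wake-up call failed: $($result.Reply)"
}
```

If the ePO server uses a self-signed certificate, `Invoke-RestMethod` will refuse the connection until the certificate is trusted on the machine running the script; import the ePO certificate rather than disabling validation.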
So I did like you showed me and it works! The only thing is that after the download Mcafee pops up this:
So now McAfee lets the combofix.exe file through, but once it is on the computer it blocks it. How do I stop this from happening?
You just need to change the Artemis level within your VSE policy.
Go to Menu > Policy > Policy Catalog > VSE 8.8 > On-Access General Policies
Find the policy that is being applied to the machines, open it.
Change the Artemis level to Low and see if it works, otherwise try it at very low or disabled for the time being.