How to create an exception for Combofix

Hi,

We use McAfee on all computers in the city, which is around 300. One of the tools we use when we are not sure that McAfee has done a perfect job is Combofix. For a reason unknown, Combofix is now seen as a threat and blocked by McAfee.

Is there a way I can put an exception in the EPO so the agent can push instructions to let it work?

thank you!

Dag

1 Solution

Accepted Solutions
Re: Re: How to create an exception for Combofix

It depends if you have that policy being applied to all of your machines or just specific nodes in your system tree. It's not a big deal to lower it for testing or something. I wouldn't keep it at low or disabled permanently though.

Artemis is McAfee's global threat intelligence (GTI) service that works with selected McAfee products. Upon detecting a potential threat, McAfee GTI-enabled products query the GTI cloud, the cloud renders a response in the form of a reputation score or categorization information, and the product takes policy-based action in your environment.

12 Replies
Re: How to create an exception for Combofix

Is it being blocked via HIPS or VSE? Once you figure that out, you can create the needed exception/exclusion for HIPS or VSE and then it will work.

Logs for HIPS: C:\ProgramData\McAfee\Host Intrusion Prevention

Logs for VSE: C:\ProgramData\McAfee\DesktopProtection

Re: How to create an exception for Combofix

OK,

HIPS is not in use so there is no folder related to that.

For VSE, the folder contains five log files:

AccessProtectionLog.txt
EmailOnDeliveryLog.txt
EmailOnDemandLog.txt
OnAccessScanLog.txt
UpdateLog.txt

None of these five files mention any kind of virus-related issue, but if I go into the On-Access Scan statistics, I can see it has been blocked. So I know that VSE is blocking it.

What should be the next step for me?

have a nice day!

Re: How to create an exception for Combofix

Cool, you got it narrowed down so now all you need to do is create the exception for it to prevent OAS from blocking it.

Within ePO, go to Menu > Policy > Policy Catalog

Then dropdown the Product for VirusScan Enterprise 8.8.0

From here you need to find the policy that is applied to the machines' system tree node. This also depends on how you have OAS set up: whether you're using one default processes policy, or whether you're categorizing them into high/low/default and using multiple policies. Figure out which one you are using.

Then from there, just open the policy, click the "exclusions" tab, change the "setting for" for either a workstation or server, and then drop the Combofix directory or file into that location.

Wake up the agents to get the new policy and test.

Re: How to create an exception for Combofix

I found the information. Thank you fitch. There is one thing that is intriguing me.

Here is the box to add a new exclusion. I took a look at the other exceptions and they point to a certain type of file (.pst in that case) or a specific folder. How can I specify a single file called Combofix.exe?

[attached screenshot: Capture.PNG]

I've logged into my virtual machine that does not have any antivirus, so I was able to download Combofix. I copied the file onto the server and woof! It was removed from the server in a matter of seconds. I wanted to start it to see if the antivirus would accept it after the download, but better luck next time for me!

How can I create an exclusion for a single file?

Re: How to create an exception for Combofix

So to create an exclusion for a single file, combofix.exe, just use this syntax:

*\Combofix.exe

That basically says exclude Combofix.exe from any directory that it is found within.

Save the policy, wake up your agent and make it get the new policy, then test and see if it is no longer blocked.
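To make the reach of that `*\Combofix.exe` exclusion concrete, here is a small Python model of how wildcard exclusions match paths. It is an added example, not code from the thread or from McAfee; the matching rules (`*` spans any characters including path separators, `?` is one character, a pattern ending in `\` is a folder exclusion that covers everything below it) are assumptions modelled on the reply above, not McAfee's documented grammar, and the sample paths are constructed. The point it shows is that a name-only exclusion silences on-access scanning for any file with that name anywhere on the disk, whereas a full-path exclusion covers exactly one location, which is what you want when the file lives in a fixed tools folder.

```python
import re

# Constructed sample of endpoint paths (not from the thread), used to show
# how wide each exclusion reaches.
SAMPLE_PATHS = [
    r"C:\Users\dag\Downloads\Combofix.exe",
    r"C:\Users\dag\Desktop\ComboFix.exe",
    r"C:\Temp\tools\combofix.exe",
    r"D:\Shares\Public\Combofix.exe",
    r"C:\Users\dag\Downloads\Combofix.exe.bak",
    r"C:\Users\dag\Documents\Outlook\archive.pst",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an exclusion pattern into an anchored, case-insensitive regex.

    Assumed rules (modelled on the thread, not McAfee's documented grammar):
      '*'  any run of characters, including path separators
      '?'  exactly one character
      a pattern ending in a backslash is a folder exclusion covering
      everything below that folder; anything else must match the whole path.
    """
    folder = pattern.endswith("\\")
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts) + (".*" if folder else "")
    return re.compile("^" + body + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern would cover this path."""
    return pattern_to_regex(pattern).match(path) is not None


def excluded_by(path: str, exclusions):
    """Return every exclusion in the policy that would cover this path."""
    return [p for p in exclusions if matches(p, path)]


def coverage(pattern: str, paths=SAMPLE_PATHS):
    """Return the sample paths an exclusion would silence OAS for; the
    length of this list is the exclusion's blast radius."""
    return [p for p in paths if matches(pattern, p)]


if __name__ == "__main__":
    # A policy with a name-only exclusion, a file-type exclusion and a folder.
    policy = [r"*\Combofix.exe", r"*.pst", "C:\\Temp\\tools\\"]
    for path in SAMPLE_PATHS:
        print(f"{path:48} -> {excluded_by(path, policy) or 'scanned'}")
    print("name-only exclusion covers",
          len(coverage(r"*\Combofix.exe")), "sample paths")
    print("full-path exclusion covers",
          len(coverage("C:\\Temp\\tools\\Combofix.exe")), "sample path")
```

Run it as-is to see the name-only pattern match four of the six constructed paths (every `Combofix.exe` regardless of folder, but not `Combofix.exe.bak`), while the full-path pattern matches only the copy in `C:\Temp\tools`. If the tool is always run from one known folder, the narrower exclusion gives the same result with far less that OAS will quietly skip.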

Re: How to create an exception for Combofix

So I did as you showed me and it works! The only thing is that after the download McAfee pops up this:

[attached screenshot: Capture.PNG]

So now McAfee lets the combofix.exe file pass, but once it is on the computer it blocks it. How do I stop this from happening?

Dag

Re: How to create an exception for Combofix

Change your Artemis to minimum sensitivity.

Re: Re: How to create an exception for Combofix

You just need to change the Artemis level within your VSE policy.

Go to Menu > Policy > Policy Catalog > VSE 8.8 > On-Access General Policies

Find the policy that is being applied to the machines, open it.

Change the Artemis level to Low and see if it works, otherwise try it at very low or disabled for the time being.

Re: How to create an exception for Combofix

By doing that, will I weaken the security parameters of the entire network? Is Artemis really useful, or is putting it at a low level like that not too risky?
