ENS Exploit Prevention Exclusions - Process

Question about adding process exclusions for Exploit Prevention Illegal API rules. When adding a process exclusion for Illegal API use, the first section is for the process you want to exclude. When I look at the threat event I want to exclude, there is a Target Parent Process and a Target Process. Which one should I enter into the rule?

 

For example below, do I use powershell.exe or snowagent.exe?

 

Module Name: Threat Prevention Analyzer

Content Creation Date: 10/1/18 10:12:48 PM

Analyzer Content Version: 10.6.0.8701

Analyzer Rule ID: 6086

Analyzer Rule Name: Powershell Command Restriction - Command Source

Description: "C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -NONINTERACTIVE -NOPROFILE -COMMAND "& {FUNCTION RUN-SERVER() { PARAM([STRING]$H); $B = NEW-OBJECT BYTE[] 8; $P = NEW-OBJECT SYSTEM.IO.PIPES.ANONYMOUSPIPECLIENTSTREAM -ARGUMENTLIST @([SYSTEM.IO.P

Target Hash: a575a7610e5f003cc36df39e07c4ba7d

Target Signed: Yes

Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS

Target Parent Process Signed: Yes

Target Parent Process Signer: C=SE, S=STOCKHOLM COUNTY, L=SOLNA, O=SNOW SOFTWARE AB, CN=SNOW SOFTWARE AB

Target Parent Process Name: SNOWAGENT.EXE

Target Parent Process Hash: 7788333cc188d306772c357cc745daca

Target Name: POWERSHELL.EXE

Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0

Target File Size (Bytes): 443392

Target Modify Time: 12/8/16 4:34:22 PM

Target Access Time: 11/7/18 4:27:07 AM

Target Create Time: 11/7/18 4:27:07 AM

API Name: AtlComPtrAssign

First Action Status: Not available

Second Action Status: Not available

Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only. Attack Vector Type: Local System
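The event above lists two executables, and it helps to separate them mechanically before building a rule. The following is an added example, not code from the original post or from McAfee: a small parser for the "Key: Value" lines of an ePO Threat Event detail view that pulls out the Target process, its parent, the signer CNs and the API name, and presents them as exclusion candidates. The Description line in the event itself identifies which process the rule fired on ("attempt to exploit ... POWERSHELL.EXE, which targeted the AtlComPtrAssign API"), so the parser labels that one as the process and keeps the parent only as context. The sample event is a constructed, trimmed copy of the one in the post with the two split lines rejoined; the field names of the ENS exclusion form itself are not assumed here, only the values you would paste into it.

```python
import re

# Constructed sample: the fields from the event pasted above, trimmed, with the
# two extraction-split lines ("Target Signed"/"Signer", "API"/"Name") rejoined.
SAMPLE_EVENT = r"""
Analyzer Rule ID: 6086
Analyzer Rule Name: Powershell Command Restriction - Command Source
Target Hash: a575a7610e5f003cc36df39e07c4ba7d
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Signed: Yes
Target Parent Process Signer: C=SE, S=STOCKHOLM COUNTY, L=SOLNA, O=SNOW SOFTWARE AB, CN=SNOW SOFTWARE AB
Target Parent Process Name: SNOWAGENT.EXE
Target Parent Process Hash: 7788333cc188d306772c357cc745daca
Target Name: POWERSHELL.EXE
Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
API Name: AtlComPtrAssign
Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only. Attack Vector Type: Local System
"""


def parse_event(text: str) -> dict:
    """Turn 'Key: Value' lines from a Threat Event detail view into a dict.

    Split on the first ': ' only, so values that themselves contain colons
    (Windows paths, the Description sentence) survive intact.
    """
    fields = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        fields[key.strip()] = value.strip()
    return fields


def signer_cn(dn: str) -> str:
    """Pull the CN out of the signer distinguished name ENS records."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""


def exclusion_candidate(fields: dict) -> dict:
    """Separate the two processes in the event and collect what an
    Illegal API Use exclusion can key on.

    'process' is the Target: the executable the Description names as the one
    ExP tried to protect. 'parent' is context for the reviewer only; it is
    the process that launched the target, not the one the rule fired on.
    """
    process = fields.get("Target Name", "")
    path = fields.get("Target Path", "")
    process_cn = signer_cn(fields.get("Target Signer", ""))
    parent_cn = signer_cn(fields.get("Target Parent Process Signer", ""))
    return {
        "rule_id": fields.get("Analyzer Rule ID", ""),
        "process": process,
        "process_path": path + "\\" + process if path else process,
        "process_signer_cn": process_cn,
        "parent": fields.get("Target Parent Process Name", ""),
        "parent_signer_cn": parent_cn,
        "api": fields.get("API Name", ""),
        # A Windows-signed binary such as powershell.exe is launched by many
        # things on the box; a name-only exclusion for it silences the rule
        # for every caller, not just the parent seen in this event.
        "os_signed_process": process_cn.upper() == "MICROSOFT WINDOWS",
    }


if __name__ == "__main__":
    cand = exclusion_candidate(parse_event(SAMPLE_EVENT))
    for key, value in cand.items():
        print(f"{key:20} {value}")
```

The `os_signed_process` flag is the caveat worth keeping in mind: because the event was generated in Report Only mode, nothing was blocked, and an exclusion keyed on powershell.exe alone would also cover PowerShell launched by anything other than the Snow agent. The Description field carries the full command line, so check that it is the agent's expected invocation before excluding, and keep the parent name and signer from the event in your change record even if the rule form does not take them.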
