ENS Exploit Prevention Exclusions - Process

Question about adding process exclusions for Exploit Prevention Illegal API rules. When adding a process exclusion for Illegal API use, the first section is for the process you want to exclude. When I look at the threat event I want to exclude, there is a Target Parent Process and a Target Process. Which one should I enter into the rule?


For example below, do I use powershell.exe or snowagent.exe?


Module Name: Threat Prevention Analyzer

Content Creation Date: 10/1/18 10:12:48 PM

Analyzer Content Version: 10.6.0.8701

Analyzer Rule ID: 6086

Analyzer Rule Name: Powershell Command Restriction - Command Source

Description: "C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -NONINTERACTIVE -NOPROFILE -COMMAND "& {FUNCTION RUN-SERVER() { PARAM([STRING]$H); $B = NEW-OBJECT BYTE[] 8; $P = NEW-OBJECT SYSTEM.IO.PIPES.ANONYMOUSPIPECLIENTSTREAM -ARGUMENTLIST @([SYSTEM.IO.P

Target Hash: a575a7610e5f003cc36df39e07c4ba7d

Target Signed: Yes

Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS

Target Parent Process Signed: Yes

Target Parent Process Signer: C=SE, S=STOCKHOLM COUNTY, L=SOLNA, O=SNOW SOFTWARE AB, CN=SNOW SOFTWARE AB

Target Parent Process Name: SNOWAGENT.EXE

Target Parent Process Hash: 7788333cc188d306772c357cc745daca

Target Name: POWERSHELL.EXE

Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0

Target File Size (Bytes): 443392

Target Modify Time: 12/8/16 4:34:22 PM

Target Access Time: 11/7/18 4:27:07 AM

Target Create Time: 11/7/18 4:27:07 AM

API Name: AtlComPtrAssign

First Action Status: Not available

Second Action Status: Not available

Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only.

Attack Vector Type: Local System
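Added example (not from the original post or from McAfee): a small Python parser for the ENS Threat Prevention Analyzer event text shown above. It splits the "Key: Value" lines and presents the target process and its parent as two separate identities (name, path, hash, signer) so the two are not mixed up when an exclusion is being filled in; the sample event is constructed from the field lines in the post, with the long Description omitted.

```python
import re
from typing import Dict
# Constructed sample: field lines from the event in the post above, Description omitted.
SAMPLE_EVENT = r"""
Content Creation Date: 10/1/18 10:12:48 PM
Analyzer Rule Name: Powershell Command Restriction - Command Source
Target Hash: a575a7610e5f003cc36df39e07c4ba7d
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Signed: Yes
Target Parent Process Signer: C=SE, S=STOCKHOLM COUNTY, L=SOLNA, O=SNOW SOFTWARE AB, CN=SNOW SOFTWARE AB
Target Parent Process Name: SNOWAGENT.EXE
Target Parent Process Hash: 7788333cc188d306772c357cc745daca
Target Name: POWERSHELL.EXE
Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
API Name: AtlComPtrAssign
"""

# "Key: Value"; the key is matched non-greedily so that colons inside values
# (timestamps, "C:\..." paths) stay in the value.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")

def parse_event(text: str) -> Dict[str, str]:
    """Return the event's fields as a dict; lines that are not fields are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def process_identity(fields: Dict[str, str], prefix: str) -> Dict[str, object]:
    """prefix is 'Target' or 'Target Parent Process', exactly as the event names them."""
    return {
        "name": fields.get(f"{prefix} Name", ""),
        "path": fields.get(f"{prefix} Path", ""),
        "hash": fields.get(f"{prefix} Hash", "").lower(),
        "signed": fields.get(f"{prefix} Signed", "").lower() == "yes",
        "signer": fields.get(f"{prefix} Signer", ""),
    }

def summarize(text: str) -> Dict[str, object]:
    """Split the event into rule, API, target process and parent process."""
    fields = parse_event(text)
    return {
        "rule": fields.get("Analyzer Rule Name", ""),
        "api": fields.get("API Name", ""),
        "target": process_identity(fields, "Target"),
        "parent": process_identity(fields, "Target Parent Process"),
    }
```

Whichever section of the exclusion dialog the process belongs in, pinning the entry to hash or signer as well as the name keeps a renamed binary from matching the exclusion.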
