wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Hello

Currently my EPO detected a threat source process -  "wscript.exe" and threat name "Antispyware Maximum protection:Prevention execution of scripts from Temp Folder".

But from what I read, wscript.exe is a valid Windows program, thus was wondering what's the issue here and how to resolve it.

Any suggestions will be helpful.

Thanks

Rgs
Alan Tan

9 Replies

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Moved from Community Help provisionally to Business > ePO 4.6 for better attention.

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Cscript and wscript will always show as the source for this AP rule, that is by nature.

That rule is not one to enforce for day to day use (in my opinion), too many legit processes will trigger that rule.  Hence the name Maximum Protection. 

Unless you want to completely lock down systems and or upset users.

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Hi

Thanks.

But just wondering, for this rule in EPO, what should be done to ensure it avoids false detections? (if this is possible)

For this example wscript.exe, any way to confirm it's a legit process and not some spyware / malware?

Rgs
Alan


Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Not that I am aware of.  Best way to avoid false detections is to disable or leave in report only.  This would not be a good single IOC, but may help in reverse engineering an infection if one wanted to back track events. 

It's a very simple rule with little to no tuning available.

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Hi, thanks.

btw, was looking at the Access control logs and the following is seen:

16/4/2014          9:13:47 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Windows\System32\wscript.exe          C:\Windows\Temp\CabF2B7.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read

16/4/2014          9:13:47 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Windows\System32\wscript.exe          C:\Windows\Temp\TarF2B8.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read

16/4/2014          9:14:19 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Windows\System32\wscript.exe          C:\Windows\Temp\Cab707D.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read

16/4/2014          9:14:19 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Windows\System32\wscript.exe          C:\Windows\Temp\Tar707E.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read

16/4/2014          9:15:05 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Windows\System32\wscript.exe          C:\Windows\Temp\Cab272F.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read

16/4/2014          9:15:05 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Windows\System32\wscript.exe          C:\Windows\Temp\Tar2730.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read

Strangely, I could not locate those files in the Temp folder of the PC (Tar2730.tmp). Any idea why this is so? Is it a sign of malware?

Rgs
Alan Tan
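As an added example (not from the post or from McAfee), a small Python triage script that parses the Access Protection log layout quoted above and tallies, per source process and target folder, how many hits were report-only versus enforced. The first two sample lines are copied from the post; the third is constructed, and its enforced-mode status wording is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: the first two lines mirror the post's log entries, the third is a
# made-up enforced-mode entry (its status text is assumed, not McAfee's exact wording).
SAMPLE_LOG = """\
16/4/2014          9:13:47 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)          NT AUTHORITY\\SYSTEM          C:\\Windows\\System32\\wscript.exe          C:\\Windows\\Temp\\CabF2B7.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read
16/4/2014          9:13:47 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)          NT AUTHORITY\\SYSTEM          C:\\Windows\\System32\\wscript.exe          C:\\Windows\\Temp\\TarF2B8.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read
16/4/2014          9:14:19 PM          Blocked by Access Protection rule          NT AUTHORITY\\SYSTEM          C:\\Windows\\System32\\wscript.exe          C:\\Windows\\Temp\\Cab707D.tmp          Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder          Action blocked : Read
"""

FIELDS = ("date", "time", "status", "user", "process", "target", "rule", "action")
# Fields in the exported log are separated by long runs of spaces; a single double
# space (as in "rule  (rule is currently not enforced)") must stay inside one field.
SEP = re.compile(r"\s{3,}")


def parse_ap_line(line):
    """Split one Access Protection log line into named fields; None if the layout differs."""
    parts = SEP.split(line.strip())
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize(log_text):
    """Count events per (source process, target directory) and report-only vs enforced hits."""
    summary = {"events": 0, "report_only": 0, "enforced": 0,
               "by_process_dir": Counter(), "targets": []}
    for line in log_text.splitlines():
        ev = parse_ap_line(line)
        if ev is None:
            continue  # skip headers or lines from another log format
        summary["events"] += 1
        # "(rule is currently not enforced)" marks a report-only hit; anything else was blocked
        key = "report_only" if "not enforced" in ev["status"] else "enforced"
        summary[key] += 1
        proc = PureWindowsPath(ev["process"]).name.lower()
        target = PureWindowsPath(ev["target"])
        summary["by_process_dir"][(proc, str(target.parent))] += 1
        summary["targets"].append(target.name)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f'{s["events"]} events: {s["report_only"]} report-only, {s["enforced"]} enforced')
    for (proc, folder), n in s["by_process_dir"].most_common():
        print(f"  {proc} -> {folder}: {n} hit(s), files {s['targets']}")
```

Grouping the hits by process and folder shows at a glance whether the rule is firing on a single recurring source, as in the thread, or on many unrelated ones.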

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Again, this rule is not a valid IOC; the files are not there since most temp files purge themselves post execution.

Is this system infected?  Cannot say by these events only, life is not that simple.

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Hi


Thanks..

1. Any suggestion on how we can find out the cause of this wscript.exe trigger?
     Will review the event logs of the system later, as this is triggered.

2. For IOC (indicators of compromise), are there rules I can use for this case?

Any ideas will be appreciated :-)

Rgs
Alan Tan

epriest

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

For sources of the trigger I would suggest looking at Group Policies (assuming you are using them). Such as logon scripts etc...

Regards,


Eddie.

Re: wscript.exe [Antispyware Maximum protection:Prevention execution of scripts from Temp Folder]

Hello...

As a follow-up and update, this wscript item is apparently due to a Windows CAP12 error. Once I cleared the Windows CAP12 error via a Windows fix, this access protection notification for wscript.exe is no longer observed.

Rgs

Alan Tan
