10 Replies. Latest reply on Oct 2, 2017 1:19 PM by nn82450

    TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend

    bretzeli

Had to take down TIE two days before WANNACRYPT because TIE falsely detects Microsoft Framework Assemblies!

Hello,

We had this before, and McAfee addressed it with an update to detection rule 196, Detect Network Assembly Trust, around the start of 2017.

The May 2017 Windows updates for Framework 2.X to 4.X, which came in via WSUS, however bring UP the same fixed BUG with the assemblies.

* Running TIE / ATD environment with target block UNKNOWN
* WIN 7 SP1 Enterprise GERMAN
* Latest release of ATD-3000
* Latest release of ENS 10.5.1
* Framework 5.0.5.X
* ATP client ENS module latest release

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\4F98CEAD689004458051FCA94BAA0607\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL

       

      Adaptiver Bedrohungsschutz – Blockiert

       

On ACTIVE machines where we have "BLOCKED UNKNOWN" we get the files blocked in a loop. Framework 4.X tries to generate ("assemble") a Framework 2.X file, TIE blocks it, and it tries again. A single file shows up 2048 times in TIE with different hashes. The 2048 seems to be some kind of hard-fixed MAX count, I guess.

       

That's a nice way to lock down a) all clients, b) the ePO server and SQL, and since patchday was 2 days before the WANNACRY weekend we are NOT too happy! We had to take down TIE before that weekend because of this.

This was the first time we patched machines asap. We normally have a WSUS patch delay of 1 week for larger customers.

       

There is a McAfee PING PONG ticket open with SR # <4-17441502971>

       

Any help or feedback welcome ;-)
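As an added triage example (not McAfee code and not from the original post), the script below parses constructed ePO-style block events and flags the regeneration loop the post describes: a NativeImages path that ATP keeps blocking under a new hash each time, as opposed to one unknown binary blocked repeatedly with the same hash. The export format, host names and hashes are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed paths modelled on the one in the post; the MVID directory is the page's own.
NI_DIR = r"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4F98CEAD689004458051FCA94BAA0607"
NI_DLL = NI_DIR + r"\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll"
APP_EXE = r"C:\Tools\updater.exe"

# Constructed sample export, one event per line: timestamp|host|action|sha256|path.
# Hashes are short placeholders, not real digests.
SAMPLE_EVENTS = [
    f"2017-05-10T08:00:01|WS01|Blocked|h1|{NI_DLL}",
    f"2017-05-10T08:00:02|WS01|Blocked|h2|{NI_DLL}",  # NGEN rebuilt it: new hash
    f"2017-05-10T08:00:03|WS01|Blocked|h3|{NI_DLL}",
    f"2017-05-10T08:00:04|WS01|Blocked|h4|{NI_DLL}",
    f"2017-05-10T08:00:05|WS01|Blocked|h5|{NI_DLL}",
    f"2017-05-10T08:05:00|WS02|Blocked|h9|{APP_EXE}",  # ordinary unknown binary
    f"2017-05-10T08:05:30|WS02|Blocked|h9|{APP_EXE}",  # same hash again: not a loop
    "garbage line without fields",
]

# Native-image cache directories: the only place NGEN output lives.
NATIVE_IMAGE_RE = re.compile(r"\\assembly\\nativeimages_v[\d.]+_(?:32|64)\\", re.IGNORECASE)
EVENT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<action>[^|]+)\|(?P<sha>[^|]+)\|(?P<path>.+)$")


def parse_event(line):
    """Return a dict of fields for a well-formed line, None for anything else."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_regeneration_loops(lines, min_distinct_hashes=3):
    """Return {(host, path): (block_count, distinct_hashes)} for native-image paths
    that ATP blocked repeatedly under different hashes. Each block triggers NGEN to
    rebuild the image, which yields a new hash, so many hashes on one path is the
    loop signature rather than a single malicious file."""
    hashes, blocks = defaultdict(set), defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["action"].lower() != "blocked":
            continue
        if not NATIVE_IMAGE_RE.search(ev["path"]):
            continue  # not in the NGEN cache: leave it to normal triage
        key = (ev["host"], ev["path"].lower())
        hashes[key].add(ev["sha"].lower())
        blocks[key] += 1
    return {k: (blocks[k], len(v)) for k, v in hashes.items() if len(v) >= min_distinct_hashes}


if __name__ == "__main__":
    for (host, path), (n, d) in find_regeneration_loops(SAMPLE_EVENTS).items():
        print(f"{host}: {n} blocks, {d} distinct hashes -> {path}")
```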

        • 1. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
          bretzeli

          Does the Hotfix from 16.05.2017 for ENS 10.5.1 (ALL MODULES) fix this?

           

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27071/en_US/ENS_10_5_1_Hotfix_11…

           

          We also see other BUG fixes with TIE/ATP but nothing in there concerning the blocking (False Positive of Framework Assembly...)

           

          • 2. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
            bretzeli

We still see the behaviour with 10.5.1.1163, the latest HOTFIX.

            This IS not solved!

             

            Agent 5.0.5.658 

            McAfee DXL Client 3.0.0.285 

            Endpoint Security Platform 10.5.1.1190 

            DLP Endpoint 10.0.200.392 

            Endpoint Security Adaptive Threat Protection 10.5.1.1163 

            Endpoint Security Threat Prevention 10.5.1.1261

            • 3. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
              bretzeli

It looks like Kaspersky had the same effect in some of their products but solved it in a few days.

               

              https://forum.kaspersky.com/index.php?showtopic=355854

               

Similar detections found on user's PC, details provided below.

Trojan-Ransom.Win32.CryptXXX.eay
Wednesday, August 17, 2016 11:12:30 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b93233a5d6f5a80bc64b90ac3fc6eb9c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.eay User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\b93233a5d6f5a80bc64b90ac3fc6eb9c\microsoft.visualstudio.tools.office.word.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.eay
Wednesday, August 17, 2016 11:12:31 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc797fe80bada17182cbec0994499c47\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.eay User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\fc797fe80bada17182cbec0994499c47\microsoft.visualstudio.tools.office.word.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.eay
Wednesday, August 17, 2016 11:12:50 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#2165aae5b2d025488791fb592f17edb\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.eay User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#2165aae5b2d025488791fb592f17edb\microsoft.visualstudio.tools.office.word.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.fmo
Wednesday, August 17, 2016 11:12:28 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#4644f9f338028a3d9aec78ffc4225ae\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.fmo User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#4644f9f338028a3d9aec78ffc4225ae\microsoft.visualstudio.tools.office.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.fmo
Wednesday, August 17, 2016 11:12:29 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f5e9851d6be17d16e5cef3f300e0d70b\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.fmo User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\f5e9851d6be17d16e5cef3f300e0d70b\microsoft.visualstudio.tools.office.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.fmo
Wednesday, August 17, 2016 11:12:49 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2bc90719b8b328eb84e7f2d10ba27e5c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.fmo User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\2bc90719b8b328eb84e7f2d10ba27e5c\microsoft.visualstudio.tools.office.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.fsx
Wednesday, August 17, 2016 11:12:09 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d70674f906fdfe5f9dd66e8aa39469f7\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.fsx User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\d70674f906fdfe5f9dd66e8aa39469f7\microsoft.visualstudio.tools.office.excel.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.fsx
Wednesday, August 17, 2016 11:12:29 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\66f8442eeebc1b7944401bf8fbc849df\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.fsx User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\66f8442eeebc1b7944401bf8fbc849df\microsoft.visualstudio.tools.office.excel.hostadapter.v10.0.ni.dll

Trojan-Ransom.Win32.CryptXXX.fsx
Wednesday, August 17, 2016 11:12:47 AM
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e208beeac1f8d503a4010aa5990bc843\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Trojan Result: Deleted: Trojan-Ransom.Win32.CryptXXX.fsx User: *******(Active user) Object: C:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualstu#\e208beeac1f8d503a4010aa5990bc843\microsoft.visualstudio.tools.office.excel.hostadapter.v10.0.ni.dll

I hope these deleted files won't cause any issue to the user.

              • 4. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
                bretzeli

After MOVING the ticket around for 3 weeks now, they moved it to Development. Not really doing anything smart UNDER TIER4 this time. Just getting the server and client MER, we guess.

We showed the answer that this has to be moved to TIER4 at the start of the ticket.

                 

                Horrible support for such an expensive enterprise product.

                 

                Good afternoon,

                 

                As you must have seen the SR was escalated to Tier 4 and the content team is reviewing the file / logging provided. As soon as we receive feedback we will update you.

                 

                Best Regards,

                 

EMEA Business Support Product Lead – Malware / McAfee Support Threat Escalation Group

                 

                00800 122 55624 – Corporate Support Telephone https://support.mcafee.com/ServicePortal/

                • 5. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
                  bretzeli

                  Good afternoon,

                   

Regarding the creation of the new rule, if all goes well this is scheduled for release end of August.

                   

                  Best regards,

                   

                   

Emea Business Support Lead – McAfee Support Threat Escalation Group

                  • 6. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
                    bretzeli

Still waiting for a new release of TIE which will fix this. A new 10.2.X ATP came out. The 10.5.2 is due in the next days, and hopefully an ATP 10.5.2 module.

                     

                    14.08.2017

                     

                    Good morning,

                     

This is a quick check to see how things are going and if you require anything at the moment from our side.

                     

From my side I will let you know once the new rule has been created and added to the content.

                     

                    Best regards,

                     

                    Kor Krol

Emea Business Support Lead – McAfee Support Threat Escalation Group

                     

                    008001255624

                    • 7. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
                      Pmaquoi

If you are in need of the 10.5.2 (if I have correctly understood your post), the version is actually RTS, so you can request it by asking the support. I did it for another issue I had, and I'm currently using it on alpha and beta computers.

                      • 8. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
                        bretzeli

Update from McAfee developers....

This has been open since May 2017. If we ran customers in "BLOCK UNKNOWN mode" we would be DOWN and out of business, to clarify from our side! However, marketing sold the products for this purpose!

We are disappointed!

                        **************************************************************************

                         

                         

                        Good afternoon,

                         

The new rule (Rule 136) is currently still in QA, no direct ETA for RTW is available.

                         

                        Best regards,

                         

                         

Emea Business Support Lead – McAfee Support Threat Escalation Group

                         

                         

                          -----------------

                        From: MFE Support Outbound

                         

                         

                        Good afternoon,

                         

For the issue with Framework Assembly, the new rule (Rule 136) is in QA and will hopefully be released soon.

                         

                        From our side I will keep you in the loop.

                         

                        Best regards,

                         

                         

Emea Business Support Lead – McAfee Support Threat Escalation Group

                        • 9. Re: TIE ENS 10.5.1, Blocked Framework Assembly from MAY 2017 patchday before WANNA weekend
                          bretzeli

Hi, ENS 10.5.2 RTM did not solve this in any way (the 10.5.2 ATP module).

                          We had the RTS the day it came out...

                          They are still working on a new TIE rule for months now....
