3 Replies Latest reply on Aug 17, 2017 9:45 AM by woody188

    ATP/TIE blocks DLL's used by EXE's but doesn't say so outside of debug mode (that I can tell)

    woody188

      We get TIE/ATP alerts that include information like this:


      Threat Name: ATP/Suspect!5758be09c8d6

      Offending File: SP2EUP.EXE

      Source Process: C:\WINDOWS\SPLWOW64.EXE


      This is a Sharp Printer Driver. I look up the file in the TIE Reputations and change it to "Known Trusted", but we'll continue to get DAC blocks unless we add a policy exclusion. What I have discovered is that ATP is also rating all the DLLs loaded with the PE32 file. So when I look in debug mode, I also see these files with an unknown reputation:


      C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EU.DLL reputation 50

      C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUD.DLL reputation 50

      C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.DLL reputation 50

      C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUSR.DLL reputation 50

      C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUPV7.DLL reputation 50


      So I have to go back into the TIE Reputations and also update these DLLs as "Known Trusted" (or whatever setting I want for the reputation) so the PE32 is then allowed to execute outside of DAC. Is there a setting somewhere, or is this DLL blocking information available without having to turn on DEBUG mode on the endpoint client?


      I'm only getting that the EXE is contained when it's the DLL reputations that are responsible for the EXE containment.

        • 1. Re: ATP/TIE blocks DLL's used by EXE's but doesn't say so outside of debug mode (that I can tell)
          bretzeli

          Hello,


          We have the same problem with around 50 files out of 120'000. That does not seem like a lot, but it is exactly a major app for an enterprise customer which changes every two weeks.

          It's a really large application used in healthcare worldwide, but it seems to deploy with a ClickOnce installer so updates don't have to go through change and release management.

          Yes, you are correct. FOR those files we need to exclude them from THE DAC Module with the ALERT we see, like "JTI/*******", hard coded. Even when ALL of those files are set manually to ENTERPRISE TRUST.

          If that does not work, we have to exclude the DIRECTORY or EXE add. from scanning at all.

          Yes, you are right, that's complicated and costs a lot of troubleshooting and our customer a lot of time and MONEY.

          • 2. Re: ATP/TIE blocks DLL's used by EXE's but doesn't say so outside of debug mode (that I can tell)
            woody188

            Yeah I know I'm in trouble when I see this:


            08/16/2017 10:01:01.267 PM   mfeatp(2112.5076) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

            08/16/2017 10:01:01.436 PM   mfeatp(2112.7396) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 0 final 0 result 0x40300001 flags 0x0000000000000000 type: 1 connectivity: 0

            08/16/2017 10:01:01.437 PM   mfeatp(2112.7396) <SYSTEM> Orchestrator.Action.Debug: Non actionable reputation score(0) recieved for C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE


            So I don't know if it is a comms thing but it just overrode what it isn't supposed to be able to override, my enterprise reputation score.

            • 3. Re: ATP/TIE blocks DLL's used by EXE's but doesn't say so outside of debug mode (that I can tell)
              woody188

              Here are the other lines bretzeli is talking about:


              08/16/2017 04:23:45.555 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

              08/16/2017 04:23:45.721 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE JTI reputation 15 rule 234 threat name JTI/Suspect!65770 , JCM reputation 15, IsFinal 0

              08/16/2017 04:23:45.722 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE

              08/16/2017 04:23:45.962 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.DACSC.Activity: Application [C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE] with reputation 15 is contained by DAC Scanner


              It just ignores my enterprise reputation. Maybe this is to stop injection-type attacks, which I totally get, but dang man, tell me why and what files so I can whitelist my good DLLs.
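Because the thread's complaint is that the DLL reputations and the override of the enterprise score only surface in the endpoint's mfeatp debug log, here is an added example (not from the thread and not McAfee's code) that parses debug lines of the shape quoted above and lists the files a TIE administrator has to act on: files contained by DAC, files still at the Unknown level (50), and files whose trusted reputation was later downgraded. The sample log is constructed from the quoted entries (the SP2EU.DLL line mirrors their shape); only the path and reputation fields are interpreted.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mfeatp debug lines quoted in the thread.
SAMPLE_LOG = r"""
08/16/2017 04:23:45.555 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1
08/16/2017 04:23:45.721 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE JTI reputation 15 rule 234 threat name JTI/Suspect!65770 , JCM reputation 15, IsFinal 0
08/16/2017 04:23:45.962 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.DACSC.Activity: Application [C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EUP.EXE] with reputation 15 is contained by DAC Scanner
08/16/2017 04:23:46.001 PM   mfeatp(2608.7416) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\SP2EU.DLL reputation 50 final 0 result 0x00000000 flags 0x0000000000000000 type: 1 connectivity: 1
"""

# "<timestamp>   mfeatp(pid.tid) <ctx> Component.Sub.Level: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M)\s+"
    r"mfeatp\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+<(?P<ctx>[^>]+)>\s+"
    r"(?P<src>[\w.]+):\s+(?P<msg>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\]]+")      # stops at the ']' of "[path]"
REP_RE = re.compile(r"\breputation (\d+)")          # skips "reputation score(0)"
THREAT_RE = re.compile(r"threat name (\S+)")
TIE_UNKNOWN, TIE_TRUSTED_FLOOR = 50, 70             # standard TIE reputation scale

def summarize(log_text):
    """Per file: ordered (component, reputation) observations, threat name, DAC containment."""
    files = defaultdict(lambda: {"reputations": [], "threat": None, "contained": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                 # not an mfeatp line; ignore
        msg = m.group("msg")
        path, rep = PATH_RE.search(msg), REP_RE.search(msg)
        if not path or not rep:
            continue                                 # no file/reputation pair on this line
        entry = files[path.group(0).upper()]
        entry["reputations"].append((m.group("src"), int(rep.group(1))))
        threat = THREAT_RE.search(msg)
        if threat:
            entry["threat"] = threat.group(1)
        if "contained by DAC Scanner" in msg:
            entry["contained"] = True
    return dict(files)

def needs_review(summary):
    """Files an administrator should look at in TIE, with the reason for each."""
    flagged = {}
    for path, entry in summary.items():
        reps = [r for _, r in entry["reputations"]]
        reasons = []
        if entry["contained"]:
            reasons.append("contained by DAC (threat %s)" % entry["threat"])
        if TIE_UNKNOWN in reps:
            reasons.append("unknown reputation (50): set a reputation in TIE")
        if reps and max(reps) >= TIE_TRUSTED_FLOOR and reps[-1] < max(reps):
            reasons.append("trusted reputation %d overridden to %d" % (max(reps), reps[-1]))
        if reasons:
            flagged[path] = reasons
    return flagged
```

Run it over a real debug log with `needs_review(summarize(open(path).read()))` to get the DLL list the first post had to assemble by hand.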