0 Replies Latest reply on Dec 4, 2017 2:34 PM by fabhoo

    Exclusion of specific "ExP:Invalid Call" doesn't work

    fabhoo

      Hey there!


      I'm getting a lot of these exploit prevention threats:

      Event Received Time: 11/16/17 7:05:33 AM
      Event Generated Time: 11/15/17 3:24:17 PM
      Agent GUID: 4E52918C-60CF-11E7-2995-3C52823F0B67
      Detecting Prod ID (deprecated): ENDP_AM_1020
      Detecting Product Name: McAfee Endpoint Security
      Detecting Product Version: 10.5.3.3264
      Detecting Product Host Name: NB08295
      Detecting Product IPv4 Address: 10.51.2.99
      Detecting Product IP Address: 10.51.2.99
      Detecting Product MAC Address: 3c52823f0b67
      DAT Version:
      Engine Version:
      Threat Source Host Name:
      Threat Source IPv4 Address: 10.51.2.99
      Threat Source IP Address: 10.51.2.99
      Threat Source MAC Address:
      Threat Source User Name:
      Threat Source Process Name:
      Threat Source URL:
      Threat Target Host Name: NB08295
      Threat Target IPv4 Address: 10.51.2.99
      Threat Target IP Address: 10.51.2.99
      Threat Target MAC Address:
      Threat Target User Name:
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name: IEXPLORE.EXE
      Threat Target File Path: C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE
      Event Category: Host intrusion buffer overflow
      Event ID: 18055
      Threat Severity: Critical
      Threat Name: ExP:Invalid Call
      Threat Type: Exploit Prevention
      Action Taken: Would block
      Threat Handled: True
      Analyzer Detection Method: Exploit Prevention
      Events received from managed systems
      Event Description: A suspicious call was detected and blocked
      Additional Event details from VirusScan Enterprise
      Endpoint Security
      Module Name: Threat Prevention
      Analyzer Content Creation Date: 11/15/17 3:19:35 PM
      Analyzer Content Version: 10.5.0.8137
      Analyzer Rule ID: 6015
      Target Hash: 41c5d70956a565f7ae1979c9c165ea84
      Target Signed: Yes
      Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
      Target Parent Process Signed: Yes
      Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
      Target Parent Process Name: IEXPLORE.EXE
      Target Parent Process Hash: 1bb97e45d30d6884217b70e215591f97
      Target Name: IEXPLORE.EXE
      Target Path: C:\PROGRAM FILES (X86)\INTERNET EXPLORER
      Target File Size (Bytes): 815312
      Target Modify Time: 9/9/17 3:47:21 AM
      Target Access Time: 11/6/17 8:17:32 AM
      Target Create Time: 11/6/17 8:17:32 AM
      API Name: InternetReadFile
      First Action Status: Not available
      Second Action Status: Not available
      Description: ExP:Invalid Call was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.
      Attack Vector Type: Local System

      As far as I discovered, that's not really a threat and can be excluded. So I went to the exploit prevention policies and looked for Rule ID 6015. I found it, but it's disabled and wasn't set to report or block.


      So I created this exclusion, but it won't work; I still get those events. What am I doing wrong here?


      [Attachments: 01.PNG, 02.PNG (screenshots of the exclusion)]


      How can I exclude this certain type of threat? Is there a best practice guide for handling such events?


      Thanks a lot for your help!
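As an added example (not from the post and not McAfee's code), a small Python triage helper that parses an ePO event record like the one above into fields, pulls the caller module and API out of the free-text Description, and checks whether a candidate exclusion scoped on rule ID, process, caller module and API would cover that event. The matching model (blank criterion matches anything, case-insensitive comparison) and the sample excerpt are assumptions constructed for the example, not ENS's documented behaviour.

```python
import re

# Constructed excerpt of the ePO event record quoted in the post (same "Field: value" layout).
SAMPLE_EVENT = """\
Threat Target Process Name: IEXPLORE.EXE
Threat Name: ExP:Invalid Call
Analyzer Rule ID: 6015
API Name: InternetReadFile
Description: ExP:Invalid Call was detected as an attempt to exploit C:\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.
"""

# The caller module and targeted API only appear inside the free-text Description.
DESC_RE = re.compile(r"called from module (?P<module>\S+), which targeted the (?P<api>\S+) API")

def parse_event(text):
    """Split an ePO 'Field: value' record into a dict, skipping blank or label-only lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only: values may contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def exclusion_facts(fields):
    """Collect the values an Exploit Prevention exclusion is scoped on, plus the enforcement mode."""
    desc = fields.get("Description", "")
    m = DESC_RE.search(desc)
    return {
        "rule_id": fields.get("Analyzer Rule ID"),
        "process": fields.get("Threat Target Process Name"),
        "module": m.group("module") if m else None,
        "api": m.group("api") if m else fields.get("API Name"),
        "report_only": "Report Only" in desc,  # event was logged, not blocked
    }

def exclusion_matches(facts, exclusion):
    """Assumed matching model: every non-blank criterion must equal the event value
    (case-insensitive); a blank criterion matches anything. Keys: rule_id, process, module, api."""
    for key, wanted in exclusion.items():
        if wanted and (facts.get(key) or "").lower() != wanted.lower():
            return False
    return True

if __name__ == "__main__":
    facts = exclusion_facts(parse_event(SAMPLE_EVENT))
    candidate = {"rule_id": "6015", "process": "IEXPLORE.EXE", "module": "MCIEPLUGIN.DLL", "api": ""}
    print("candidate exclusion covers this event:", exclusion_matches(facts, candidate))
```

Running it over a batch of exported events shows which ones a proposed exclusion would actually match, and `report_only` separates events that were only logged from ones that were blocked.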