6 Replies Latest reply on Nov 25, 2009 3:14 PM by wwarren

    McAfee and Tripwire alerts

      Can someone maybe tell me what McAfee was doing at this particular time, since the updates were not running and I can't find any logs of the occurrence? These are at an off hour on Windows Server 2003, running McAfee 8.7 with ePolicy minding the roost.

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield\Security|Security
      MD5 old value = 2f9b8db94316bbdd42528bb68c7a31cf
      new value = f6784513e844ca916def14ae5419dced

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01
      Type old value = none
      new value = Key
      Owner old value = none
      new value = BUILTIN\Administrators
      SACL old value = none
      new value = (null)
      Group old value = none
      new value = NT AUTHORITY\SYSTEM
      DACL old value = none
      new value =
      BUILTIN\Users, Access Allowed Type:
      Standard rights: Read Control
      Specific rights: 0019
      Header flags: Inherited ACE
      BUILTIN\Users, Access Allowed Type:
      Generic rights: Generic Read
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      BUILTIN\Power Users, Access Allowed Type:
      Standard rights: Read Control
      Specific rights: 0019
      Header flags: Inherited ACE
      BUILTIN\Power Users, Access Allowed Type:
      Generic rights: Generic Read
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      BUILTIN\Administrators, Access Allowed Type:
      Standard rights: Delete, Read Control, Write DAC, Write Owner
      Specific rights: 003f
      Header flags: Inherited ACE
      BUILTIN\Administrators, Access Allowed Type:
      Generic rights: Generic All
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      NT AUTHORITY\SYSTEM, Access Allowed Type:
      Standard rights: Delete, Read Control, Write DAC, Write Owner
      Specific rights: 003f
      Header flags: Inherited ACE
      NT AUTHORITY\SYSTEM, Access Allowed Type:
      Generic rights: Generic All
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      CREATOR OWNER, Access Allowed Type:
      Generic rights: Generic All
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01\Enum
      Type old value = none
      new value = Key
      Owner old value = none
      new value = BUILTIN\Administrators
      SACL old value = none
      new value = (null)
      Group old value = none
      new value = NT AUTHORITY\SYSTEM
      DACL old value = none
      new value =
      BUILTIN\Users, Access Allowed Type:
      Standard rights: Read Control
      Specific rights: 0019
      Header flags: Inherited ACE
      BUILTIN\Users, Access Allowed Type:
      Generic rights: Generic Read
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      BUILTIN\Power Users, Access Allowed Type:
      Standard rights: Read Control
      Specific rights: 0019
      Header flags: Inherited ACE
      BUILTIN\Power Users, Access Allowed Type:
      Generic rights: Generic Read
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      BUILTIN\Administrators, Access Allowed Type:
      Standard rights: Delete, Read Control, Write DAC, Write Owner
      Specific rights: 003f
      Header flags: Inherited ACE
      BUILTIN\Administrators, Access Allowed Type:
      Generic rights: Generic All
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      NT AUTHORITY\SYSTEM, Access Allowed Type:
      Standard rights: Delete, Read Control, Write DAC, Write Owner
      Specific rights: 003f
      Header flags: Inherited ACE
      NT AUTHORITY\SYSTEM, Access Allowed Type:
      Generic rights: Generic All
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE
      CREATOR OWNER, Access Allowed Type:
      Generic rights: Generic All
      Header flags: Container Inherit ACE, Inherit Only ACE, Inherited ACE

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01\Enum|0
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = String
      MD5 old value = none
      new value = 9c141ad5742112498f571fe2d14bdd93

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01\Enum|Count
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = DWORD
      MD5 old value = none
      new value = 4352d88a78aa39750bf70cd6f27bcaa5

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01\Enum|NextInstance
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = DWORD
      MD5 old value = none
      new value = 4352d88a78aa39750bf70cd6f27bcaa5

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01|AltServiceName
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = String
      MD5 old value = none
      new value = 8e75b4c728e4816e181119a06081822a

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01|DisplayName
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = String
      MD5 old value = none
      new value = 19803384ff1745d9e7d8e0fed1d40b3f

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01|ErrorControl
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = DWORD
      MD5 old value = none
      new value = f1d3ff8443297732862df21dc4e57262

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01|Start
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = DWORD
      MD5 old value = none
      new value = edcfae989540fd42e4b8556d5b723bb6

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01|Type
      Type old value = none
      new value = Value
      Data Type old value = none
      new value = DWORD
      MD5 old value = none
      new value = 4352d88a78aa39750bf70cd6f27bcaa5

      Rule: XP - Service Registry Keys
      Time: 18 Oct 2009 03:18:07 -0500
      Added Element: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01|LoadArg
        • 1. Re: McAfee and Tripwire alerts
          bribri007

          Has there been any additional follow-up to this?  I am seeing similar behavior with Tripwire as well.  This key changes on most servers in the wee hours of the night.  I haven't been able to tell precisely what is causing this key to change.

           

          If you have found any further indication as to the cause I would be thankful if you shared it here.

           

          thanks!

          • 2. Re: McAfee and Tripwire alerts
            wwarren

            With the alert advising the creation of this key:

            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk01

             

            ... tells me that you just had a hotfix or patch update occur that replaced this driver.

            The other changes would be relevant to the same action.

            • 3. Re: McAfee and Tripwire alerts
              bribri007

              Thanks for replying so quickly!

               

              I believe you are referring to a Windows OS update or patch, and not a McAfee-specific update.  In case I am wrong, please clarify.

              There are several keys that I've noticed Tripwire catches as modifications,

               

               

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework\Security|Security

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield\Security|Security

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfevtp\Security|Security

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McTaskManager\Security|Security

               

               

              If it means anything different, there are a mix of 8.5 and 8.7 clients being managed by an ePO 4.5 server.

               

              My main concern is what the particular cause of the modification is, because it isn't an addition of this key, it is a modification of the current value of an existing key.  If it is something that is being caused by Microsoft updates, is this some mechanism within McAfee changing the keys, ePO changing the keys, or the Windows OS itself changing them?

               

              There isn't anything that shows up in the ePO agent log, or any of the debug logs I've looked at for the servers, that indicates these changes.    I'm content with agreeing it is related to updates, as Microsoft did just release a few in the last few days.  I would like to get a more detailed understanding of why the key changes.

               

              Possibly knowing what the keys precise functions are might help clarify this beyond doubt.  If you can shed light on this that would be fantastic to me.

               

              thanks again!

              • 4. Re: McAfee and Tripwire alerts
                wwarren

                I'm actually referring to a McAfee update, specifically for one of our products that utilize the driver named "mfehidk.sys".

                 

                The registry key listed is created by us, and notice the numeric appendage? mfehidk01.

                We create this key when that driver gets updated. It allows for another instance of the driver to exist in memory, while the older instance gets put into a pass-through mode. It's a clever way to update drivers without requiring a reboot.

                 

                I'm not sure what McAfee products you have that use this driver, but it could be VirusScan Enterprise (VSE), Host Intrusion Prevention (HIPS), Data-loss Prevention (DLP)... one of these got an update.

                 

                If the update was performed by the Agent then you'd expect to see something in the logs, assuming it hasn't been flushed out already.

                If another mechanism did the update, you're on your own.

                One of the alerts I read in your original post indicated the key was created.

                • 5. Re: McAfee and Tripwire alerts
                  bribri007

                  Hi William,

                   

                  I unfortunately think I've steered this thread a bit away from the original poster's interest in the mfehidk.sys driver.

                   

                  (we are using VSE to answer one question)

                  The keys I'm having show up as changed in Tripwire were the 4 keys I mentioned in my previous post.  If those keys are being updated through a McAfee update, is there a way to find what McAfee process is updating those keys through a log file somewhere?  I have looked at the ePO agent log and not found anything useful; is it possible there is a 'debug' log or such located with the VSE install that might reference the changes to the registry keys?

                   

                  thanks for your help!

                  • 6. Re: McAfee and Tripwire alerts
                    wwarren

                    Oh, righto - I'm on board now.

                    In that case, the keys you mention could be alerted upon without any reference whatsoever to a mfehidk01 key.

                     

                    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework\Security|Security

                    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield\Security|Security

                    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfevtp\Security|Security

                    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McTaskManager\Security|Security

                    The key hint here is that all of these modifications were to the "Security" subkeys for the service entry.

                    This stores permission information about what accounts are allowed to control these services.

                     

                    VirusScan's Access Protection setting "Prevent McAfee Services from being stopped" alters this key. I don't know of any other mechanism that would do that, and target all our service keys and not others. So, safe to assume the "Prevent McAfee Services from being stopped" setting was modified.

                    The only thing that would show up in the ePO Agent log, assuming the change was made via ePO, is that you'd see VirusScan policies being enforced!  Not very helpful. Nothing is logged to indicate the policy actually changed... interesting thought for forensic purposes though.

                     

                    If you know this was not done via ePO, you can then conclude it was done by something/someone local. And if by someone local, it was probably followed by stopping one or more of those services...
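
The `Security` value under each `Services\<name>\Security` key holds a self-relative Windows security descriptor in binary form, so a Tripwire alert only tells you its MD5 changed, not what changed. The following is an added example (not code from McAfee, Tripwire or anyone in this thread) that parses that binary blob offline, decodes the service-specific access mask, and reports which accounts hold SERVICE_STOP before and after a change, so you can answer "who can stop this service" from an exported or hive-extracted value. The two descriptors it runs on are constructed inline for the demonstration; the "after" state with an explicit deny of SERVICE_STOP for Administrators is a hypothetical illustration of a lock-down and is not a claim about what VirusScan's "Prevent McAfee Services from being stopped" setting actually writes.

```python
"""Decode the binary SECURITY_DESCRIPTOR stored in
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\Security\\Security and
report who holds SERVICE_STOP.  Added example, not McAfee or Tripwire code."""
import struct

# Service-specific access rights (winsvc.h) and the standard rights they share.
SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS = 0x01, 0x02, 0x04
SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP = 0x08, 0x10, 0x20
SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL = 0x40, 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
SERVICE_ALL_ACCESS = 0xF01FF
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000

# Generic-to-specific mapping the Service Control Manager applies to service objects.
GENERIC_MAP = {
    GENERIC_READ: READ_CONTROL | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS
                  | SERVICE_INTERROGATE | SERVICE_ENUMERATE_DEPENDENTS,
    GENERIC_WRITE: READ_CONTROL | SERVICE_CHANGE_CONFIG,
    GENERIC_EXECUTE: READ_CONTROL | SERVICE_START | SERVICE_STOP
                     | SERVICE_PAUSE_CONTINUE | SERVICE_USER_DEFINED_CONTROL,
    GENERIC_ALL: SERVICE_ALL_ACCESS,
}
ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01
INHERIT_ONLY_ACE = 0x08
SE_DACL_PRESENT = 0x0004
WELL_KNOWN = {"S-1-5-18": "NT AUTHORITY\\SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
              "S-1-5-6": "NT AUTHORITY\\SERVICE"}

def parse_sid(buf, off):
    """Binary SID -> 'S-R-A-s1-s2...' string and its length in bytes."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_dacl(sd):
    """Return [(ace_type, ace_flags, mask, sid)] from a self-relative SD, or None for a NULL DACL."""
    rev, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BxHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return None                      # NULL DACL: everyone gets everything
    _acl_rev, _acl_size, ace_count = struct.unpack_from("<BxHHxx", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid, _ = parse_sid(sd, pos + 8)
        aces.append((ace_type, ace_flags, mask, sid))
        pos += ace_size                  # ace_size also covers unknown/object ACE types
    return aces

def specific_mask(mask):
    """Expand GENERIC_* bits into the service-specific rights they map to."""
    out = mask & 0x0FFFFFFF
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            out |= specific
    return out

def effective_rights(aces, token_sids):
    """Walk the DACL in order: a deny ACE blocks bits not already granted by an
    earlier allow ACE (simplified per-bit model of the kernel's first-match check)."""
    if aces is None:
        return SERVICE_ALL_ACCESS
    granted = denied = 0
    for ace_type, flags, mask, sid in aces:
        if flags & INHERIT_ONLY_ACE or sid not in token_sids:
            continue
        mask = specific_mask(mask)
        if ace_type == ACCESS_ALLOWED:
            granted |= mask & ~denied
        elif ace_type == ACCESS_DENIED:
            denied |= mask & ~granted
    return granted

def who_can_stop(sd):
    """Accounts named in the DACL that end up with SERVICE_STOP (each evaluated as a lone SID)."""
    aces = parse_dacl(sd)
    sids = {sid for _, _, _, sid in aces or []}
    return sorted(WELL_KNOWN.get(s, s) for s in sids if effective_rights(aces, {s}) & SERVICE_STOP)

def stop_right_delta(old_sd, new_sd):
    old, new = set(who_can_stop(old_sd)), set(who_can_stop(new_sd))
    return {"lost_stop": sorted(old - new), "gained_stop": sorted(new - old)}

# --- constructed sample descriptors (builder is only here to make the demo self-contained) ---
def build_sid(sid_str):
    parts = sid_str.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sd(aces):
    """Self-relative SD with a DACL only; (ace_type, mask, sid) triples, flags 0."""
    body = b""
    for ace_type, mask, sid in aces:
        s = build_sid(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(s), mask) + s
    acl = struct.pack("<BxHHxx", 2, 8 + len(body), len(aces)) + body
    return struct.pack("<BxHIIII", 1, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

# Typical default service DACL: SYSTEM and Administrators may stop, interactive/service users may not.
DEFAULT_DACL = [(ACCESS_ALLOWED, 0x201FD, "S-1-5-18"), (ACCESS_ALLOWED, 0xF01FF, "S-1-5-32-544"),
                (ACCESS_ALLOWED, 0x2018D, "S-1-5-4"), (ACCESS_ALLOWED, 0x2018D, "S-1-5-6")]
# Hypothetical "after" state: an explicit deny of SERVICE_STOP for Administrators, canonical order (denies first).
LOCKED_DACL = [(ACCESS_DENIED, SERVICE_STOP, "S-1-5-32-544")] + DEFAULT_DACL
OLD_SD, NEW_SD = build_sd(DEFAULT_DACL), build_sd(LOCKED_DACL)

if __name__ == "__main__":
    print("before:", who_can_stop(OLD_SD))
    print("after: ", who_can_stop(NEW_SD))
    print("delta: ", stop_right_delta(OLD_SD, NEW_SD))
```

On a live host the same bytes can be read from the REG_BINARY `Security` value (or compared against `sc sdshow <svc>`, which prints the SDDL form where `WP` is SERVICE_STOP). Feeding the exported old and new values to `stop_right_delta` turns a bare MD5 change in a Tripwire report into a statement of which principals gained or lost the ability to stop the service, which is the question that matters when deciding whether the change was a policy enforcement or a local tamper.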