11 Replies. Latest reply on Nov 2, 2016 3:49 AM by rmetzger

    How to make an exception for *.vbs files

      We have numerous systems that use C:\Windows\system32\cscript.exe to run *.vbs scripts used for system maintenance. The *.vbs files get flagged by VSE threat name "Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder" because the files run from a temp folder.

      I don't want to exclude cscript.exe because of the obvious risks.

      Is it possible to make exclusions in VSE based on the "Threat Target File Path:" field (i.e. for specific *.vbs script names)? I can't seem to find a way to do it.

      PG

        • 1. Re: How to make an exception for *.vbs files
          Don_Martin

          Hello,

          Why don't you try a definition based on this article? https://kc.mcafee.com/corporate/index?page=content&id=KB55139

          I'm not sure if the policy "Deny execution of Files from Temp" will be outlined in this case, but in a test environment I would give it a shot.

          • 2. Re: How to make an exception for *.vbs files

            I can't think of any way to do it natively. You either exclude cscript for all files from temp, or block it.

            • 3. Re: How to make an exception for *.vbs files
              rmetzger

              hbss_admin wrote:

              We have numerous systems that use C:\Windows\system32\cscript.exe to run *.vbs scripts used for system maintenance. The *.vbs files get flagged by VSE threat name "Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder" because the files run from a temp folder.

              I don't want to exclude cscript.exe because of the obvious risks.

              Is it possible to make exclusions in VSE based on the "Threat Target File Path:" field (i.e. for specific *.vbs script names)? I can't seem to find a way to do it.

              Hi hbss_admin:

              Well, it can be done but is highly discouraged, as this would open the systems up to a great deal of malware.

              **\mysoftware\*.vbs could be done.

              A better approach would be to implement High-risk / Low-risk Processes and do the exclusion within the Low-risk processes. This will limit your exposure to just those processes / applications you define, yet maintains default or high-risk checks on all other processes, maintaining proper security as suggested in the Best Practices Guide for VSE 8.8.

              Hope this is helpful.

              Ron Metzger

              • 4. Re: How to make an exception for *.vbs files
                um_idk

                Hi HBSS_Admin,

                You can utilize HIPS in lieu of this specific VSE Access Protection rule by enabling IPS rule 3893 (Access Protection - Prevent execution of scripts from the Temp folder). This will enable you to create a more specific (IPS) exception while maintaining a higher level of security than VSE would offer by excluding cscript in its entirety.

                Sincerely,

                umk_idk

                • 5. Re: How to make an exception for *.vbs files
                  newbernd

                  I would also like to see the exclusion filters apply to the Threat Target File Path field. This seems like the most obvious way to combat the problem.

                  The suggestions to use high/low risk processes rules unfortunately have no bearing on the Access Control policies.

                  While HIPS policies may give you finer control here, HIPS is a complicated beast to deploy. This should be a simple thing. If you have a rule that is described as "controlling scripts" in the temp folder, and you have a provision for exclusions, then the exclusion should at least apply to the script name and not the interpreter. This is a good idea, but unfortunately the implementation renders it useless.

                  Message was edited by: newbernd on 4/16/13 9:09:22 AM CDT
                  • 6. Re: How to make an exception for *.vbs files
                    youngpae

                    @rmetzger

                    I have a question on your answer... I thought that you can only add <ProcessName.exe> or <full or partial path>\<processname>.exe on the Inclusion or Exclusion for AP rules.

                    So are you saying we can add <FolderName>\ABC*.vbs on the AP Process Exclusion section?

                    I have a similar situation where legitimate software tries to create C:\Windows\Temp\RADxxxx.tmp (a VBScript file but with a .tmp extension) and execute it with CSCRIPT.EXE, and we have 1.5 million records per month.

                    I am also wondering if adding C:\Windows\Temp\RAD*.tmp to the High Risk OAS Exclusions would help or not. (CScript.exe is listed on High Risk OAS.)

                    In the worst case, I was thinking about having a query called "False Positive events - Cannot be excluded" (with the Target File Path C:\Windows\Temp\RAD*.tmp) and creating a Server Task to run the query and purge it every day...

                    Thanks,

                    Young-

                    • 7. Re: How to make an exception for *.vbs files
                      rmetzger

                      youngpae wrote:

                      @rmetzger

                      I have a question on your answer... I thought that you can only add <ProcessName.exe> or <full or partial path>\<processname>.exe on the Inclusion or Exclusion for AP rules.

                      So are you saying we can add <FolderName>\ABC*.vbs on the AP Process Exclusion section?

                      Yes, the very point of High/Low Risk Process Policies is to minimize the exclusions (openings or security holes) to specific processes, leaving every other process without the exclusions (openings or security holes).

                      I would suggest a thorough read of:

                      McAfee KnowledgeBase - Understanding High-Risk, Low-Risk, and Default processes configuration and usage

                      McAfee KnowledgeBase - Understanding Exclusions in High-Risk/Low-Risk profiles

                      McAfee KnowledgeBase - How to create Low-Risk and High-Risk process exclusions in VirusScan Enterprise

                      A lot of reading. Let us know of any additional resources we can provide in understanding High/Low risk process policies.

                      Hope this is helpful.

                      Ron Metzger

                      • 8. Re: How to make an exception for *.vbs files
                        youngpae

                        Hi @rmetzger

                        Thanks for your reply.

                        But as a (senior) ePO Admin for 12 years, I think I know enough about VSE OAS handling...

                        I was more asking about Access Protection's Process Inclusion and Exclusion with non-.EXE based files (e.g. .VBS, .PS1, or .BAT)...

                        The reason I asked the question was that I thought it was impossible (e.g. you can add wscript.exe, cscript.exe, powershell.exe and/or cmd.exe to include or exclude, not the actual script files...). For obvious reasons, we cannot add those "potentially hostile" processes to the included or excluded processes list, and I was hoping that I could put some exceptional/legitimate scripts (.vbs, .ps1 and .bat with path) on exclusion so that I can avoid millions of false positive events uploaded to the ePO event database.

                        William Warren's blog below is must-read information to understand how VSE works:

                        https://community.mcafee.com/people/wwarren/blog

                        Thanks,

                        Young-

                        • 9. Re: How to make an exception for *.vbs files
                          rmetzger

                          youngpae wrote:

                          Hi @rmetzger

                          But as a (senior) ePO Admin for 12 years, I think I know enough about VSE OAS handling...

                          Sorry, no insult intended, as I cannot know your knowledge level or the knowledge level of those also reading these replies.

                          youngpae wrote:

                          I was more asking about Access Protection's Process Inclusion and Exclusion with non-.EXE based files (e.g. .VBS, .PS1, or .BAT)...

                          The reason I asked the question was that I thought it was impossible (e.g. you can add wscript.exe, cscript.exe, powershell.exe and/or cmd.exe to include or exclude, not the actual script files...). For obvious reasons, we cannot add those "potentially hostile" processes to the included or excluded processes list, and I was hoping that I could put some exceptional/legitimate scripts (.vbs, .ps1 and .bat with path) on exclusion so that I can avoid millions of false positive events uploaded to the ePO event database.

                          The Process is an Exe file in your case, cscript.exe for .VBS files. The exclusion is for the (hopefully static or easily restricted path\filename) .vbs file which the process cscript.exe runs.

                          From McAfee KnowledgeBase - Understanding Exclusions in High-Risk/Low-Risk profiles:

                          "If you add an exclusion to either the High-Risk or Low-Risk profile, it will be excluded from scanning only if it is being accessed by one of the processes/applications included in the list of processes defined in the corresponding profile. Therefore, the exclusion would not apply to processes and/or applications that would be scanned using the default profile."

                          cscript.exe is located in the High-Risk Process Policy. You are not excluding cscript.exe, rather excluding the .vbs of your choice. This should "avoid millions of false positive events uploaded to the ePO event database."

                          But for High/Low Risk Process Policies to work you will need to make some changes (from the VSE Console; please convert to the ePO equivalent):

                          On-Access Scan Properties -> All Processes -> Processes

                               Select "Configure different scanning policies for high-risk, low-risk, and default processes."

                          If you had "Configure one scanning policy for all processes", this is a major change and I would expect serious testing before implementing it into production. But using High/Low Risk Process Policies enables far greater control over exclusions and performance while limiting the security exposure.

                          youngpae wrote:

                          William Warren's blog below is must-read information to understand how VSE works:

                          https://community.mcafee.com/people/wwarren/blog

                          Agreed, an excellent read.

                          Good Luck,

                          Ron Metzger
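As an added example (not code from the thread or from McAfee), here is a small Python model of the High-Risk profile exclusion rule quoted from the KB above: an exclusion covers a file only when it is accessed by a process listed in that same profile. It assumes VSE-style wildcards in which `**` spans directory separators and `*` does not (an assumption, not a McAfee spec), uses constructed events modelled on the thread's RAD*.tmp and *.vbs cases, and models only the On-Access Scan profile semantics, not Access Protection rules.

```python
import re
from ntpath import basename

# Assumed wildcard semantics (an assumption for this example, not a McAfee spec):
# '**' matches any run of characters including backslashes, '*' any run without
# a backslash, '?' a single character. Windows paths compare case-insensitively.
def wildcard_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            token, step = ".*", 2
        elif pattern[i] == "*":
            token, step = r"[^\\]*", 1
        elif pattern[i] == "?":
            token, step = r"[^\\]", 1
        else:
            token, step = re.escape(pattern[i]), 1
        out.append(token)
        i += step
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

class RiskProfile:
    """A High-Risk or Low-Risk OAS profile: the processes it covers and its
    exclusions. Per the KB text quoted in the thread, an exclusion applies
    only when the file is accessed by a process listed in this profile."""
    def __init__(self, processes, exclusions):
        self.processes = {p.lower() for p in processes}
        self.exclusions = [wildcard_to_regex(e) for e in exclusions]

    def excludes(self, process_path, target_path):
        if basename(process_path).lower() not in self.processes:
            return False          # default profile: exclusion does not apply
        return any(rx.match(target_path) for rx in self.exclusions)

def triage(events, profile):
    """Split events into 'expected' (covered by an exclusion) and 'review'."""
    expected, review = [], []
    for ev in events:
        bucket = expected if profile.excludes(ev["process"], ev["target"]) else review
        bucket.append(ev)
    return expected, review

# Constructed sample events modelled on the thread's cases (not real ePO data).
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\system32\cscript.exe", "target": r"C:\Windows\Temp\RAD1A2B.tmp"},
    {"process": r"C:\Windows\system32\cscript.exe", "target": r"C:\Temp\mysoftware\maint.vbs"},
    {"process": r"C:\Windows\system32\cscript.exe", "target": r"C:\Windows\Temp\unknown.vbs"},
    {"process": r"C:\Windows\system32\wscript.exe", "target": r"C:\Temp\mysoftware\maint.vbs"},
]
HIGH_RISK = RiskProfile(["cscript.exe"], [r"**\mysoftware\*.vbs", r"C:\Windows\Temp\RAD*.tmp"])
```

Running `triage(SAMPLE_EVENTS, HIGH_RISK)` leaves the unknown .vbs and the wscript.exe event in the review bucket, since neither the path nor the process is covered by the exclusion.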
