6 Replies Latest reply on Jun 12, 2015 2:39 AM by Troja

    Malware completely bypasses Application Control


      Hi all,

      I have a system where malware is executed to analyze threats. I have a threat which completely bypasses Application Control. How can this be?

      If I execute the malware, everything is bypassed, really every McAfee security product!

      Actually GTI knows the original file. But in fact, if there is a new version of it, and this will happen, why is Application Control not able to protect?


      This is my system configuration:


      Solidcore Configuration:

      C:\>sadmin config show

        CustomerConfig                158 (0x9e)
        MPCompat                      0 (0x0)
        FileRetrySecs                 0 (0x0)
        DoNotApplyAefBackupRules      0 (0x0)
        CustomizedEventCacheSize      1000 (0x3e8)
        EventCacheSize                2 (0x2)
        EventCacheWMHigh              90 (0x5a)
        EventCacheWMLow               70 (0x46)
        FailSafeConf                  0 (0x0)
      * FeaturesEnabled               213340175514933423 (0x2f5efc261e318af)
      * FeaturesEnabledOnReboot       213340175514933423 (0x2f5efc261e318af)
      * FeaturesInstalled             288212725746833663 (0x3ffeff271e318ff)
      * FileAttrCTrack                5024 (0x13a0)
      * FileDenyReadOptions           1024 (0x400)
      * FileDenyWriteOptions          4831 (0x12df)
        FileDiffAttrOnlyTypes         zip,7z,rar,gz,tgz,jpg,gif,tiff,png,bmp,pdf,tar,b
        FileDiffMaxFiles              100 (0x64)
        FileDiffMaxSize               1000 (0x3e8)
        FipsMode                      0 (0x0)
        InvDiffConfig2                2 (0x2)
        InvDiffTimeout                10800 (0x2a30)
        PullInvTimeout                604800 (0x93a80)
      * LockdownStatus                0 (0x0)
        LogFileNum                    4 (0x4)
      * LogFilePath                   C:\PROGRA~3\McAfee\Solidcore\Logs
        LogFileSize                   2048 (0x800)
        ProdIntegrationConfig         1 (0x1)
      * RTEMode                       1 (0x1)
      * RTEModeOnReboot               1 (0x1)
        SoPriority                    1 (0x1)
        ssLangId                      Default
      * WorkFlowId                    OBSERVE_MODE: AUTO_1
      * AgentEventsThreshold          2000 (0x7d0)
        AgentEventsThresholdOnWakeup  2000 (0x7d0)
      * SupplierCacheSize             7000 (0x1b58)
        SupplierCacheSizeOnWakeup     7000 (0x1b58)
        ConsumerThreadTimeout         10800000 (0xa4cb80)
        InvDiffAgentEventsThreshold   15000 (0x3a98)
      * ObAgentEventsThreshold        100 (0x64)
        ObAgentEventsThresholdOnWakeup        100 (0x64)
      * ObSupplierCacheSize           700 (0x2bc)
        ObSupplierCacheSizeOnWakeup   700 (0x2bc)
        ObConsumerThreadTimeout       10800000 (0xa4cb80)
        Accessibility                 0 (0x0)
        EventCacheIntervalMilliSecs   10000 (0x2710)


      Memory Protection Features:

      C:\>sadmin features list

        activex                        Enabled
        checksum                       Enabled
        deny-read                      Enabled
        deny-write                     Enabled
        discover-updaters              Enabled
        enduser-notification           Enabled
        integrity                      Enabled
        mp                             Enabled
        mp-nx                          Enabled
        mp-vasr                        Enabled
        mp-vasr-forced-relocation      Enabled
        network-tracking               Enabled
        pkg-ctrl                       Enabled
        script-auth                    Enabled


      The location where the malware is located is not solidified

      C:\>sadmin lu c:\malware




      If I execute the Filezilla installation I receive an error:




      If I execute the crypt.exe file, the malware gets active. No Solidcore event! Nothing... afterwards it just encrypts the system!

      - open command line windows are closed, and so on...


      1) The location where I started the crypt.exe file shows the help-decrypt file.



      2) MWG shows access to the servers on the internet (it is set not to block, in order to show the behavior).

      ipinfo.io is not a "bad" URL in GTI.




      How can this be? Can anyone explain this?