2 Replies Latest reply on Oct 7, 2015 5:12 AM by bretzeli

    EPO, Endpoint Intelligence, raptor_detected_threat > Alert Analyse, rundll32.exe

    bretzeli

       

      Hello,


      We have integrated "Endpoint Intelligence", which lets you scan EXE files on clients and their connections. This was reported in a McAfee blog as a freebie.

      Mainly we see this Raptor.exe (Stinger V2.0) for ePO. As in the past, this will be free, but after some time you will have to pay (like GTI Proxy, like Real Time for ePO).

      Our main target would be to offer customers some more help in the direction of CryptoLocker (I know the PDF and whitepapers from McAfee).

      We have the EIA agent running on 5 clients out of thousands for test purposes.

      Question > In some other forum entry in here McAfee says it will LOG/Report only > Is this still correct?

      From the event I see below, can I get more info on the process? I know it is rundll32.exe, so it's hidden in there.

      We also assume it's a whitelisted application.

      Do I have to take it further apart on the client system with tools like Sysinternals to see who calls rundll32.exe?

      Request: The target IP would be really helpful, not only the number of connections the exe made.

       

       

      Threat Target File Path: rundll32.exe (md5: dd81d91ff3b0763c392422865c9ac12e)
      Event Category: Malware detected
      Event ID: 1024
      Threat Severity: Alert
      Threat Name: Injector
      Threat Type: raptor_detected_threat
      Action Taken: None
      Threat Handled:
      Analyzer Detection Method: RAPTOR
      Events received from managed systems
      Event Description: Infected file found, access denied

       

      Greetings from Switzerland
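The event above names rundll32.exe only by MD5 and gives a connection count without targets, so the client itself has to supply the rest: which rundll32.exe on disk matches the hash, which DLL and export it was started with, which process spawned it, and which remote addresses it is talking to. The following PowerShell is an added example written for this thread, not code from McAfee, ePO or the EIA agent; it assumes an elevated PowerShell 3.0+ session on the affected Windows client, uses only built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature, Get-CimInstance, Get-NetTCPConnection, the last requiring Windows 8/Server 2012 or later), and pastes the MD5 from the event into $EventMd5.

```powershell
# Added example (not from the original post or from McAfee): triage rundll32.exe on a client
# after an ePO "raptor_detected_threat" event that identifies it only by MD5.
# Assumptions: elevated PowerShell 3.0+ on the affected client; $EventMd5 is the hash from the event.
$EventMd5 = 'dd81d91ff3b0763c392422865c9ac12e'

# 1. Which rundll32.exe on disk does the event refer to? Hash both the native and the
#    WOW64 copy and check the Authenticode signature, so a legitimate Microsoft binary
#    can be told apart from a renamed one dropped somewhere else.
$candidates = @("$env:SystemRoot\System32\rundll32.exe",
                "$env:SystemRoot\SysWOW64\rundll32.exe")
foreach ($path in $candidates) {
    if (Test-Path -Path $path) {
        $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path         = $path
            MD5          = $md5
            MatchesEvent = ($md5 -eq $EventMd5)
            Signer       = $sig.SignerCertificate.Subject
            SigStatus    = $sig.Status
        }
    }
}

# 2. rundll32.exe is only a host process. What matters is the DLL and export on its
#    command line and the parent that launched it; Win32_Process exposes both.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$rundll = $procs | Where-Object { $_.Name -ieq 'rundll32.exe' }
foreach ($r in $rundll) {
    $parent     = $byPid[[int]$r.ParentProcessId]
    $parentName = if ($parent) { $parent.Name }        else { '<parent already exited>' }
    $parentCmd  = if ($parent) { $parent.CommandLine } else { $null }
    [pscustomobject]@{
        PID         = $r.ProcessId
        ImagePath   = $r.ExecutablePath      # should be under System32/SysWOW64
        CommandLine = $r.CommandLine         # the DLL,Export actually being run
        ParentPID   = $r.ParentProcessId
        ParentName  = $parentName
        ParentCmd   = $parentCmd
    } | Format-List
}

# 3. The event only counts connections; the remote addresses must come from the host.
#    Map the live sockets of every rundll32.exe instance to their owning PID.
$rundllPids = @($rundll | ForEach-Object { [uint32]$_.ProcessId })
if ($rundllPids.Count -gt 0) {
    Get-NetTCPConnection -OwningProcess $rundllPids -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize
}
```

A rundll32.exe whose ExecutablePath is outside System32/SysWOW64, whose signature status is not Valid, or whose parent is an Office application or a script host rather than explorer.exe or svchost.exe is the instance worth pulling apart further with Process Explorer or Process Monitor; a parent that has already exited is itself a hint, since dropper-style launchers often terminate right after starting the host process.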

        • 2. Re: EPO, Endpoint Intelligence, raptor_detected_threat > Alert Analyse, rundll32.exe
          bretzeli

          All info related to that case is collected on our own site. This is rather important BECAUSE we heard that Raptor will be part of VSE 10. So things should be cleared up before that release.

          http://www.butsch.ch/post/Mcafee-Endpoint-Intelligent-Agent-Raptor-Integration.aspx



           

          Dear Michael,

          please find your questions and our back office answers below:

          a)      Something is isolated

          Answer: No, nothing is isolated.

          b)      Something is blocked

          Answer: No, nothing is blocked.

          c)       We assume that the Raptor module is used by the EI-Agent to determine if an EXE on the client is bad/good/nothing. Raptor.exe USED by the EI-Agent WILL NOT BLOCK/ISOLATE/TRY TO STOP anything?

          Answer: Raptor is only used for detecting malicious activity and to identify an executable that is responsible for this. It does not classify an exe as good or bad or unknown. No blocking.

          d)      As mentioned in the McAfee blog where McAfee recommends the EI-Agent as a solution for finding Locker malware EXEs on clients, IT SAYS it will MONITOR/REPORT only

          Answer: EIA with ePO can be used for reporting the number of connections from an executable with other information like MD5, absolute path and also the malware risk score for each of the executables.

          e)      Why does ePO then show the THREAT event?

          Answer: The threat event is shown for reporting alone. For alerting the admin.

          Please let me know in case of open questions or if I can assist you in any way.

          With kind regards,

          S. Masnizki

          Technical Support Engineer

          http://www.intelsecurity.com/