7 Replies Latest reply on Dec 19, 2016 2:05 PM by amin.

    Access Protection triggered by powershell script

    amin.

      Hi everyone,

      I am having some issues with many threats being generated by a PowerShell script and I'm trying to find a way to either correct it, or reduce the number of threats without creating an exception for powershell.exe.

      We have developers working on software and a PowerShell script is used to work on a build.


      • The user running it is a local administrator (domain account)

      A bit after the script runs, McAfee generates threat events for powershell.exe: Common Standard Protection:Prevent modification of McAfee files and settings


      If the event was "prevent termination", I would assume it is because the account running powershell.exe is an administrator account with termination privileges.

      However, it's modification of McAfee files, which I believe is probably because the local admin account has access to %SYSTEM%?


      After running Process Monitor during run time, I can see PowerShell does CreateFile, QueryDirectory and CloseFile.

      After CreateFile, mfeann.exe QueryOpens the log file (accessprotection.txt), and when PowerShell does a QueryDirectory and then CloseFile, mfeann.exe does a CreateFile and QueryBasicInformation. PowerShell then does IRP_MJ_Close, which is followed by mfeann.exe doing CloseFile. (Any suggestions on reading Process Monitor logs in the context of McAfee would be appreciated.)


      I'm not sure if this provides much information; however, I need to know how to prevent all the threats from being generated. Does the script need to be re-written in a certain way? If so, how can I get enough information to be able to explain this to the developers?

      We tried running it with a user account that does not have administrator privileges; however, it didn't complete. This is probably because it didn't have permissions to read/write on the files it needs.

      How could I communicate to the dev team, so as to keep the script from triggering Access Protection?


      I would appreciate your help. Thanks!

        • 1. Re: Access Protection triggered by powershell script
          tkinkead

          Which file does Access Protection think is being modified? It should show in the Access Protection log for the "prevent modification of McAfee files" rule.

          • 2. Re: Access Protection triggered by powershell script
            amin.

            tkinkead: It only shows McAfee files, though I'm not sure what exactly the deleteme and rbf files are.

            C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEAACA.DLL.85DF.DELETEME

            C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\SYSTEMCORE\MFEHIDA.DLL.5CF2.DELETEME

            C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEMMSA.DLL.611F.DELETEME

            C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEMMS.EXE.9430.DELETEME

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\LOCKDOWN.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\BBCPL.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\GRAPHICS.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\RES0900\MCSHIELD.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\SHUTIL.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\LOCKDOWN.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\BBCPL.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\GRAPHICS.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\RES0900\MCSHIELD.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\SHUTIL.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\X64\LOCKDOWN.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\X64\MFEANN.EXE.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\X64\SHUTIL.DLL.RBF

            C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\SYSTEMCORE\MFEAACA.DLL.C5B6.DELETEME

            C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\SYSTEMCORE\MYTILUS3_WORKER.DLL.471B.DELETEME

            C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEAACA.DLL.85DF.DELETEME

            C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\SYSTEMCORE\MFEAACA.DLL.C5B6.DELETEME

            C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\SYSTEMCORE\MFEHIDA.DLL.5CF2.DELETEME

            C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEMMSA.DLL.611F.DELETEME

            C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEMMS.EXE.9430.DELETEME

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\LOCKDOWN.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\BBCPL.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\GRAPHICS.DLL.RBF

            C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\RES0900\MCSHIELD.DLL.RBF

            • 3. Re: Access Protection triggered by powershell script
              tkinkead

              I believe the deleteme and rbf files are leftover from performing application upgrades.  Have you performed any application upgrades without rebooting the system?


              There's really not much you can do from the Access Protection side to whitelist a specific script from Access Protection rules.  You'll have to fix up the script so it doesn't access those files or whitelist powershell.exe entirely. If you can't do either, then it's going to be tricky.  I can only think of very complicated and inefficient workarounds. 

              • 4. Re: Access Protection triggered by powershell script
                tao

                Possibility:  .rbf extension is sometimes seen as a backup of an existing file - coupled with .deleteme extension creation may be triggered when upgrading a package that requires a restart in order to remove the old version. 

                • 5. Re: Access Protection triggered by powershell script
                  amin.

                  I'll check to see if the files will be removed after a machine restart.


                  tkinkead, tao: The script isn't made to access those files, but I did just notice in the monitor that PowerShell started reading the registry, finding "PendingFileRenameOperations", and from there it was getting the paths for the McAfee files. After that it started touching those files, which I'm guessing is why only the deleteme and rbf files were part of the events.


                  The reboot may solve it, I'll know in a short while. Thanks for the help so far.

                  • 6. Re: Access Protection triggered by powershell script
                    tkinkead

                    Ahh, that makes sense.  I have seen occasional cases where the files that are supposed to be cleaned on boot are not.  If you run into that, I would suggest uninstalling all your McAfee products, rebooting, make sure those directories are cleaned out (and presumably, that that registry key is empty), then reinstall everything and reboot again.
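                    A way to inspect the registry key discussed in the two posts above, as an added example (not code from the thread, from the developers' script, or from McAfee): it reads PendingFileRenameOperations, splits the REG_MULTI_SZ into source/destination pairs, strips the \??\ prefix, and reports whether each file is still on disk, so an admin can confirm the .deleteme/.rbf cleanup actually happened after the reboot. It assumes PowerShell 3 or later; the function name is my own.

```powershell
# Added example: list what Windows will rename or delete at next boot.
# The value is a REG_MULTI_SZ holding a flat list of pairs: source path, then
# destination path. An empty destination means "delete source at boot".
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'PendingFileRenameOperations'

function Get-PendingFileRenameOperation {
    [CmdletBinding()]
    param()

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) {
        # Value absent: nothing is pending from this mechanism.
        return
    }

    $entries = @($item.$valueName)
    for ($i = 0; ($i + 1) -lt $entries.Count; $i += 2) {
        # Entries carry the NT object-manager prefix "\??\"; strip it for Test-Path.
        $source = $entries[$i]     -replace '^\\\?\?\\', ''
        $dest   = $entries[$i + 1] -replace '^\\\?\?\\', ''
        $operation = if ($dest -eq '') { 'Delete' } else { 'Rename' }

        [pscustomobject]@{
            Operation   = $operation
            Source      = $source
            Destination = $dest
            StillExists = Test-Path -LiteralPath $source
        }
    }
}

# Usage: show only entries under McAfee directories (the .deleteme and .rbf
# files from the thread). After a successful reboot this should return nothing;
# entries that remain with StillExists = True indicate the boot-time cleanup
# did not run, which is the case tkinkead describes above.
Get-PendingFileRenameOperation |
    Where-Object { $_.Source -like '*\McAfee\*' } |
    Format-Table -AutoSize
```

                    Run it from an elevated prompt, since the Session Manager key is readable by standard users but Test-Path against Program Files may be restricted on hardened builds.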

                    • 7. Re: Access Protection triggered by powershell script
                      amin.

                      No more events! Thanks for the help, guys. tkinkead, tao