13 Replies Latest reply on Jul 26, 2017 7:39 PM by ecvicedo

    Bad Dat? AMCore 2891

    cybercop

      Since early this morning we are seeing an issue where genuine JavaScripts are being detected as "Suspicious Attachment!script" and deleted on systems installed with ENS 10.5.0.596 when it has AMCore version 2891.0. This happens when a user attempts to run a JavaScript from within Outlook and does not happen with earlier DATs. No other version of AV is affected (10.2 or VSE 8.8). Since I reported it first thing this morning I've had no contact from McAfee other than an email asking for quarantined files to be sent to them. Anyone else seeing this? We've had to stop updates and roll back to 2890.... Poor again.
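One way to confirm a suspected bad DAT from an ePO threat-event export, added here as an example that is not part of this thread or of McAfee's tooling: count a single detection name per DAT version and flag the version where the count jumps across several hosts. The CSV columns and rows are constructed, and the spike thresholds are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed ePO-style export (column names are an assumption, not McAfee's
# real schema). Detection name and DAT versions follow the thread above.
SAMPLE_EXPORT = """\
event_time,host,dat_version,threat_name,target_path,action
2017-07-20T08:02:11,WS-0101,2889.0,Suspicious Attachment!script,C:\\Temp\\a.js,Deleted
2017-07-21T09:15:40,WS-0113,2890.0,Suspicious Attachment!script,C:\\Temp\\b.js,Deleted
2017-07-21T11:05:02,WS-0042,2890.0,Generic Trojan!example,C:\\Temp\\dl.exe,Deleted
2017-07-22T07:31:55,WS-0007,2891.0,Suspicious Attachment!script,C:\\Temp\\c.js,Deleted
2017-07-22T07:40:12,WS-0021,2891.0,Suspicious Attachment!script,C:\\Temp\\d.js,Deleted
2017-07-22T08:02:33,WS-0035,2891.0,Suspicious Attachment!script,C:\\Temp\\e.js,Deleted
2017-07-22T08:10:01,WS-0007,2891.0,Suspicious Attachment!script,C:\\Temp\\f.js,Deleted
2017-07-23T09:00:17,WS-0007,2892.0,Suspicious Attachment!script,C:\\Temp\\g.js,Deleted
2017-07-23T09:12:44,WS-0050,2892.0,Suspicious Attachment!script,C:\\Temp\\h.js,Deleted
2017-07-23T09:30:09,WS-0061,2892.0,Suspicious Attachment!script,C:\\Temp\\i.js,Deleted
2017-07-23T10:05:58,WS-0050,2892.0,Suspicious Attachment!script,C:\\Temp\\j.js,Deleted
"""

def load_events(text):
    """Parse the export into a list of dicts, one per threat event."""
    return list(csv.DictReader(io.StringIO(text)))

def counts_by_dat(events, threat_name):
    """Per DAT version: how many events of `threat_name`, and on which hosts."""
    counts = Counter()
    hosts = defaultdict(set)
    for e in events:
        if e["threat_name"] == threat_name:
            counts[e["dat_version"]] += 1
            hosts[e["dat_version"]].add(e["host"])
    return counts, hosts

def suspect_dat_versions(events, threat_name, factor=4, min_hosts=3):
    """DAT versions whose count of `threat_name` is at least `factor` times the
    highest count under any earlier, unflagged DAT and spans >= min_hosts hosts.
    Flagged versions do not raise the baseline, so a bad DAT's successor that
    carries the same false positive (2892 in the thread) is flagged too."""
    counts, hosts = counts_by_dat(events, threat_name)
    versions = sorted(counts, key=lambda v: tuple(int(p) for p in v.split(".")))
    suspects, baseline = [], 0
    for v in versions:
        n = counts[v]
        if baseline and n >= factor * baseline and len(hosts[v]) >= min_hosts:
            suspects.append(v)
        else:
            baseline = max(baseline, n)
    return suspects
```

Run against a real export, the flagged versions tell you which DAT to roll back to (the last unflagged one) before deciding on detection-name exclusions.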

        • 1. Re: Bad Dat? AMCore 2891
          alka

          I'm having the same issue. Logged into ePO this morning and noticed over 1200+ pieces of "Malware" generated as "Suspicious Attachment!script".

          DAT Version:

          2891.0

          Any thoughts on this? I'd hate to roll back the DAT file.

          Thanks in advance.

          • 2. Re: Bad Dat? AMCore 2891
            alka

            Just updated the V3 DAT to 2892, seems like the issue is still occurring with this DAT Version as well.

            • 3. Re: Bad Dat? AMCore 2891
              johnmoe

              I had noted two occurrences of this event yesterday, and had noted that the one I managed to get hold of seemed legitimate. Hadn't had a chance to investigate further yet.

              Both were as described: JavaScript files that were part of e-mails opened using Outlook 2016 (365 CTR version) on systems with ENS 10.5.

              • 4. Re: Bad Dat? AMCore 2891
                Namster

                I temporarily resolved this issue while I wait for a new AMCore. Created an ENS client task to roll back AMCore. Tech notes: must list sub version.

                My task is pictured below.

                I haven't read up much, but I believe that the endpoint saves a couple of versions, so this is restored locally.

                [image: amcore ct.png]

                Run immediately

                • 5. Re: Bad Dat? AMCore 2891
                  johnmoe

                  I've just had an email forwarded from my SAM with this:


                  We've had two escalations today for a false PUP detection of Suspicious Attachment!xxxx. Note that this is only being seen in ENS.

                  Due to the type of detection driver, this is not something that can be resolved via an extra.dat.

                  Should you have a customer report this false positive, the interim solution is for the customer to add the following as PUP exclusions in ENS:

                  Suspicious Attachment!exe

                  Suspicious Attachment!cpl

                  Suspicious Attachment!script

                  Suspicious Attachment!jar

                  The false positive should be corrected with tomorrow's DATs. After updating, the customer will want to remove the added exclusions.


                  I've added these four into my ENS Threat Protection --> Options policy for today, and will test Monday after the new AMCore version comes out.

                  • 6. Re: Bad Dat? AMCore 2891
                    alka

                    Thanks johnmoe, for the workaround. I opened a case with McAfee and they told me to exclude Outlook.exe, which I didn't want to do, and the last resort was to revert the DAT.

                    Had over 3,000+ hits of Suspicious Attachment!script from ENS.

                    • 7. Re: Bad Dat? AMCore 2891
                      cybercop

                      Latest from McAfee 08:45 GMT: "The issue will be dealt with in an AMCore release later today." Although I have the exclusions in that McAfee have recommended (same as johnmoe), I'm retaining the policy of not updating until I've tested this one fully..... and I certainly don't recommend excluding Outlook.exe (alka).

                      • 8. Re: Bad Dat? AMCore 2891
                        ocean

                        I understood to roll back the DAT. But I don't accept an exclusion for Outlook.exe. For example, outlook.exe is a high-risk process in the McAfee default policy. A lot of threats come in through the outlook.exe process..

                        • 9. Re: Bad Dat? AMCore 2891
                          wyrm

                          I'm seeing hundreds of Suspicious Attachment!script detections on AMCORE DAT 2892 from users with the Salesforce Outlook plugin.
