4 Replies Latest reply on Mar 22, 2017 8:08 AM by pgajdek

    EXP:Invalid Call MCIEPLUGIN.DLL with InternetReadFile API

    pgajdek

Over the past couple of days we have been getting a lot of events in our ePO generated by IEXPLORE called from module MCIEPLUGIN.DLL. We are on ePO 3.5 and ESP 10.5 running the WebControl module in addition to Threat Prevention. Below is the full log of the event. I have created an exclusion rule, but it didn't help.


      Event Received Time:    3/15/17 2:55:28 PM

      Event Generated Time:    3/15/17 2:52:32 PM

      Agent GUID:    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

      Detecting Prod ID (deprecated):    ENDP_AM_1020

      Detecting Product Name:    McAfee Endpoint Security

      Detecting Product Version:    10.5.0

      Detecting Product Host Name:    xxxxxxxxxx

      Detecting Product IPv4 Address:    xxxxxxxxx

      Detecting Product IP Address:    xxxxxxxxxxx

      Detecting Product MAC Address:    00059a3c7800

      DAT Version:   

      Engine Version:   

      Threat Source Host Name:   

      Threat Source IPv4 Address:    10.1.200.188

      Threat Source IP Address:    10.1.200.188

      Threat Source MAC Address:   

      Threat Source User Name:   

      Threat Source Process Name:   

      Threat Source URL:   

      Threat Target Host Name:   xxxxxxxxxxx

      Threat Target IPv4 Address:   xxxxxxxxxxxx

      Threat Target IP Address:   xxxxxxxxxxxxxx

      Threat Target MAC Address:   

      Threat Target User Name:   xxxxxxxxxxxxxxxxxx

      Threat Target Port Number:   

      Threat Target Network Protocol:   

      Threat Target Process Name:    IEXPLORE.EXE

      Threat Target File Path:    C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE

      Event Category:    Host intrusion buffer overflow

      Event ID:    18055

      Threat Severity:    Critical

      Threat Name:    ExP:Invalid Call

      Threat Type:    Exploit Prevention

      Action Taken:    Would block

      Threat Handled:    True

      Analyzer Detection Method:    Exploit Prevention

      Events received from managed systems

      Event Description:    A suspicious call was detected and blocked

      Endpoint Security

      Module Name:    Threat Prevention

      Analyzer Content Creation Date:    3/9/17 11:57:26 PM

      Analyzer Content Version:   xxxxxxxxxxxxxxxxx

      Analyzer Rule ID:    6015

      Target Hash:    4f182207a5da340d6eb959b4dfdf42b1

      Target Signed:    Yes

      Target Signer:    C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION

      Target Parent Process Signed:    Yes

      Target Parent Process Signer:    C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION

      Target Parent Process Name:    IEXPLORE.EXE

      Target Parent Process Hash:    b17ffed222cf24ae85bd90f594c55121

      Target Name:    IEXPLORE.EXE

      Target Path:    C:\PROGRAM FILES (X86)\INTERNET EXPLORER

      Target File Size (Bytes):    815312

      Target Modify Time:    6/10/16 8:48:38 PM

      Target Access Time:    7/15/16 1:42:49 PM

      Target Create Time:    7/15/16 1:42:49 PM

      API Name:    InternetReadFile

      First Action Status:    Not available

      Second Action Status:    Not available

      Description:    ExP:Invalid Call was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.

      Attack Vector Type:    Local System
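When a rule like this fires many times in Report Only mode, the first job is to pull the few fields that matter (rule ID, target process, caller module, targeted API, whether the target binary is signed, and whether the event was actually blocked or only reported) out of each event and count how many distinct (process, module, API, rule) combinations are really behind the noise. The script below is an added example for that triage step, not code from the post or from McAfee: it parses the "Field:    value" layout of the ePO event text above, extracts the caller module and API from the Description sentence, and aggregates repeated events. The sample event is a constructed, trimmed copy of the one in the post, and the `known_modules` allow-list is a hypothetical list an administrator would maintain, not an ENS or ePO feature.

```python
import re
from collections import Counter

# Constructed sample: the triage-relevant fields copied from the ePO event in the post.
SAMPLE_EVENT = r"""
Threat Target Process Name:    IEXPLORE.EXE
Event Category:    Host intrusion buffer overflow
Event ID:    18055
Threat Severity:    Critical
Threat Name:    ExP:Invalid Call
Threat Type:    Exploit Prevention
Action Taken:    Would block
Threat Handled:    True
Analyzer Rule ID:    6015
Target Signed:    Yes
Target Signer:    C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
Target Name:    IEXPLORE.EXE
API Name:    InternetReadFile
Description:    ExP:Invalid Call was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE called from module MCIEPLUGIN.DLL, which targeted the InternetReadFile API. It wasn't blocked because Exploit Prevention was set to Report Only.
Attack Vector Type:    Local System
"""


def parse_event(text):
    """Parse an ePO threat-event block ("Field:    value" per line) into a dict.

    Only the first colon separates key from value, so values that contain
    colons themselves (the Description, Windows paths, timestamps) stay intact.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


# Matches the "called from module X, which targeted the Y API" clause of the Description.
CALLER_RE = re.compile(
    r"called from module (?P<module>[^\s,]+), which targeted the (?P<api>\S+) API",
    re.IGNORECASE,
)


def triage(fields, known_modules=frozenset()):
    """Reduce one Exploit Prevention event to the facts an analyst acts on.

    known_modules is a hypothetical allow-list of caller modules the admin has
    already reviewed; it is an assumption of this example, not an ENS concept.
    """
    description = fields.get("Description", "")
    match = CALLER_RE.search(description)
    module = match.group("module").upper() if match else None
    api = match.group("api") if match else fields.get("API Name")
    # "Would block" means the policy was Report Only: nothing was actually stopped.
    report_only = (fields.get("Action Taken") == "Would block"
                   or "Report Only" in description)
    return {
        "rule_id": fields.get("Analyzer Rule ID"),
        "threat": fields.get("Threat Name"),
        "process": fields.get("Threat Target Process Name"),
        "module": module,
        "api": api,
        "report_only": report_only,
        "target_signed": fields.get("Target Signed") == "Yes",
        "known_module": module in known_modules,
    }


def aggregate(event_texts):
    """Count events per (process, caller module, API, rule ID) tuple.

    Hundreds of events usually collapse to a handful of tuples, which is the
    unit an exclusion or a policy change is written against.
    """
    counts = Counter()
    for text in event_texts:
        t = triage(parse_event(text))
        counts[(t["process"], t["module"], t["api"], t["rule_id"])] += 1
    return counts


if __name__ == "__main__":
    summary = triage(parse_event(SAMPLE_EVENT), known_modules={"MCIEPLUGIN.DLL"})
    for key, value in summary.items():
        print(f"{key:>14}: {value}")
    for combo, n in aggregate([SAMPLE_EVENT, SAMPLE_EVENT]).items():
        print(n, "event(s) for", combo)
```

Feed it the raw text of each event exported from the ePO Threat Event Log; the aggregated tuple (target process, caller module, API, rule ID) is also the set of attributes to check against the exclusion you created, since an exclusion that does not match every attribute the rule keys on will not suppress the event.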