Since early this morning we are seeing an issue where genuine JavaScripts are being detected as "Suspicious Attachment!script" and deleted on systems installed with ENS 10.5.0.596 when it has the AMCore version 2891.0. This happens when a user attempts to run a JavaScript from within Outlook and does not happen with earlier DATs. No other version of AV is affected (10.2 or VSE 8.8). Since I reported it first thing this morning I've had no contact from McAfee other than an email asking for quarantined files to be sent to them. Anyone else seeing this? We've had to stop updates and roll back to 2890... Poor again.
I'm having the same issue. Logged into ePO this morning and noticed over 1200+ pieces of "Malware" generated as "Suspicious Attachment!script".
DAT Version:
2891.0
Any thoughts on this? I'd hate to roll back the DAT file.
Thanks in advance.
Just updated the V3 DAT to 2892, seems like the issue is still occurring with this DAT Version as well.
I had noted two occurrences of this event yesterday, and had noted that one that I managed to get a hold of seemed legitimate. Hadn't had a chance to investigate further yet.
Both were as described, JavaScript files that were part of e-mails that were opened using Outlook 2016 (365 CTR version) on systems with ENS 10.5.
I temporarily resolved this issue while I wait for a new AMCore. Created an ENS client task to roll back AMCore. Tech notes: must list sub version.
My task is pictured below.
I haven't read up much but I believe that the endpoint saves a couple versions. So this is restored locally.
Run immediately
I've just had an email forwarded from my SAM with this:
We've had two escalations today for a false PUP detection of Suspicious Attachment!xxxx. Note that this is only being seen in ENS.
Due to the type of detection driver, this is not something that can be resolved via an extra.dat.
Should you have a customer report this false, the interim solution is for the customer to add the following as PUP exclusions in ENS:
Suspicious Attachment!exe
Suspicious Attachment!cpl
Suspicious Attachment!script
Suspicious Attachment!jar
The false should be corrected with tomorrow's DATs. After updating, the customer will want to remove the added exclusions.
I've added these four into my ENS Threat Protection --> Options policy for today, and will test Monday after the new AMCore version comes out.
Thanks johnmoe, for the workaround. I opened a case with McAfee and they told me to exclude Outlook.exe, which I didn't want to do, and the last resort was to revert the DAT.
Had over 3,000+ hits of Suspicious Attachment!script from ENS.
Latest from McAfee 08:45 GMT: "The issue will be dealt with in an AMCore release later today." Although I have the exclusions in that McAfee have recommended (same as Johnmoe), I'm retaining the policy of not updating until I've tested this one fully... and I certainly don't recommend excluding Outlook.exe (Alka).
I understood to roll back the DAT. But I don't accept an exclusion for Outlook.exe. For example, outlook.exe is a high process in the McAfee default policy. A lot of threats are coming to the outlook.exe process.
I'm seeing hundreds of Suspicious Attachment!script detections on AMCORE DAT 2892 from users with the Salesforce Outlook plugin.