cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
sunshinebg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 6
‎11-16-2020 03:46 AM

Duping AV with handles ENS 10.7

Is this possible to bypass ENS protection?

https://skelsec.medium.com/duping-av-with-handles-537ef985eb03

 

 

McAfee Certified Product Specialist: (ePO), (ENS), (HiPs)
0 Kudos
Reply
5 Replies
yaz
Employee
Employee
Report Inappropriate Content
Message 2 of 6
‎11-16-2020 04:37 AM

Re: Duping AV with handles ENS 10.7

Hi @sunshinebg 

Thanks for reaching out to community. 

This looks like we need to carry out investigation with our Engineering. 

Can you kindly open an SR with us and we can have this investigation checked out from our Engineering level?

 

0 Kudos
Reply
SStoychev
Level 7
Report Inappropriate Content
Message 3 of 6
‎11-16-2020 04:54 AM

Re: Duping AV with handles ENS 10.7

This is not related to specific env.

How to open SR without current customer?

Any way to reach Engineering team?

Certified Product Specialists ePO
0 Kudos
Reply
yaz
Employee
Employee
Report Inappropriate Content
Message 4 of 6
‎11-16-2020 04:56 AM

Re: Duping AV with handles ENS 10.7

Hi @SStoychev 

This has to go through Support channel. We will share details to Engineering and Development. 

0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 5 of 6
‎11-16-2020 04:53 AM

Re: Duping AV with handles ENS 10.7

If you want to harden ENS against Minikatz, create an expert role that restricts memory reads against LSASS.  You will have to tune it a lot initially, but then you should be able to start blocking.  It will frustrate red teams,  I promise.   🙂

0 Kudos
Reply
sunshinebg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 6
‎12-02-2020 12:50 AM

Re: Duping AV with handles ENS 10.7

Just receive an update from  McAfee PSIRT Team:

The Beta release of CTP you identified should offer some protection against this type of attack.  It is disabled by default.  We would have reached out to you next week once it had been in the field for a couple of weeks to ask you turn it on.  We don’t like to offer Beta releases as a possible solution to a vulnerability until we’ve seen results from the telemetry.

McAfee Certified Product Specialist: (ePO), (ENS), (HiPs)
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC