cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
HugsNotDrugs
Level 10
Report Inappropriate Content
Message 1 of 5
‎05-01-2019 01:49 AM

ENS ATP rule 239

Jump to solution

Hi,

I get a report in the ePO that an application interacts with powershell and is triggering the rule 239 (suspicious execution of an application through execution parameters). I don't know what the application is doing in detail. Are there any general guidelines what an application should not be doing to be compatible with ATP rule 239? I wish I could provide users willing to adapt there Software to the ATP rule 239 with some best practices on how to do that but so far I was unable to find much specifics on what is being considered a "suspicious execution of an application through execution parameters".

Any help clarifying that would be much appreciated!

 

0 Kudos
Reply
1 Solution

Accepted Solutions
Former Member
Not applicable
Report Inappropriate Content
Message 4 of 5
‎05-01-2019 02:51 AM

Re: ENS ATP rule 239

Jump to solution

The reason you are still seeing detections is because the rule 239 contains various detection triggers.

Yes, if you raise an SR we can submit all the information to our engineering team and ask them to review and make suggestions if possible. We may even be able to do something from our side.

We would ask you to reproduce the issue with ENS debug logging enabled and then for you to provide an MER along with a very detailed description of what the application is used for, what actions it triggers, vendor of the application, etc. > the more information you can provide, the better. With a generic description we would not be able to submit the request to engineering.

View solution in original post

Reply
4 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 5
‎05-01-2019 02:34 AM

Re: ENS ATP rule 239

Jump to solution

I'm afraid the specifics would be considered company secrets so wouldn't be able to be shared. But here are some thoughts:

- Review how the application gets called / initiated - it's likely the same way malware can be launched

-  Review what applications, executables or commands are being called by the applications, i.e. what command line usage is happening when the app is running

 

A good thing to do from our side, would be to submit the application via GetClean. This will help whitelist the application.

https://kc.mcafee.com/corporate/index?page=content&id=KB73044

Reply
HugsNotDrugs
Level 10
Report Inappropriate Content
Message 3 of 5
‎05-01-2019 02:43 AM

Re: ENS ATP rule 239

Jump to solution

The application itself has already went though the GetClean process and has an Known Trusted reputation in the GTI. However this does not change the behavior of ENS ATP with the 239 Rule - the action is still getting blocked despite the files positive reputation.

While I get it some configuration details cannot be shared publicly it is rather troublesome in a case of a false positive rule 239 detection to mitigate the problem and rewrite a custom made application if the customer does not know what to look for.

Would some assisted false positive 239 rule trigger search in the application be possible with open SR?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 4 of 5
‎05-01-2019 02:51 AM

Re: ENS ATP rule 239

Jump to solution

The reason you are still seeing detections is because the rule 239 contains various detection triggers.

Yes, if you raise an SR we can submit all the information to our engineering team and ask them to review and make suggestions if possible. We may even be able to do something from our side.

We would ask you to reproduce the issue with ENS debug logging enabled and then for you to provide an MER along with a very detailed description of what the application is used for, what actions it triggers, vendor of the application, etc. > the more information you can provide, the better. With a generic description we would not be able to submit the request to engineering.

Reply
Daveb3d
MVP
Report Inappropriate Content
Message 5 of 5
‎05-02-2019 07:44 AM

Re: ENS ATP rule 239

Jump to solution

Can you post the command line of it?   I can probably guess why it is triggering. 

 

Dave

0 Kudos
Reply
Related Topics
ENS ATP rule 239
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC