
Exploit Prevention Signatures

Hi: I was adding the PrintNightmare signature recently and noticed many of these signatures are not enabled for reporting or blocking. I was wondering how our organization was to know what should be enabled for blocking? I do subscribe to the weekly McAfee email list to keep up on ENS updates. But I want to ensure anything listed in the signatures is enabled to help protect our org whenever possible.
4 Replies
AdithyanT
Employee

Re: Exploit Prevention Signatures

Hi @tmelville,

Thank you for your post. We may not be able to recommend tailored suggestions for your organization, as we leave that to the administrators of each organization by providing them documentation on the capabilities of these rules; they are to be tested in each organization to validate whether they generate false positives, how they can be fine-tuned, etc. However, we have the documentation below, which covers some important signatures to enable and fine-tuning of our product:

Best practices for tuning and using Endpoint Security to prevent and respond to threat incidents

I sincerely hope this helps!


Thanks and regards,
Adithyan T

Re: Exploit Prevention Signatures

I would suggest these at a minimum.

6187
6206
6196
6195 (for servers)
6194
6192
6191
6190
6168
6155
6154
6153
6152
6146
6145
6143
6124
6122
6121
6118
6117
6116
6115
6113
6112
6109
6108
6078
6066
6047


Do you have ATP deployed? There are several JTI rules I might suggest as well.

Dave

 

ChrisQ
Reliable Contributor

Re: Exploit Prevention Signatures

@Daveb3d I'm interested in seeing your JTI rule suggestions.

Re: Exploit Prevention Signatures

Now I'll first qualify this by saying ATP needs to be set to clean at "Most Likely Malicious" to really benefit from this. You might want to run some test systems in observe mode for tuning, and maybe point them to "Productivity" or "Security" if you don't use those policy sets, and tune them to match "Balanced" in your target configuration.

Starting with the newest ones.

517 - If you have a TIE server, use it to trust, otherwise exclude false-positive processes with OAS exclusions. This one will stop CobaltStrike in most cases. 
516
515
514 - might be noisy though. Strongly recommend a TIE server.
511
504
349
346
324
318
317
314
309
301
260
255
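As an added example, not written by any of the posters above and not McAfee's or Trellix's own tooling, here is a small audit script that takes the Exploit Prevention signature IDs from Dave's earlier reply (with 6195 treated as server-only, as he notes) and the ATP rule IDs from this reply, and compares them against an export of the current policy state. The export format (a CSV with `id,name,block,report` columns) is an assumption for illustration; ENS does not produce this exact file, so the parser would need to be adapted to whatever report your console actually exports. The sample rows are constructed.

```python
import csv
import io

# Exploit Prevention signature IDs recommended in Dave's earlier reply.
EP_BASELINE = {6187, 6206, 6196, 6194, 6192, 6191, 6190, 6168, 6155, 6154,
               6153, 6152, 6146, 6145, 6143, 6124, 6122, 6121, 6118, 6117,
               6116, 6115, 6113, 6112, 6109, 6108, 6078, 6066, 6047}
EP_SERVER_ONLY = {6195}  # listed "for servers" only

# ATP rule IDs recommended in this reply ("Starting with the newest ones").
ATP_BASELINE = {517, 516, 515, 514, 511, 504, 349, 346, 324, 318, 317,
                314, 309, 301, 260, 255}
# Tuning remarks from the reply, attached to the audit output when the rule is present.
ATP_NOTES = {
    517: "use TIE to trust, otherwise OAS exclusions for false-positive processes",
    514: "might be noisy; TIE server strongly recommended",
}

# Constructed sample exports in the assumed id,name,block,report format.
EP_SAMPLE = """id,name,block,report
6187,Constructed: Sig 6187,Y,Y
6206,Constructed: Sig 6206,N,Y
6195,Constructed: Sig 6195,N,N
6047,Constructed: Sig 6047,Y,N
"""
ATP_SAMPLE = """id,name,block,report
517,Constructed: Rule 517,Y,Y
514,Constructed: Rule 514,N,Y
255,Constructed: Rule 255,Y,Y
"""


def parse_export(text):
    """Parse the assumed CSV export into {id: {"name", "block", "report"}}.
    'block' and 'report' columns are 'Y'/'N'; this layout is hypothetical."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        rows[int(r["id"])] = {
            "name": r["name"],
            "block": r["block"].strip().upper() == "Y",
            "report": r["report"].strip().upper() == "Y",
        }
    return rows


def audit(export, baseline, server=False, server_only=frozenset(), notes=None):
    """Compare an export against a recommended baseline.
    Returns ids absent from the export, ids present but not blocking,
    ids present but not reporting, and any tuning notes for present ids."""
    wanted = set(baseline) | (set(server_only) if server else set())
    findings = {"missing": [], "not_blocking": [], "not_reporting": [], "notes": {}}
    for sid in sorted(wanted):
        row = export.get(sid)
        if row is None:
            findings["missing"].append(sid)
            continue
        if not row["block"]:
            findings["not_blocking"].append(sid)
        if not row["report"]:
            findings["not_reporting"].append(sid)
        if notes and sid in notes:
            findings["notes"][sid] = notes[sid]
    return findings


def summarize(label, findings):
    """Render findings as plain lines for a ticket or change request."""
    lines = [f"== {label} =="]
    lines.append("absent from export: " + (", ".join(map(str, findings["missing"])) or "none"))
    lines.append("present but not blocking: " + (", ".join(map(str, findings["not_blocking"])) or "none"))
    lines.append("present but not reporting: " + (", ".join(map(str, findings["not_reporting"])) or "none"))
    for sid, note in findings["notes"].items():
        lines.append(f"note for {sid}: {note}")
    return lines


if __name__ == "__main__":
    ep = audit(parse_export(EP_SAMPLE), EP_BASELINE, server=True, server_only=EP_SERVER_ONLY)
    atp = audit(parse_export(ATP_SAMPLE), ATP_BASELINE, notes=ATP_NOTES)
    for line in summarize("Exploit Prevention (server)", ep) + summarize("ATP rules", atp):
        print(line)
```

Run it once with `server=False` for workstation policies and once with `server=True` for server policies; 6195 is only flagged in the latter, and the "absent from export" list is the first thing to reconcile, since a signature that does not appear in the export at all may be missing from the content version rather than merely disabled.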


