User27605043 (Reliable Contributor), Message 1 of 16

Help Creating an Expert Rule to exclude Vendor Double File Extensions

I would like help creating an Expert Rule exception for these files: GetPendingUpdates.vbs.CMD and GetUpdateDates.vbs.CMD
Stewart
Accepted Solutions
Pravas (Employee), Message 7 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

Hi @User27605043 ,

You may open a Service Request with ENS Support.

We may be able to help with the Signature ID 413.

Thanks


User27605043 (Reliable Contributor), Message 9 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

Here is what support told me.

1. Turn off the McAfee Double File Extension rule.

The rule is in the policy "Endpoint Security Threat Prevention > Exploit Prevention".

In the My Default policy, navigate to Signatures, search for 413 and uncheck the rule.

Save it.

2. Add an Expert Rule (button in Signatures).

Name the new rule.

Select Severity: High.

Select Block and Report for Actions.

Rule type: Processes.

Copy this into the box and change the placeholder files "Filename.extention" to yours.

I am not 100% sure the formatting is saved correctly in this communication. But here you go.

 

Rule {
	# Resolve the Program Files directories from the registry; they are used in the Exclude block below
	set os_major_version [iSystem major]
	set os_arch [iSystem os_arch]
	if { $os_arch == 320 } {
		# 32-bit Windows has no Wow6432Node, so both variables point at the same key
		set WOW64_HKLM_ProgramFiles_32 [iReg value "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" ProgramFilesDir]
		set WOW64_HKLM_ProgramFiles_64 [iReg value "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" ProgramFilesDir]
	} else {
		# 64-bit Windows: the 32-bit Program Files path comes from Wow6432Node
		set WOW64_HKLM_ProgramFiles_32 [iReg value "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" ProgramFilesDir]
		set WOW64_HKLM_ProgramFiles_64 [iReg value "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" ProgramFilesDir]
	}

	Target {
		Match FILE {
			# Double-extension file names to block (* and ? are wildcards)
			Include OBJECT_NAME {
				-v *.???.bat
				-v *.???*.cmd
				-v *.???*.pif
				-v *.???.com
				-v *.avi*.exe
				-v *.bmp*.exe
				-v *.com.exe
				-v *.com???.exe
				-v *.doc.exe
				-v *.doc???.exe
				-v *.gif*.exe
				-v *.htm*.exe
				-v *.jpeg*.exe
				-v *.jpg*.exe
				-v *.mov*.exe
				-v *.mp3*.exe
				-v *.pdf*.exe
				-v *.ppt*.exe
				-v *.rtf*.exe
				-v *.txt*.exe
				-v *.wmv*.exe
				-v *.xls*.exe
				-v *.avi*.com
				-v *.bmp*.com
				-v *.doc*.com
				-v *.gif*.com
				-v *.htm*.com
				-v *.jpeg*.com
				-v *.jpg*.com
				-v *.mov*.com
				-v *.mp3*.com
				-v *.pdf*.com
				-v *.ppt*.com
				-v *.rtf*.com
				-v *.txt*.com
				-v *.wmv*.com
				-v *.xls*.com
				-v *.avi*.bat
				-v *.bmp*.bat
				-v *.doc*.bat
				-v *.gif*.bat
				-v *.htm*.bat
				-v *.jpeg*.bat
				-v *.jpg*.bat
				-v *.mov*.bat
				-v *.mp3*.bat
				-v *.pdf*.bat
				-v *.ppt*.bat
				-v *.rtf*.bat
				-v *.txt*.bat
				-v *.wmv*.bat
				-v *.xls*.bat
				-v *.avi*.scr
				-v *.bmp*.scr
				-v *.com.scr
				-v *.com???.scr
				-v *.doc*.scr
				-v *.gif*.scr
				-v *.jpeg*.scr
				-v *.htm*.scr
				-v *.jpg*.scr
				-v *.mov*.scr
				-v *.mp3*.scr
				-v *.pdf*.scr
				-v *.ppt*.scr
				-v *.rtf*.scr
				-v *.txt*.scr
				-v *.wmv*.scr
				-v *.xls*.scr
			}
			# Paths allowed to execute even when they match a pattern above
			Exclude OBJECT_NAME {
				-v $WOW64_HKLM_ProgramFiles_32\\**
				-v *\\*.com*\\*.exe
				-v *\\*.data*\\*.com
				-v *\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*\\*.com
				if { $os_arch == 640 } {
					-v $WOW64_HKLM_ProgramFiles_64\\**
				}
				# Replace these placeholders with the full paths of your vendor files
				-v C:\\Filename.extention
				-v C:\\Filename.extention
			}
			# Attribute and access filters carried over from the McAfee rule
			Include -file_attributes "!ARCHIVE"
			Include -access "EXECUTE"
		}
	}
}

 

Stewart

15 Replies
User27605043 (Reliable Contributor), Message 2 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

Here is what I see in ePO:

 

Threat Target File Path: C:\Users\userid\AppData\Local\Temp\5aed1862-b14e-478a-855f-1116538612c4\GetPendingUpdates.vbs.CMD
Event Category: 'File' class or access
Event ID: 18060
Threat Severity: Critical
Threat Name: Suspicious Double File Extension Execution
Threat Type: Exploit Prevention
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention

Stewart
Pravas (Employee), Message 3 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

Hi @User27605043 ,

We can exclude the Source Process in Exploit Prevention policy to avoid the detection.

However, please do not exclude any well-known windows process like Explorer.exe, CMD.exe etc.

Alternatively, the signature can be turned off for target systems.

In case you're looking for a custom signature, please reach out to Professional Services.

https://www.mcafee.com/enterprise/en-in/services/solution-services.html

Thanks


User27605043 (Reliable Contributor), Message 4 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

Should this case be opened against ePO or against ENS? ENS rules but in ePO. Which should be selected when opening the case?

Stewart

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

I'll DM you an Expert Rule that includes the McAfee rule content but your exclusion.

Dave

User27605043 (Reliable Contributor), Message 6 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

Great!

Stewart

ChrisQ (Reliable Contributor), Message 8 of 16

Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

I'm really interested in seeing an expert rule for excluding some double file extension detections please.

For example:
C:\ProgramData\Zebra Technologies\CardStudio2\updates\CardStudio 2.5.4\CardStudio-Setup_2.5.4.exe, which tried to access the file C:\Users\Personaldata.removed\AppData\Local\Temp\EXECDEF.tmp.bat, violating the rule "Suspicious Double File Extension Execution", and was blocked.


Re: Help Creating an Expert Rule to exclude Vendor Double File Extensions

There are some gaps in this rule, and I also question its efficiency, as I really examine it (which oddly, though I've worked on the rule in the past, I never sat down to actually consider).

The *.ext*.ext can't be very efficient and reminds me of an issue I recently came across related to AAC performance with an APR. I would think most of these can simply be *.ext.ext.  The exception is Office related extensions. So in that case, we would need both *.doc.ext and *.doc?.ext.  Also missing are *.xls.bat, *.xls?.bat and a few other, similar ones.  I also wonder if script files should be included, as well as .hta and, especially, .lnk.

So these might just be a simple: -v "*.???.lnk" and -v "*.????.lnk", etc.  

Open to disagreements and thoughts about removing the middle * in the various ones.

Dave
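The script below is an added example, not code from this thread or from McAfee. It approximates how the Include and Exclude patterns of the Expert Rule posted in message 9 would be applied to a file path, and it checks Dave's question about dropping the middle "*" by listing which file names a loose pattern catches that its tighter variants miss. Everything about wildcard behaviour here is an assumption that has not been verified against the ENS engine: "?" matches one character, "*" does not cross a path separator, "**" does, and a pattern with no separator is matched against the file name alone. The literal path C:\Program Files stands in for $WOW64_HKLM_ProgramFiles_32, one vendor path stands in for the "C:\\Filename.extention" placeholder, and the sample names are constructed, apart from the Temp path and the EXECDEF.tmp.bat name, which are taken from the thread.

```python
import re

# Assumed wildcard semantics for this approximation (not verified against the
# ENS engine): '**' crosses path separators, '*' does not, '?' is exactly one
# non-separator character. A pattern without a separator is matched against
# the file name only; a pattern with one is matched against the full path.
def pattern_to_regex(pattern):
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append(r"[^\\/]*")
        elif ch == "?":
            parts.append(r"[^\\/]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def glob_match(pattern, path):
    has_sep = "\\" in pattern or "/" in pattern
    subject = path if has_sep else re.split(r"[\\/]", path)[-1]
    return pattern_to_regex(pattern).match(subject) is not None


# Constructed subset of the Include patterns from the rule in message 9.
INCLUDE = ["*.???.bat", "*.???*.cmd", "*.doc*.exe", "*.com.exe"]

# Constructed stand-ins for the rule's Exclude block: a literal path in place
# of $WOW64_HKLM_ProgramFiles_32\** and one vendor file in place of the
# "C:\\Filename.extention" placeholder.
EXCLUDE = [r"C:\Program Files\**", r"C:\Vendor\GetPendingUpdates.vbs.CMD"]


def evaluate(path, include=INCLUDE, exclude=EXCLUDE):
    """Include first, then Exclude: returns 'blocked', 'excluded' or 'no match'."""
    if not any(glob_match(p, path) for p in include):
        return "no match"
    if any(glob_match(p, path) for p in exclude):
        return "excluded"
    return "blocked"


def lost_by_tightening(loose, tight_variants, names):
    """File names the loose pattern catches that none of the tighter variants catch."""
    return [n for n in names
            if glob_match(loose, n)
            and not any(glob_match(t, n) for t in tight_variants)]


# Constructed sample names for the question of dropping the middle '*'.
DOC_NAMES = ["invoice.doc.exe", "invoice.docx.exe", "invoice.docm.exe",
             "invoice.document.exe", "invoice.doc_final.exe"]
CMD_NAMES = ["GetPendingUpdates.vbs.CMD", "setup.vbs1.cmd", "x.ps1.cmd"]


if __name__ == "__main__":
    samples = [
        r"C:\Users\userid\AppData\Local\Temp\5aed1862-b14e-478a-855f-1116538612c4\GetPendingUpdates.vbs.CMD",
        r"C:\Vendor\GetPendingUpdates.vbs.CMD",
        r"C:\Program Files\Vendor\tool.vbs.cmd",
        r"C:\Users\x\AppData\Local\Temp\EXECDEF.tmp.bat",
        r"C:\Temp\report.pdf",
    ]
    for s in samples:
        print(f"{evaluate(s):9} {s}")
    print("*.doc*.exe only:", lost_by_tightening("*.doc*.exe", ["*.doc.exe", "*.doc?.exe"], DOC_NAMES))
    print("*.???*.cmd only:", lost_by_tightening("*.???*.cmd", ["*.???.cmd"], CMD_NAMES))
```

Run it with a list of paths taken from ePO events (Threat Target File Path) before changing the policy: a path reported as "blocked" is one the rule would still stop, "excluded" shows an exclusion is doing its job, and the two lost_by_tightening calls show the trade-off Dave raises, where *.doc.exe plus *.doc?.exe covers .doc and .docx but not longer middles, and *.???.cmd stops matching names such as setup.vbs1.cmd that the loose *.???*.cmd catches.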
