ssedhai
Level 9
Message 1 of 3

How can I make exclusion to PDQInventory-Scanner?


I have lots of events saying NT AUTHORITY\SYSTEM ran SYSTEM:REMOTE\SYSTEM:REMOTE, which accessed C:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\\ , violating the rule "Remotely accessing local files or folders". Access was allowed because the rule wasn't configured to block. How can I make an exclusion so that this event can be ignored?

I have made an exclusion for this one, but it seems not to be working at this point.

 

NT AUTHORITY\SYSTEM ran SYSTEM:REMOTE\SYSTEM:REMOTE, which accessed C:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\\ , violating the rule "Remotely accessing local files or folders". Access was allowed because the rule wasn't configured to block.

Analyzer / Detector
Analyzer content creation date: 9/22/2015 6:11 AM
Analyzer content version: 10.6.0
Product name: McAfee Endpoint Security
Analyzer rule name: Remotely accessing local files or folders
Product version: 10.6.1
Feature name: Access Protection

Threat
Action taken: Would Block
Threat category: 'File' class or access
Threat event ID: 1095
Threat handled: Yes
Threat name: Remotely accessing local files or folders
Threat severity: Critical
Threat timestamp: 2/7/2020 12:35 PM
Threat type: Access Protection

Source
Source file path: SYSTEM:REMOTE
Source IPV4: 10.10.6.182
Source process name: SYSTEM:REMOTE
Source process signed: No
Source user name: NT AUTHORITY\SYSTEM

Target
Target host name: computername
Target name: (blank)
Target path: C:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\
Target signed: No
Target user name: SYSTEM

Other
Access requested: Delete
Vector type: File Share

 

This table is taken from the ENS event window.

 

Trellix Endpoint Security 

2 Replies

Re: How can I make exclusion to PDQInventory-Scanner?


Hello @ssedhai 

The rule you are using, "Remotely accessing local files or folders", is a very aggressive rule and it is disabled by default.

The purpose of the rule can be found in:

*** McAfee Endpoint Security 10.6.0 - Threat Prevention Product Guide - Windows
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

in the section "McAfee-defined Access Protection rules", where you have:

McAfee-defined rule: Remotely accessing local files or folders
Description: Prevents read and write access from remote computers to the computer. In a typical environment, this rule is suitable for workstations, but not servers.
Default setting: empty (aka not set to block or report)
Benefits: Prevents a share-hopping worm from spreading.
Risks: Prevents updates or patches from being installed to systems managed by pushing files. This rule doesn't affect the management functions of McAfee ePO.

TIP: Best practice: Enable this rule only when computers are actively under attack.

Now, the majority of remote access scenarios will have "Source file path -> SYSTEM:REMOTE", because the software PDQInventory-Scanner is using it to access the machine and that is what the OS sees (not PDQInventory-Scanner); hence you can't exclude PDQInventory-Scanner from the rule.

Also, there are a lot of scenarios with the same situation: where the product guide mentions updates, you should also see SYSTEM:REMOTE if you try to access c$, but malware may use it as well; hence, in order for you to make an exclusion, you would have to exclude the whole "SYSTEM:REMOTE", which would defeat the purpose of the rule itself.

The conclusion and best suggestion is to actually follow the best practice for the rule given in the product guide itself.

I hope I explained myself properly.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
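The answer above explains why the event cannot be excluded on the ENS side: the OS only sees the SYSTEM:REMOTE pseudo-process, so an exclusion on it would hide every remote access, not just the scanner's. What the question actually asks for is less noise, and that can be done on the log side instead. The Python below is an added example, not ENS, ePO or PDQ code and not from the thread: it parses event records in the "Key: Value" form shown in the question and tags an event as known-benign only when the rule name, the SYSTEM:REMOTE source and the scanner directory all match, leaving any other remote access for review. Both event records are constructed (the first mirrors the thread's record; the second, with a target outside the scanner directory and source IP 10.10.6.77, is invented), the function names are mine, and the assumption that a SIEM or ePO export uses this same layout is exactly that, an assumption.

```python
"""Triage filter for ENS Access Protection events (added example, not ENS/ePO code).

Assumes events are available in the "Key: Value" text form shown in this thread;
a real SIEM or ePO export may use a different layout, so adapt parse_event().
"""
from typing import Dict, List, Tuple

# Rule name, pseudo-process and scanner directory exactly as they appear in the thread.
RULE_NAME = "Remotely accessing local files or folders"
REMOTE_PSEUDO_PROCESS = "SYSTEM:REMOTE"
PDQ_SCANNER_DIR = "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\"

# Constructed sample 1: the scanner event from the thread.
EVENT_PDQ_SCAN = """\
Analyzer rule name: Remotely accessing local files or folders
Action taken: Would Block
Threat event ID: 1095
Source file path: SYSTEM:REMOTE
Source IPV4: 10.10.6.182
Source process name: SYSTEM:REMOTE
Source user name: NT AUTHORITY\\SYSTEM
Target host name: computername
Target path: C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-1\\
Access requested: Delete
Vector type: File Share
"""

# Constructed sample 2 (invented): same pseudo-process, but the target is NOT the scanner.
EVENT_OTHER_REMOTE = """\
Analyzer rule name: Remotely accessing local files or folders
Action taken: Would Block
Threat event ID: 1095
Source file path: SYSTEM:REMOTE
Source IPV4: 10.10.6.77
Source process name: SYSTEM:REMOTE
Source user name: NT AUTHORITY\\SYSTEM
Target host name: computername
Target path: C:\\Users\\Public\\Documents\\report.docx
Access requested: Write
Vector type: File Share
"""


def parse_event(text: str) -> Dict[str, str]:
    """Split each 'Key: Value' line at the FIRST ': ' so Windows paths (C:\\...)
    and 'SYSTEM:REMOTE' on the value side stay intact."""
    event: Dict[str, str] = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        event[key.strip()] = value.strip()
    return event


def _norm_path(path: str) -> str:
    """Case- and separator-insensitive comparison form for NTFS paths."""
    return path.replace("/", "\\").lower()


def classify(event: Dict[str, str]) -> str:
    """Known-benign only when rule, remote pseudo-process AND target directory
    all match the scanner; anything else stays in the review queue."""
    same_rule = event.get("Analyzer rule name") == RULE_NAME
    remote = event.get("Source process name") == REMOTE_PSEUDO_PROCESS
    target = _norm_path(event.get("Target path", ""))
    in_scanner_dir = target.startswith(_norm_path(PDQ_SCANNER_DIR))
    if same_rule and remote and in_scanner_dir:
        return "known-benign: PDQ Inventory scanner"
    return "review"


def triage(raw_events: List[str]) -> List[Tuple[str, str]]:
    """Return (classification, target path) for each raw event text."""
    return [(classify(e), e.get("Target path", "")) for e in map(parse_event, raw_events)]


def hidden_by_source_only_exclusion(raw_events: List[str]) -> List[str]:
    """Target paths that an exclusion on SYSTEM:REMOTE alone would silence:
    every remote access, not just the scanner's, which is the answer's point."""
    return [e.get("Target path", "") for e in map(parse_event, raw_events)
            if e.get("Source process name") == REMOTE_PSEUDO_PROCESS]


if __name__ == "__main__":
    samples = [EVENT_PDQ_SCAN, EVENT_OTHER_REMOTE]
    for label, target in triage(samples):
        print(f"{label:40} {target}")
    print("hidden by a SYSTEM:REMOTE-only exclusion:",
          len(hidden_by_source_only_exclusion(samples)))
```

The matching is deliberately conjunctive: the scanner's events are recognised by what they touch (the scanner directory, under the named rule) rather than by who touched them, because on the source side every remote access looks the same. Running the block shows the first event tagged known-benign and the second left for review, while a source-only exclusion would have hidden both.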
ssedhai
Level 9
Message 3 of 3

Re: How can I make exclusion to PDQInventory-Scanner?


@Kenchee_etf 

Thanks for the response. These events are not bothering me, but I just wanted to reduce the number of events so that I can focus only on the important ones.

I can keep it as it is.

Cheers!
