cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
DavHio
Level 10
Report Inappropriate Content
Message 1 of 13
‎09-21-2018 12:41 AM

McAfee ATP blocking McAfee Process?

Jump to solution

L_EADF.tmp.PNGmyversions.png

Labels (1)
0 Kudos
Reply
1 Solution

Accepted Solutions
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 13
‎09-21-2018 10:57 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

Please see:

KB89079 - McAfee Agent installation file FramePkg.exe is blocked by anti-virus software
https://kc.mcafee.com/corporate/index?page=content&id=KB89079

View solution in original post

0 Kudos
Reply
12 Replies
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 13
‎09-21-2018 10:57 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

Please see:

KB89079 - McAfee Agent installation file FramePkg.exe is blocked by anti-virus software
https://kc.mcafee.com/corporate/index?page=content&id=KB89079

0 Kudos
Reply
ChrisQ
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 13
‎11-27-2019 02:00 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

Is this a wide-spread issue? 

The solution "Exclude the file FramePkg.exe from inspection by antivirus software." sounds great until malware writers start naming their malware FramePkg.exe

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 4 of 13
‎11-27-2019 02:08 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

Hi @ChrisQ 

This is true. It can be easily tricked. The problem is that this file is unsigned, because it's generated "on the fly" and is unique to each environment. If you use TIE, you can whitelist your Framepkg file but this will only help until you generate a new one and then you'd need to whitelist (mark it as known trusted) again. 

0 Kudos
Reply
ChrisQ
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 13
‎11-27-2019 02:16 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

Thanks @Former Member 

Do you have any info on the environment this is happening in? 

I'm using ENS 10.6.1 Oct release (currently upgrading to 10.7) with ATP (and TIE) and agent 5.6.2.209 and I'm not (currently) seeing this issue. I would like to keep it that way so some more details in KB89079 would be good.

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 6 of 13
‎11-27-2019 02:20 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

So this file would typically be a "unknown" reputation. So in terms of ATP, you would not see any detection if you have your ATP settings set to not take action on anything with a reputation of "unknown" and lower. (These are found in your ATP Options policy)

0 Kudos
Reply
ChrisQ
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 7 of 13
‎11-27-2019 02:41 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

I have this set at Unknown but I'm not seeing the file.

I'll keep an eye on the KB and see if more info comes out soon.

0 Kudos
Reply
ChrisQ
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 13
‎11-27-2019 02:44 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

*I'm not a seeing a problem with the file*

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 9 of 13
‎11-27-2019 02:47 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

@ChrisQ Right, but what ATP settings do you have in the ATP policy? There are too many scenarios to cover. I don't expect the KB to be updated I'm afraid.

0 Kudos
Reply
ChrisQ
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 10 of 13
‎11-27-2019 02:59 AM

Re: McAfee ATP blocking McAfee Process?

Jump to solution

@Former Member I have a fairly default Balanced setting, with Real Protect on Medium.

I guess this level allows the agent to install/upgrade and it's not seen as Malicious as I have Trigger DAC on might be malicious, Block on most likely malicious, and Clean on known malicious.

I agree there are many potential settings, but it would be good if the KB had a bit more detail.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC