Pavel1
Level 7
Message 1 of 9

Problem with exclusion for endpoint threat prevention->Exploit prevention.


Good day. I've got a problem.

I got those threat event logs (and the same one but with Analyzer Rule ID: 6086) on many computers. I know that MONITORINGHOST.EXE is a legitimate program and it needs to start PowerShell.

I want to add an exclusion for this event but it didn't work. I know I can disable it by signature ID, but this rule is really important and I don't want to disable it.

Thanks for your answer

Example for Threat Event Logs


Threat Target User Name: NT AUTHORITY\SYSTEM
Threat Target Process Name:POWERSHELL.EXE
Threat Target File Path:C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Event Category: Host intrusion buffer overflow
Event ID:18054
Threat Severity:Critical
Threat Name:ExP:Illegal API Use
Threat Type:Exploit Prevention
Would block
True
Analyzer Detection Method: Exploit Prevention
Events received from managed systems 
Event Description:
An exploit was attempted and blocked
Endpoint Security 
Module Name: Threat Prevention
Analyzer Rule ID: 6082
Analyzer Rule Name: Powershell Command Restriction - ExecutionPolicy Unrestricted
Target Hash: c031e215b8b08c752bf362f6d4c5d3ad
Yes
CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Target Parent Process Name: MONITORINGHOST.EXE
Target Parent Process Hash: b51e6a1ec4961959ce008e1ca2190296
Target Name: POWERSHELL.EXE
Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
Target File Size (Bytes): 478720
Target Modify Time: 11/22/14 5:44:53 AM EET
Target Access Time: 11/22/14 5:44:53 AM EET
Target Create Time: 11/22/14 5:44:53 AM EET
API Name: AtlComPtrAssign
First Action Status: Not available
Second Action Status: Not available
Description: ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API. It wasn't blocked because Exploit Prevention was set to Report Only.
Attack Vector Type: Local System

 

Exclusion that I created:

Process

Name: powershell

File name or path (can include * or ? wildcards): POWERSHELL.EXE

Signatures:  CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

Caller Module

 Name: MONITORINGHOST

File name or path (can include * or ? wildcards):  MONITORINGHOST.EXE

Signatures:  C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION

2 Solutions

Accepted Solutions
AdithyanT
Employee
Message 2 of 9

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


Hi @Pavel1,

Thank you for your post. Looks like a strange one. Can you go through the below document just to be sure the exclusion is added as prescribed?

Also, I would recommend raising a support case where, if this is a genuine false positive, our Labs team can add this as an exclusion in a content update in a future release!


Thanks and regards,
Adithyan T


Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


Hello @Pavel1 and @AdithyanT 

What you see is not a false positive, per se, and based on the provided description everything works as expected: if the signature is enabled it will trigger, and an exclusion of MONITORINGHOST.EXE will not make any difference, because that is not what is being blocked by those signatures.

What is being blocked is actually PowerShell command parameters: if PowerShell tries to execute specific commands it will be blocked, and "Target Parent Process" can be anything. What is being blocked in the example provided is:

* Signature 6082 executed -ExecutionPolicy Unrestricted
* Signature 6086 executed -Command

Every signature used for this purpose in the EP policy has a defined command that it is blocking, and they are all disabled by default considering that they may generate a lot of events. You may find more info in:

*** Reference Guide Expert Rules Syntax for McAfee Endpoint Security Threat Prevention 10.5.3 For use with McAfee ePolicy Orchestrator
https://docs.mcafee.com/bundle/endpoint-security-v10-5-3-adaptive-threat-protection-expert-rules-syn...

where on page 33, section "Blocking specified PowerShell parameters", you will also find a couple of examples of those parameters, where some of those examples correlate with actual EP signatures:

* Signature 6084 executed -NoLogo
* Signature 6085 executed -File

Now, the reason why I stated that exclusions of MONITORINGHOST.EXE will not make any difference can be found on page 41 of the same document, where we have:

caller module ---> Path to a module (for example, a DLL) loaded by an executable that calls and causes a buffer overflow.

So how to deal with this situation?

Like I stated, if enabled and violated, the signature will trigger every time the specific command is called by PowerShell, potentially causing a lot of events; those signatures are disabled by default.

Now, if you still decide to use those signatures, one of the potential workarounds is to create a custom signature to monitor specific parameters instead of the default signature, where, compared to the default, in a custom rule you may define a parameter exclusion. For example, in the example given on page 33 you have:

Include PROCESS_CMD_LINE { -v "*-EncodedCommand*" }
Exclude PROCESS_CMD_LINE { -v "*-EncodedCommand ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA==" }

which effectively means: block everything with -EncodedCommand except the one listed.

For more info how to do it, you may also use:

*** Endpoint Security Threat Prevention Expert Rules training videos
https://kc.mcafee.com/corporate/index?page=content&id=KB89677

One really important piece of info about this: creation and troubleshooting of custom expert rules is out of scope for Support, and you may purchase our ProServ services to come into your environment for that task.

Please note:
Best practice is to configure the signature to report only and then evaluate what that signature is actually blocking, to make sure that the signature will not block some essential system functions.

Once you are sure that the EP signature will not block anything other than what you wanted it to block, then you can enable block on a couple of non-critical test machines first, before you enable it across the environment.

I hope this helps, and please, please, please make sure to always perform report -> evaluate -> block; otherwise, EP rules are so powerful that they can get you into a lot of trouble if not configured properly.

I hope this helps.



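As an added illustration (not code from this thread or from McAfee), here is a small Python model of the Include/Exclude PROCESS_CMD_LINE pair quoted in the reply above, run over constructed PowerShell command lines. The glob-style (* and ?) case-insensitive matching and the "any Exclude overrides the Includes" logic are assumptions of the model, not a statement of the engine's exact behaviour; the parent process is carried along only to show that these clauses never consult it, which is the point made about MONITORINGHOST.EXE.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Only the two clause kinds shown on this page are modelled; other lines are ignored.
CLAUSE_RE = re.compile(r'^(Include|Exclude)\s+PROCESS_CMD_LINE\s*\{\s*-v\s+"(.*)"\s*\}$')

@dataclass
class CmdLineRule:
    includes: list = field(default_factory=list)
    excludes: list = field(default_factory=list)

    @classmethod
    def parse(cls, text):
        rule = cls()
        for line in text.splitlines():
            m = CLAUSE_RE.match(line.strip())
            if m:
                (rule.includes if m.group(1) == "Include" else rule.excludes).append(m.group(2))
        return rule

    def matches(self, cmd_line):
        # Assumed semantics: case-insensitive glob match; the command line triggers
        # the rule when some Include pattern matches and no Exclude pattern does.
        cl = cmd_line.lower()
        if not any(fnmatch.fnmatchcase(cl, p.lower()) for p in self.includes):
            return False
        return not any(fnmatch.fnmatchcase(cl, p.lower()) for p in self.excludes)

# The rule pair quoted from the reply above.
RULE_TEXT = """
Include PROCESS_CMD_LINE { -v "*-EncodedCommand*" }
Exclude PROCESS_CMD_LINE { -v "*-EncodedCommand ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA==" }
"""

# Constructed sample events: (parent process, PowerShell command line). The parent
# is kept only to show that PROCESS_CMD_LINE clauses never look at it.
ALLOWED_B64 = "ZABpAHIAIAAnAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAJwAgAA=="
SAMPLE_EVENTS = [
    ("MONITORINGHOST.EXE", f"powershell.exe -EncodedCommand {ALLOWED_B64}"),
    ("CMD.EXE", f"powershell.exe -EncodedCommand {ALLOWED_B64}"),
    ("MONITORINGHOST.EXE", "powershell.exe -NoLogo -EncodedCommand QQBCAEMA"),  # base64 of 'ABC'
    ("MONITORINGHOST.EXE", "powershell.exe -ExecutionPolicy Unrestricted -File C:\\collect.ps1"),
]

def evaluate(rule_text=RULE_TEXT, events=SAMPLE_EVENTS):
    """Return (parent, triggered) per event; only the command line decides the outcome."""
    rule = CmdLineRule.parse(rule_text)
    return [(parent, rule.matches(cmd)) for parent, cmd in events]
```

Running evaluate() shows the listed -EncodedCommand value passing regardless of parent, a different encoded command triggering, and the -ExecutionPolicy Unrestricted line untouched by this particular rule (that one belongs to signature 6082).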

8 Replies
AdithyanT
Employee
Message 4 of 9

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


Hi @Pavel1,

Apologies for the inconvenience. I stand corrected here; my bad that I missed the analyzer rule here. @Kenchee_etf: thank you for helping out here, great post!


Thanks and regards,
Adithyan T
Former Member
Not applicable
Message 5 of 9

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


Hello @Kenchee_etf, @Pavel1, @AdithyanT,

I guess @Kenchee_etf is right, but not regarding this specific rule. The rule regards only one specific option the rule cares about, which is *-Executionpolicy Unrestricted. In this case the rule will always trigger no matter how you exclude the "source" (in the customer's case this is MONITORINGHOST.EXE); you can't set a proper exclusion for the destination, which is powershell.exe, and in particular the ExecutionPolicy. I guess if the application requires this particular switch, better to disable the rule altogether.

ExP:Illegal API Use Blocked an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the AtlComPtrAssign API.

This is going to be out of scope for Technical Support in any case, as @Kenchee_etf mentioned, and if there is a way to work around this (I doubt it), the customer would need to reach McAfee Professional Services.

https://www.mcafee.com/enterprise/en-au/services.html 

Hope it helps.

CraigR1
Level 8
Message 6 of 9

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


The workaround of applying an expert rule works well.

Can I ask, is there a way to keep " in the actual exclusion input?

i.e. if you are using:

Exclude PROCESS_CMD_LINE { -v "*-NoLogo blah blah "C:\Windows" blah blah *"}

How can we keep the "" that surround C:\Windows?

Can we backslash these? Is this regex? Is there a syntax guide somewhere?

CraigR1
Level 8
Message 7 of 9

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


Now, the reason why I stated that exclusions of MONITORINGHOST.EXE will not make any difference can be found on page 41 of the same document, where we have:

caller module ---> Path to a module (for example, a DLL) loaded by an executable that calls and causes a buffer overflow.


This was such a good post, but I'm struggling to understand the meaning of the above section. Why does the 'Path to a module loaded by an executable that calls and causes a buffer overflow.' mean that 'monitoringhost.exe' has no impact?

Is it because monitoringhost.exe is not a caller module?

Sorry for any ignorance; I couldn't find much documentation around the caller module section of exclusions.

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.


Hello @CraigR1 

Thank you for your compliment and feel free to leave kudos on the post if you find it deserves it.

Now, MONITORINGHOST.EXE here is not a caller module; it is the parent process telling the child POWERSHELL.EXE to go and do something that is not allowed by the signature.

The same violation can be achieved with CMD.EXE, where it, as parent, may tell its child, POWERSHELL.EXE, to go ahead and execute some command, and execution will be blocked, but CMD.EXE itself is not doing any violation.

Now, when we are talking about a caller module, aka a path to a module (for example, a DLL) loaded by an executable that calls and causes a buffer overflow, that would be the situation if MONITORINGHOST.EXE or CMD.EXE loads some DLL and commands inside that DLL, which is loaded inside of MONITORINGHOST.EXE or CMD.EXE, are causing problems.

I hope I am explaining myself properly, and I hope this helps.


CraigR1
Level 8
Message 9 of 9

Re: Problem with exclusion for endpoint threat prevention->Exploit prevention.

Brilliant, answers it really clearly. Appreciate it