Status regarding Taidoor Malware

We recently received an alert from the FBI and several other sources regarding Taidoor Malware. My management team is interested to know what levels of protection are in place given that we are running ENS 10.6.1. We are in the process of rolling out 10.7 (May update) and we would like any information that can be provided by McAfee regarding this current form of malware, for example: current DAT coverage, Exploit Prevention, Access Protection, known file hash values, etc. Thank you.
1 Solution

Accepted Solutions
ryadav1
Employee
Message 2 of 7

Re: Status regarding Taidoor Malware

Hello,

Please be informed that we already have coverage for this variant of malware in our Production DAT / AMCore content as well as GTI coverage. Kindly ensure your DAT / AMCore content is up to date.

Thank you.

McAfee Support

6 Replies
Re: Status regarding Taidoor Malware

Thank you very much.

Glenn

SWISS
Reliable Contributor
Message 4 of 7

Re: Status regarding Taidoor Malware

We strongly recommend you upscale to the latest 10.7 version ASAP.

Also make sure you are aware of the different modules, including ATP / TIE Server.

The "Endpoint Security Advanced Threat Protection (ATP)" module is now free with the ENS licence.

You can use it cloud-based or install a licensed TIE Server internally, but that is only recommended together with an ATP sandbox (expensive, but you need it these days...). With the TIE Server you have more control and can approve or deny yourself, and all info is kept on premise (in-house).

Greetings from Switzerland

Re: Status regarding Taidoor Malware

We are in the process of upgrading to ENS 10.7 and I recently implemented TIE and DXL.

I will be posting another message regarding how some PowerShell scripts are now being detected as malicious after upgrading to 10.7.

I hope you can review this and let me know your opinion.

Thank you again,

 

SWISS
Reliable Contributor
Message 6 of 7

Re: Status regarding Taidoor Malware

Hello,

About the PowerShell (if it's not your code): check it on virustotal.com.

That info is also pulled by ENS ATP and also TIE. They seem to have an extremely large number of false positives with virustotal.com because they integrated some fresh new scanners.

You can't turn ALL PowerShell options in the Exploit module on. Some are impossible to use in, for example, a development-environment company.

Greetings from Switzerland

Re: Status regarding Taidoor Malware

Thank you again... I may add a separate post on how best to manage PowerShell script issues. Since implementing ATP as part of ENS 10.6.1, we have seen some strange detections related to certain PowerShell scripts. Adding the actual script as an exclusion resolved the issue for OAS.

In the latest case, ATP is in "Enable Mode" yet the description results state:

"Adaptive Threat Protection would have repaired C:\Windows\ccmcache\5m\GUI.ps1 based on its reputation (Known Malicious), but didn't because Observe mode is enabled."

 

Additional notes:

Threat Source Process Name: powershell.exe

Event Category: Malware detected using heuristics

Threat Name: Real Protect-PSL!5077131b8a83

Threat Type: Trojan

Action Taken: Adaptive Threat Protection Would Clean

Threat Handled: True

Analyzer Detection Method: Real Protect Client

Module Name: Adaptive Threat Protection

Rule Description: No rule affected this reputation

 

 

Thank you!
