GCDC
Level 7
Message 1 of 6

Trellix Agent upgrade is blocked by ENS

I am trying to upgrade the Trellix Agent, but it is not possible because ENS blocked the upgrade. We have found that ENS blocks msiexec from modifying the files and registry of the Trellix installation.

The locks are:

- Exploit prevention. LOG-

XModuleEvents.cpp(851) | NT AUTHORITY\SYSTEM ran C:\Windows\System32\msiexec.exe, which tried to access HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\MCAFEEUPDATERUI\"C:\Program Files\McAfee\Agent\x86\UpdaterUI.exe" /StartedFromRunKey, violating the rule "T1547 - New Startup Program Creation", and was blocked. For information about how to respond to this event, see KB85494.

- Self Protection LOG-

NT AUTHORITY\SYSTEM ran C:\Windows\System32\msiexec.exe, which tried to access C:\ProgramData\McAfee\, violating the rule "Core Protection - Protect core Trellix files and folders", and was blocked. For information about how to respond to this event, see KB85494.

NT AUTHORITY\SYSTEM ran C:\Windows\System32\msiexec.exe, which tried to access C:\ProgramData\McAfee\, violating the rule "Adaptive Threat Protection - Protect core McAfee files and folders", and was blocked. For information about how to respond to this event, see KB85494.

We could allow msiexec globally but I think it is not safe. Is it possible to enable it only for Trellix products installed by ePo?

Data:

Old Agent Version - 5.7.5.504

New Agent Version - 5.7.8.262

ENS Version - 10.7

ePo Version - 5.10 Update 15
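
Added example, not part of the original post and not Trellix tooling: a small Python parser for the event sentences quoted in the logs above. It groups the blocked targets by process and rule, so the scope of any exclusion can be checked against what was actually blocked. The `VENDOR_MARKERS` list and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Event sentence format as seen in the ENS log excerpts quoted in this thread.
EVENT_RE = re.compile(
    r'(?P<user>[\w ]+\\[\w$]+) ran (?P<process>[A-Za-z]:\\[^,]+?\.exe), '
    r'which tried to access (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was blocked\.'
)
# Assumption: substrings that mark a target as part of the vendor's own install.
VENDOR_MARKERS = ("\\MCAFEE", "\\TRELLIX")

def parse_events(text):
    """Return one dict (user, process, target, rule) per blocked event in text."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in EVENT_RE.finditer(text)]

def targets_by_rule(events):
    """Map (process, rule) -> set of blocked targets, to scope any exclusion."""
    grouped = defaultdict(set)
    for e in events:
        grouped[(e["process"], e["rule"])].add(e["target"])
    return dict(grouped)

def vendor_only(events, markers=VENDOR_MARKERS):
    """True when every blocked target contains one of the vendor markers."""
    return all(any(m in e["target"].upper() for m in markers) for e in events)

# Sample input: the three events from the thread's log excerpts, rebuilt inline.
RAN = r"NT AUTHORITY\SYSTEM ran C:\Windows\System32\msiexec.exe, which tried to access "
KB_NOTE = " For information about how to respond to this event, see KB85494."
SAMPLE_LOG = (
    "XModuleEvents.cpp(851) | " + RAN
    + r'HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\MCAFEEUPDATERUI'
    + r'\"C:\Program Files\McAfee\Agent\x86\UpdaterUI.exe" /StartedFromRunKey'
    + ', violating the rule "T1547 - New Startup Program Creation", and was blocked.'
    + KB_NOTE + "\n" + RAN + r"C:\ProgramData\McAfee" + "\\"
    + ', violating the rule "Core Protection - Protect core Trellix files and folders"'
    + ", and was blocked." + KB_NOTE + " " + RAN + r"C:\ProgramData\McAfee" + "\\"
    + ', violating the rule "Adaptive Threat Protection - Protect core McAfee files'
    + ' and folders", and was blocked.' + KB_NOTE
)

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for (process, rule), targets in targets_by_rule(events).items():
        print(f"{process} | {rule}")
        for t in sorted(targets):
            print(f"    {t}")
    print("all targets vendor-owned:", vendor_only(events))
```
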

5 Replies
hnegishi
Employee
Message 2 of 6

Re: Trellix Agent upgrade is blocked by ENS

Hi @GCDC 

Apologies for the delayed reply.

msiexec.exe on your PC might not be trusted by ENS.

You might need to run Windows Update and update the root certificate as described in the following article.

https://kcm.trellix.com/corporate/index?page=content&id=KB91697

 

Pravas
Employee
Message 3 of 6

Re: Trellix Agent upgrade is blocked by ENS

Hi @GCDC ,

Exploit Prevention Rule ID 344, i.e. T1547 - New Startup Program Creation, is designed to block applications from registering themselves in startup/logon locations such as HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\.

This is common behavior for legitimate applications but is also seen with malicious executables.

In this case you could take the following approach.

1. Add an exclusion for msiexec including its path. [Note: This also bypasses msiexec from all other Exploit Prevention Rules]

2. Disable Rule ID 344.

Thanks


GCDC
Level 7
Message 4 of 6

Re: Trellix Agent upgrade is blocked by ENS

Thank you very much.

I'm going to read the articles and do tests.

GCDC
Level 7
Message 5 of 6

Re: Trellix Agent upgrade is blocked by ENS

We imported the registry by GPO, from KB91697 and KB92948 (cert), but it won't work.

ueno
Employee
Message 6 of 6

Re: Trellix Agent upgrade is blocked by ENS

Hi @GCDC ,

 

If you have already installed the root certificate needed by ENS from KB91697, you should try to reset the VTP service with the following steps. The VTP service is used to check whether a module is trusted or not.

1. Start a command prompt with administrator privileges.
2. Enter the following command.
> cd C:\Program Files\Common Files\McAfee\SystemCore
3. Enter the following command
> vtpinfo.exe /resetvtpcache
