McAfee Exploit Prevention Content 9963
Release Notes |
2020-03-10
Content package version for –
McAfee Endpoint Security Exploit Prevention: 10.6.0.9963*
McAfee Host Intrusion Prevention: 8.0.0.9963
* Applicable on all versions of McAfee Endpoint Security Exploit Prevention including version 10.7.x
Note: McAfee V3 Virus Definition Updates (DATs) version 3786 or above is a mandatory
prerequisite for this Exploit prevention content update on McAfee Endpoint Security versions
10.5.x and 10.6.x only. Refer to the below KB for more information:
https://kc.mcafee.com/corporate/index?page=content&id=KB91867
New Windows Signatures
Minimum Supported
Product version
Host Intrusion
Prevention
Endpoint
Security Exploit
Prevention
Signature 6148: Malware Behavior: Windows EFS abuse
Description:
- EFS or Encrypt file system is a Microsoft feature of NTFS that
provides file-level encryption. This event indicates a malware
attempt to encrypt files and folders using EFS.
- The signature is Disabled by default.
Note: Customer can change the level/reaction-type of this signature based on
their requirement.
This signature is available on Endpoint Security Exploit Prevention product with
content version 10.6.0.9845 onwards and is newly added for Host Intrusion
Prevention product
8.0.0 10.5.3
(Content:
10.6.0.9845)
Signature 6150: Malware Behavior: Trickbot malware activity detected
Description:
- Trickbot is a banking trojan that targets user’s sensitive information
and acts as a dropper for other malwares. This event indicates an
attempt to drop malicious files on the user’s system using certain
variant of Trickbot.
- The signature is Disabled by default.
Note: Customer can change the level/reaction-type of this signature based on
their requirement.
8.0.0 10.5.3
(Content:
10.6.0.9906)
This signature
is available on Endpoint Security Exploit Prevention product with
content version 10.6.0.9906 onwards and is newly added for Host Intrusion
Prevention product
Signature 6151: Unmanaged Powershell Detected - II
Description:
- This event indicates an attempt to launch unmanaged powershell.
This is usually used by attackers to evade security mechanism
applicable to powershell
- The signature is Disabled by default.
Note: Customer can change the level/reaction-type of this signature based on
their requirement.
8.0.0 10.5.3
Signature 6152: Unintended Lsass.exe access detected
Description:
- This event indicates an attempt to access lsass process using
mimikatz, using which an attacker can dump the credentials.
- The signature is Disabled by default.
Note: Customer can change the level/reaction-type of this signature based on
their requirement.
Not
Applicable
10.5.4
Signature 6153: Malware Behavior: Ryuk Ransomware activity detected
Description:
- This event indicates an attempt to encrypt user’s files using certain
variants of Ryuk Ransomware.
- The signature is Disabled by default.
Note: Customer can change the level/reaction-type of this signature based on
their requirement.
Not
Applicable
10.5.3
Signature 6154: LSASS memory read attempt to dump Credentials
Description:
- The event indicates an attempt to access lsass memory by injecting
mimikatz to the process, using which an attacker can dump the
user’s credentials.
- The signature is Disabled by default.
Note: Customer can change the level/reaction-type of this signature based on
their requirement.
8.0.0 10.5.0
Note: Refer to the KB for the default Reaction-type associated with Signature severity level for all
supported Product versions:
https://kc.mcafee.com/corporate/index?page=content&id=KB90369
Updated Windows Signatures
Minimum Supported
Product version
Host
Intrusion
Prevention
Endpoint
Security
Exploit
Prevention
Bugfix: The default severity level of the below listed signatures is changed from Medium
to Disabled as a part of the signature clean up activity.
Please note that this change is applicable for all versions of Host Intrusion Prevention
and Endpoint Security Exploit Prevention products.
S.No.
Signature
Id Signature Name
1 960 Msgina.dll File Modified
2 2240 Windows Metafile Denial of Service Vulnerability (2)
3 2252
Microsoft KB978262 Critical Cumulative Security Update of
ActiveX Kill Bits
4 2260
Vulnerability in Microsoft Data Analyzer ActiveX Control
Could Allow Remote Code Execution
5 2261
Vulnerability in Microsoft Internet Explorer 8 Developer
Tools Could Allow Remote Code Execution
6 2266 Access ActiveX Control Vulnerability
7 2267 ACCWIZ.dll Uninitialized Variable Vulnerability
8 2280
Vulnerability in Netlogon RPC Service Could Allow Denial of
Service
9 2285 Active Directory SPN Validation Vulnerability
10 2660 IE Envelope - HTML Application Execution
11 2664 IE Envelope - Windows Help Execution
12 2720 Outlook Envelope - Windows Executable Mod.
13 2721 Outlook Envelope - Abnormal Executable Mod.
14 2760 Outlook Envelope - HTML Application Execution
15 2761 Outlook Envelope - Suspicious Executable Mod.
16 2762 Outlook Envelope - Compiled Help File Execution
17 2763 Outlook Envelope - NTVDM Execution
18 2779 TDSS Rootkit Infection
19 2834 Java - Creation of suspicious files in Temp folder
20 3754 Illegal Execution in winword.exe
21 3763 Windows Kernel Elevation of Privilege Vulnerability
22 3779 Windows IE ADODB.Connection Vulnerability
23 3784
Vulnerability in Microsoft Agent Could Allow Remote Code
Execution
24 3809 Microsoft Outlook VEVENT Vulnerability
25 3819 Vulnerability in HTML Help ActiveX Control
26 3821 Vulnerability in Microsoft Word Macro Security
27 3826 Multiple buffer overflows in the SupportSoft ActiveX controls
28 3831 Windows IE ADODB.Recordset Vulnerability
29 3869
Vulnerability in RealPlayer ActiveX Control Could Allow
Remote Code Execution
30 3912
Vulnerability in Microsoft Office Web Components ActiveX
Control Could Allow Remote Code Execution
31 3922 Illegal Execution in Microsoft Excel
32 3941
Microsoft Visual Studio Msmask32 ActiveX Control Could
Allow Remote Code Execution
8.0.0 10.5.3
33 3952
Novell iPrint Client ActiveX Control Stack Buffer Overflow
Vulnerability
34 3954
ComponentOne VSFlexGrid v. 7/8 ActiveX Control 'Archive()'
method Local Buffer Overflow Vulnerability
35 3956 VMWare COM API Remote Buffer Overflow Vulnerability
36 3957 Microsoft KB956391 Cumulative Update of ActiveX Kill Bits
37 6033 Shortcut Icon Loading Vulnerability
38 6047 Illegal Execution - Writable Memory
39 6049 Suspicious Function Invocation - No Module
40 6054 VLC - Suspicious Function Invocation
41 6078 Mimikatz usage
42 6108 Powershell - Suspicious downloadstring script execution
43 6109 Powershell - Suspicious wmi script execution
Note: Customer can change the level/reaction-type of this signature based on their
requirement.
Refer to the KB for the default Reaction-type associated with Signature severity level for
all supported Product versions:
https://kc.mcafee.com/corporate/index?page=content&id=KB90369
Bugfix: The below signatures are modified to reduce the false positives
S.No.
Signature
ID Signature Name
1 6070 Hidden Powershell Detected
2 6073 Execution Policy Bypass in Powershell
3 6081 Powershell Command Restriction - NoProfile
4 6082
Powershell Command Restriction - ExecutionPolicy
Unrestricted
5 6083 Powershell Command Restriction - NonInteractive
6 6084 Powershell Command Restriction - NoLogo
7 6085 Powershell Command Restriction - File
8 6086 Powershell Command Restriction - Command
9 6087 Powershell Command Restriction - EncodedCommand
10 6096 Powershell Command Restriction - InvokeExpression
11 6108 Powershell - Suspicious downloadstring script execution
12 6109 Powershell - Suspicious wmi script execution
8.0.0 10.5.3
Updated Non-Windows Signatures
Minimum Supported
Product version
Host Intrusion Prevention
Signature 1051: Linux Agent Shielding - File Mod
Description:
- The signature has been modified to reduce the false positives.
8.0.0
Existing coverage for New Vulnerabilities
Minimum Supported
Product version
Host Intrusion
Prevention
Endpoint
Security Exploit
Prevention
Coverage by GBOP: GBOP Signatures 428, 1146, 6012, 6013, 6014 and 6048
are expected to cover the below vulnerabilities:
- CVE-2020-0824
- CVE-2020-0832
- CVE-2020-0833
- CVE-2020-0847
Coverage by GBOP: GBOP Signatures 428, 1146, 6012, 6013, 6014 and 6048
are expected to cover the below vulnerabilities:
- CVE-2020-3804
- CVE-2020-3805
Coverage by GPEP: Generic Privilege Escalation Prevention (Signature 6052)
is expected to cover the below vulnerabilities:
- CVE-2020-0788
- CVE-2020-0791
- CVE-2020-0799
- CVE-2020-0877
- CVE-2020-0887
- CVE-2020-0898
8.0.0
8.0.0
8.0.0
10.5.0
10.5.0
10.5.0
How to Update
Please find below the KB article reference on how to update the content for following
products:
1. McAfee Endpoint Security Exploit Prevention:
https://kc.mcafee.com/corporate/index?page=content&id=KB92136
2. McAfee Host Intrusion Prevention:
https://kc.mcafee.com/corporate/index?page=content&id=KB53092
