Mcafee Exploit Prevention Content 9963

McAfee Exploit Prevention Content 9963

Release Notes | 2020-03-10

Content package version for – McAfee Endpoint Security Exploit Prevention: 10.6.0.9963* McAfee Host Intrusion Prevention: 8.0.0.9963 * Applicable on all versions of McAfee Endpoint Security Exploit Prevention including version 10.7.x

Note: McAfee V3 Virus Definition Updates (DATs) version 3786 or above is a mandatory prerequisite for this Exploit prevention content update on McAfee Endpoint Security versions 10.5.x and 10.6.x only. Refer to the below KB for more information: https://kc.mcafee.com/corporate/index?page=content&id=KB91867

Minimum Supported New Windows Signatures Product version Host Intrusion Endpoint Prevention Security Exploit Prevention Signature 6148: Malware Behavior: Windows EFS abuse 8.0.0 10.5.3 Description: (Content: - EFS or Encrypt file system is a Microsoft feature of NTFS that 10.6.0.9845) provides file-level encryption. This event indicates a malware attempt to encrypt files and folders using EFS. - The signature is Disabled by default.

Note: Customer can change the level/reaction-type of this signature based on their requirement. This signature is available on Endpoint Security Exploit Prevention product with content version 10.6.0.9845 onwards and is newly added for Host Intrusion Prevention product

Signature 6150: Malware Behavior: Trickbot malware activity detected 8.0.0 10.5.3 Description: (Content: - Trickbot is a banking trojan that targets user’s sensitive information 10.6.0.9906) and acts as a dropper for other malwares. This event indicates an attempt to drop malicious files on the user’s system using certain variant of Trickbot. - The signature is Disabled by default.

Note: Customer can change the level/reaction-type of this signature based on their requirement. This signature is available on Endpoint Security Exploit Prevention product with content version 10.6.0.9906 onwards and is newly added for Host Intrusion Prevention product

Signature 6151: Unmanaged Powershell Detected - II 8.0.0 10.5.3 Description: - This event indicates an attempt to launch unmanaged powershell. This is usually used by attackers to evade security mechanism applicable to powershell - The signature is Disabled by default.

Note: Customer can change the level/reaction-type of this signature based on their requirement.

Signature 6152: Unintended Lsass.exe access detected Not 10.5.4 Description: Applicable - This event indicates an attempt to access lsass process using mimikatz, using which an attacker can dump the credentials. - The signature is Disabled by default.

Note: Customer can change the level/reaction-type of this signature based on their requirement.

Signature 6153: Malware Behavior: Ryuk Ransomware activity detected Not 10.5.3 Description: Applicable - This event indicates an attempt to encrypt user’s files using certain variants of Ryuk Ransomware. - The signature is Disabled by default.

Note: Customer can change the level/reaction-type of this signature based on their requirement.

Signature 6154: LSASS memory read attempt to dump Credentials 8.0.0 10.5.0 Description: - The event indicates an attempt to access lsass memory by injecting mimikatz to the process, using which an attacker can dump the user’s credentials. - The signature is Disabled by default.

Note: Customer can change the level/reaction-type of this signature based on their requirement.

Note: Refer to the KB for the default Reaction-type associated with Signature severity level for all supported Product versions: https://kc.mcafee.com/corporate/index?page=content&id=KB90369

Minimum Supported Updated Windows Signatures Product version Host Endpoint Intrusion Security Prevention Exploit Prevention Bugfix: The default severity level of the below listed signatures is changed from Medium 8.0.0 10.5.3 to Disabled as a part of the signature clean up activity. Please note that this change is applicable for all versions of Host Intrusion Prevention and Endpoint Security Exploit Prevention products.

Signature S.No. Id Signature Name 1 960 Msgina.dll File Modified 2 2240 Windows Metafile Denial of Service Vulnerability (2) Microsoft KB978262 Critical Cumulative Security Update of 3 2252 ActiveX Kill Bits Vulnerability in Microsoft Data Analyzer ActiveX Control 4 2260 Could Allow Remote Code Execution Vulnerability in Microsoft Internet Explorer 8 Developer 5 2261 Tools Could Allow Remote Code Execution 6 2266 Access ActiveX Control Vulnerability 7 2267 ACCWIZ.dll Uninitialized Variable Vulnerability Vulnerability in Netlogon RPC Service Could Allow Denial of 8 2280 Service 9 2285 Active Directory SPN Validation Vulnerability 10 2660 IE Envelope - HTML Application Execution 11 2664 IE Envelope - Windows Help Execution 12 2720 Outlook Envelope - Windows Executable Mod. 13 2721 Outlook Envelope - Abnormal Executable Mod. 14 2760 Outlook Envelope - HTML Application Execution 15 2761 Outlook Envelope - Suspicious Executable Mod. 16 2762 Outlook Envelope - Compiled Help File Execution 17 2763 Outlook Envelope - NTVDM Execution 18 2779 TDSS Rootkit Infection 19 2834 Java - Creation of suspicious files in Temp folder 20 3754 Illegal Execution in winword.exe 21 3763 Windows Kernel Elevation of Privilege Vulnerability 22 3779 Windows IE ADODB.Connection Vulnerability Vulnerability in Microsoft Agent Could Allow Remote Code 23 3784 Execution 24 3809 Microsoft Outlook VEVENT Vulnerability 25 3819 Vulnerability in HTML Help ActiveX Control 26 3821 Vulnerability in Microsoft Word Macro Security

27 3826 Multiple buffer overflows in the SupportSoft ActiveX controls 28 3831 Windows IE ADODB.Recordset Vulnerability

Vulnerability in RealPlayer ActiveX Control Could Allow 29 3869 Remote Code Execution

Vulnerability in Microsoft Office Web Components ActiveX 30 3912 Control Could Allow Remote Code Execution 31 3922 Illegal Execution in Microsoft Excel

Microsoft Visual Studio Msmask32 ActiveX Control Could 32 3941 Allow Remote Code Execution Novell iPrint Client ActiveX Control Stack Buffer Overflow 33 3952 Vulnerability ComponentOne VSFlexGrid v. 7/8 ActiveX Control 'Archive()' 34 3954 method Local Buffer Overflow Vulnerability 35 3956 VMWare COM API Remote Buffer Overflow Vulnerability 36 3957 Microsoft KB956391 Cumulative Update of ActiveX Kill Bits 37 6033 Shortcut Icon Loading Vulnerability 38 6047 Illegal Execution - Writable Memory 39 6049 Suspicious Function Invocation - No Module 40 6054 VLC - Suspicious Function Invocation 41 6078 Mimikatz usage 42 6108 Powershell - Suspicious downloadstring script execution 43 6109 Powershell - Suspicious wmi script execution

Note: Customer can change the level/reaction-type of this signature based on their requirement. Refer to the KB for the default Reaction-type associated with Signature severity level for all supported Product versions: https://kc.mcafee.com/corporate/index?page=content&id=KB90369

Bugfix: The below signatures are modified to reduce the false positives 8.0.0 10.5.3

Signature S.No. ID Signature Name 1 6070 Hidden Powershell Detected 2 6073 Execution Policy Bypass in Powershell 3 6081 Powershell Command Restriction - NoProfile Powershell Command Restriction - ExecutionPolicy 4 6082 Unrestricted 5 6083 Powershell Command Restriction - NonInteractive 6 6084 Powershell Command Restriction - NoLogo 7 6085 Powershell Command Restriction - File 8 6086 Powershell Command Restriction - Command 9 6087 Powershell Command Restriction - EncodedCommand 10 6096 Powershell Command Restriction - InvokeExpression 11 6108 Powershell - Suspicious downloadstring script execution 12 6109 Powershell - Suspicious wmi script execution

Minimum Supported Updated Non-Windows Signatures Product version Host Intrusion Prevention Signature 1051: Linux Agent Shielding - File Mod 8.0.0 Description: - The signature has been modified to reduce the false positives.

Minimum Supported Existing coverage for New Vulnerabilities Product version Host Intrusion Endpoint Prevention Security Exploit Prevention Coverage by GBOP: GBOP Signatures 428, 1146, 6012, 6013, 6014 and 6048 8.0.0 10.5.0 are expected to cover the below vulnerabilities: - CVE-2020-0824 - CVE-2020-0832 - CVE-2020-0833 - CVE-2020-0847

Coverage by GBOP: GBOP Signatures 428, 1146, 6012, 6013, 6014 and 6048 8.0.0 10.5.0 are expected to cover the below vulnerabilities: - CVE-2020-3804 - CVE-2020-3805

Coverage by GPEP: Generic Privilege Escalation Prevention (Signature 6052) 8.0.0 10.5.0 is expected to cover the below vulnerabilities: - CVE-2020-0788 - CVE-2020-0791 - CVE-2020-0799 - CVE-2020-0877 - CVE-2020-0887 - CVE-2020-0898

How to Update

Please find below the KB article reference on how to update the content for following

products: 1. McAfee Endpoint Security Exploit Prevention: https://kc.mcafee.com/corporate/index?page=content&id=KB92136 2. McAfee Host Intrusion Prevention: https://kc.mcafee.com/corporate/index?page=content&id=KB53092