McAfee Exploit Prevention Content for Linux 00154


McAfee Exploit Prevention Linux Content 00154
Release Notes | 2020-02-23

Content package version for:
- McAfee Endpoint Security Exploit Prevention for Linux: 10.7.0.00154 [1]

[1] Applicable on McAfee Endpoint Security for Linux for versions 10.7.2 and later.

New Linux Signatures

Each entry lists the signature and its Minimum Supported Product version for Endpoint Security Exploit Prevention for Linux.

Signature 50007: T1564.001 - Hidden file created in a hidden directory
Minimum Supported Product version: 10.7.2
Description:
- This event indicates a hidden file created in a hidden directory. This rule detects the atomic tests that exercise the same techniques used by the adversaries. Associated Mitre Technique ID: T1564.001 and Mitre Technique Name: Hide Artifacts: Hidden Files and Directories.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement. This is a monitoring/telemetry signature and customers are advised to fine tune the signature based on the applications used in their environment or to disable the signature in case of false positives.

Signature 50008: Attack attempt detected for Wowza Streaming Engine Insecure Permissions
Minimum Supported Product version: 10.7.2
Description:
- Wowza Streaming Engine before 4.8.5 has Insecure Permissions which may allow a local attacker to escalate privileges in the Linux version of the server by writing arbitrary commands in any file and execute them with root privileges.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement.

Signature 50009: Linux Java Envelope - Starting suspicious process from Temp folder
Minimum Supported Product version: 10.7.2
Description:
- This event indicates an attempt by Java to execute a suspicious application from temporary folder.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement. This is a monitoring/telemetry signature and customers are advised to fine tune the signature based on the applications used in their environment or to disable the signature in case of false positives.

Signature 50010: Linux Java Envelope - Creation of suspicious files in Temp folder
Minimum Supported Product version: 10.7.2
Description:
- This event indicates an attempt by Java to create suspicious files in temp folder.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement. This is a monitoring/telemetry signature and customers are advised to fine tune the signature based on the applications used in their environment or to disable the signature in case of false positives.

Signature 50011: Linux Java Envelope - Creation of suspicious files in Temp folder II
Minimum Supported Product version: 10.7.2
Description:
- This event indicates an attempt by Java to create files associated with exploit toolkit like metasploit in temp folder.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement. This is a monitoring/telemetry signature and customers are advised to fine tune the signature based on the applications used in their environment or to disable the signature in case of false positives.

Signature 50012: Linux - Vulnerability in mysql could allow Elevation of Privileges via symlink attacks
Minimum Supported Product version: 10.7.2
Description:
- This event could indicate an attempt to exploit a vulnerability in mysql that could allow attackers to cause an Elevation of Privileges (EoP) attack. This signature prevents other applications from accessing the files created by mysql.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement.

Signature 50013: Linux - MySQL Aborted Bug Report Insecure Temporary File Creation Vulnerability
Minimum Supported Product version: 10.7.2
Description:
- This event indicates an attempt to exploit a vulnerability in MySQL Aborted Bug Report. This signature prevents /tmp/failed-mysql-bugreport from link and symlink attack by non-root user.
- The signature is disabled by default.
Note: Customer can change the level/reaction-type of this signature based on their requirement.

NOTE: Refer to the KB for the default Reaction-type associated with Signature severity level for all supported Product versions: https://kc.mcafee.com/corporate/index?page=content&id=KB90369

How to Update

Please find below the KB article reference on how to update the content for following products:
1. McAfee Endpoint Security Exploit Prevention: https://kc.mcafee.com/corporate/index?page=content&id=KB92136
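
For Signature 50013, a host-side check of the path its description names, as an added example that is not part of the McAfee release notes or the product's own logic: it inspects /tmp/failed-mysql-bugreport with lstat() and reports a symlink, a hard link, or an untrusted owner. The function name and the trusted_uids parameter are assumptions made for illustration.

```python
import os
import stat

# Path named in the Signature 50013 description.
BUGREPORT_PATH = "/tmp/failed-mysql-bugreport"


def audit_temp_file(path=BUGREPORT_PATH, trusted_uids=(0,)):
    """Return a list of findings for a predictable temp-file path.

    lstat() is used so that a symlink is inspected itself, not followed.
    trusted_uids is an assumption: the accounts allowed to own the file.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []  # nothing has been planted at the path
    findings = []
    if stat.S_ISLNK(st.st_mode):
        # A write through this name would land on the link target.
        findings.append("symlink -> " + os.readlink(path))
    elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        # A second name exists for the same inode.
        findings.append("hard link (nlink=%d)" % st.st_nlink)
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid not in trusted_uids:
        findings.append("owned by untrusted uid %d" % st.st_uid)
    return findings


if __name__ == "__main__":
    for finding in audit_temp_file():
        print(BUGREPORT_PATH + ": " + finding)
```

An empty result means the path is absent or is a singly linked regular file owned by a trusted account.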
