Site of promotion
https://www.comss.ru/page.php?id=6131
Event
  • Other type of event
  • Instructions
    Get it from McAfee Endpoint Security
    Extract the components you want to install, run setup, install, done.

    Vitali Ortzi

    Level 13
    Changing rule assignment to security isolates all unknown files; changing the dynamic application containment rules to "block" blocks console programs because they call conhost.exe.

    View attachment 240841

    ATP on default settings also blocks ransominator since it calls certutil.
    I remember SEP on default settings failed against ransominator.
    McAfee is definitely stronger on default settings.
     

    Nagisa

    Level 3
    Verified
    Send me screenshots of which settings you want and I'll test it
    1.PNG
    2.PNG
    3.PNG
    4.PNG
    5.PNG

    @Vitali Ortzi Btw, both the comss.ru version and the one that I downloaded from the direct link show the same about screen. The client is self-managed but TP, ATP, Web filter and Firewall are trial, active on both versions.

    @geminis3 It would be god's work to test both SEP and MEP at the malware hub, to see which one is better than the other. I would like to test it myself with SEP but I lack experience in malware testing.
     
    Last edited by a moderator:

    geminis3

    Level 11
    Verified
    Malware Tester
    @Vitali Ortzi Btw, both the comss.ru version and the one that I downloaded from the direct link show the same about screen. The client is self-managed but TP, ATP, Web filter and Firewall are trial, active on both versions.

    @geminis3 It would be god's work to test both SEP and MEP at the malware hub, to see which one is better than the other. I would like to test it myself with SEP but I lack experience in malware testing.
    If you know how to work with VMs and things like that without infecting yourself, you can apply to the hub.
     
    Last edited:

    Chri.Mi

    Level 7
    Changing rule assignment to security isolates all unknown files; changing the dynamic application containment rules to "block" blocks console programs because they call conhost.exe.

    View attachment 240841

    ATP on default settings also blocks ransominator since it calls certutil.

    EDIT: that config contains the original ransominator (calls local 7z copy) but doesn't stop it, will do further tests.
    In the picture you don't have dynamic application containment set to block; it is set to report only. There are more settings under Threat Prevention and ATP that you can set to block. Also you can raise many items to high level or very high level heuristics. If you test sites for phishing etc., under Web Control you can set it to block red, yellow and unrecognized sites, so only trusted ones will be allowed. Remember to switch off observe mode in various settings like AMSI, otherwise it will not block anything. If you copy my settings you can set the program at a decent level (I made that for security + report). Later I switched to just the block option, without reports. Didn't know McAfee uses such bad default settings.

    Ehm, when I posted the screenshots many settings were on low... but you can increase to high or very high heuristics for max settings.

    Why does network intrusion block after 900 sec instead of 1 sec? And I would use trigger application containment when reputation is unknown. The rest seems OK.

    @geminis3
    Hey, just to understand... my English is not good. Was your ransominator blocked if set to block? Or did it escape because 7zip was trusted?
     
    Last edited:

    geminis3

    Level 11
    Verified
    Malware Tester
    @geminis3
    Hey, just to understand... my English is not good. Was your ransominator blocked if set to block? Or did it escape because 7zip was trusted?
    All C console applications call CMD (conhost.exe), so setting all those rules to block prevents any console application with unknown reputation from running.

    Disabling the "execute child processes" rule allows console applications to run, but it seems that 7z is whitelisted so all the other rules are ignored. Interestingly, it blocked ransominator from creating the ransom note (readme.txt) since it triggered some of the rules.

    PS: English is not my main language but I try to do my best.
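The containment behaviour described in the first post and in the answer above (a child-process rule set to "block" stopping every unknown console program because Windows spawns conhost.exe for it, a trusted 7z copy bypassing the rules entirely, and the ransom-note write still being blocked by another rule) can be modelled with a small rule evaluator. This is an added example, not McAfee's code and not anything posted in the thread; the rule names, reputation labels, policy names and the process events are all constructed for illustration, and ransominator appears only as the name of the test tool the posts mention.

```python
"""Toy model of reputation-based application containment (added example).

Not McAfee's code: the rule names, reputation labels, policy names and the
process events below are constructed to show how "report" vs "block" rules
interact with a process's reputation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    process: str     # image name of the acting process
    reputation: str  # constructed labels: "trusted", "unknown", "malicious"
    action: str      # "child_process" or "file_create"
    target: str      # child image name or file path


@dataclass(frozen=True)
class Rule:
    name: str
    mode: str                         # "report" logs only, "block" denies
    matches: Callable[[Event], bool]


# Only processes with these reputations are contained at all; a trusted
# (whitelisted) process is never evaluated against the rules.
CONTAINED_REPUTATIONS = {"unknown", "malicious"}

# Constructed policies: each maps a rule key to its mode.
POLICIES: Dict[str, Dict[str, str]] = {
    "default": {"child": "report", "file": "report"},  # observe only
    "strict":  {"child": "block",  "file": "block"},   # everything blocked
    "tuned":   {"child": "report", "file": "block"},   # child rule relaxed
}


def build_rules(modes: Dict[str, str]) -> List[Rule]:
    """Instantiate the constructed rule set with the given report/block modes."""
    return [
        Rule("Executing any child process", modes["child"],
             lambda e: e.action == "child_process"),
        Rule("Creating files in the user profile", modes["file"],
             lambda e: e.action == "file_create"
             and e.target.lower().startswith("c:\\users\\")),
    ]


def evaluate(event: Event, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", names of the rules the event triggered)."""
    if event.reputation not in CONTAINED_REPUTATIONS:
        return "allow", []                  # trusted: rules are never consulted
    hits = [r for r in rules if r.matches(event)]
    verdict = "block" if any(r.mode == "block" for r in hits) else "allow"
    return verdict, [r.name for r in hits]


# Constructed process events.
EVENTS = [
    Event("hello.exe", "unknown", "child_process", "conhost.exe"),  # plain C console tool
    Event("ransominator.exe", "unknown", "child_process", "7z.exe"),
    Event("7z.exe", "trusted", "file_create", r"C:\Users\vm\Documents\docs.7z"),
    Event("ransominator.exe", "unknown", "file_create", r"C:\Users\vm\Documents\readme.txt"),
]


def run_policy(policy: str) -> Dict[Tuple[str, str, str], str]:
    """Evaluate every constructed event under a policy; key = (process, action, target)."""
    rules = build_rules(POLICIES[policy])
    return {(e.process, e.action, e.target): evaluate(e, rules)[0] for e in EVENTS}


def explain(policy: str) -> List[str]:
    """One human-readable log line per event, the way a console would report it."""
    rules = build_rules(POLICIES[policy])
    lines = []
    for e in EVENTS:
        verdict, hits = evaluate(e, rules)
        detail = ", ".join(hits) if hits else f"no rule (reputation: {e.reputation})"
        lines.append(f"[{policy}] {verdict.upper()} {e.process} -> {e.action} {e.target} ({detail})")
    return lines


if __name__ == "__main__":
    for name in POLICIES:
        print("\n".join(explain(name)))
```

Under "default" every event is allowed and only logged; under "strict" the harmless console tool is blocked as soon as it spawns conhost.exe; under "tuned" console tools run again, the trusted 7z copy is never evaluated, and the ransom-note write is still blocked. The last point is the one to keep in mind when tuning: anything the product already trusts is outside the rules, so the protection rests on the reputation assignment as much as on the block/report modes.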
     

    Pat MacKnife

    Level 10
    Verified
    I will follow this thread; I also installed McAfee ENS because I have a license from the school where my daughter goes.
    I don't test with malware, but I like to tweak it a little :)
    Installed an older version (10.6) about 2 months ago, but it didn't update properly; now I asked the software academy to put the latest version on the download page and will give it another try.
     
    Last edited:

    Nagisa

    Level 3
    Verified
    Unfortunately, when I try to install it on my old Win 7 laptop, it silently fails. I tried to look at the logs but I couldn't find the problem. What does vscore mean?

    SEP looks like the only reliable and relatively light option coming after FortiClient. I wish Webroot could be better at 0-days by working harder on heuristics.
     

    Pat MacKnife

    Level 10
    Verified
    Can someone tell me what version of McAfee Agent you have installed? Here it is 5.6.3.157 (you find it in the icon info).
    I think I am behind from what I've seen on the McAfee website...
    It's important to be up-to-date because in a few days the big Windows 10 2004 May update arrives; you can read this document:
     
    Last edited:

    Chri.Mi

    Level 7
    Can someone tell me what version of McAfee Agent you have installed? Here it is 5.6.3.157 (you find it in the icon info).
    I think I am behind from what I've seen on the McAfee website...
    It's important to be up-to-date because in a few days the big Windows 10 2004 May update arrives; you can read this document:
    The same.
     