Site of promotion
https://www.comss.ru/page.php?id=6131
Event
  1. Other type of event
Instructions
Get it from McAfee Endpoint Security
Extract the components you want to install, run setup, install, done.

Vitali Ortzi

Changing the rule assignment to "Security" isolates all unknown files; changing the Dynamic Application Containment rules to "block" blocks console programs because they call conhost.exe.


ATP on default settings also blocks ransominator since it calls certutil.
I remember that SEP on default settings failed against ransominator.
McAfee is definitely stronger on default settings.
 

geminis3

Unblocking the "execute child processes" rule allows C programs to run contained; it seems that McAfee only applies the other rules to the parent process (ransominator) and not to the child ones, which are trusted (7zip in this case).

 

Nagisa

Send me screenshots of which settings you want and I'll test it.


@Vitali Ortzi Btw, both the comss.ru version and the one I downloaded from the direct link show the same About screen. The client is self-managed, but TP, ATP, Web Filter and Firewall are trial - active on both versions.

@geminis3 It would be god's work to test both SEP and MEP at the malware hub to see which one is better than the other. I would like to test it myself with SEP, but I lack experience in malware testing.
 

geminis3

> @Vitali Ortzi Btw, both the comss.ru version and the one I downloaded from the direct link show the same About screen. The client is self-managed, but TP, ATP, Web Filter and Firewall are trial - active on both versions.
>
> @geminis3 It would be god's work to test both SEP and MEP at the malware hub to see which one is better than the other. I would like to test it myself with SEP, but I lack experience in malware testing.
If you know how to work with VMs and things like that without infecting yourself, you can apply to the hub.
 

Chri.Mi

> Changing the rule assignment to "Security" isolates all unknown files; changing the Dynamic Application Containment rules to "block" blocks console programs because they call conhost.exe.
>
> ATP on default settings also blocks ransominator since it calls certutil.
>
> EDIT: that config contains the original ransominator (calls local 7z copy) but doesn't stop it; will do further tests.
In the picture you don't have it set to block with Dynamic Application Containment; it is set to report only. There are more options under Threat Prevention and ATP that you can set to block. Also, you can raise many settings to high-level or very-high-level heuristics. If you test sites for phishing etc., under Web Control you can set it to block red, yellow and unrecognized sites, so only trusted ones will be allowed. Remember to disable observe mode in various settings like AMSI, otherwise it will block nothing. If you copy my settings you can set the program to a decent level (I made that for security + report). Later I switched to just the block option, without reports. I don't know why McAfee uses such bad default settings.

Ehm, when I posted the screenshots many settings were on low... but you can increase to high or very high heuristics for max settings.

Why block network intrusions after 900 sec instead of 1 sec? And I would use "trigger application containment when reputation is unknown". The rest seems OK.

@geminis3
Hey, just to understand... my English is not good. Was your ransominator blocked if set to block? Or did it escape because 7zip was trusted?
 

geminis3

> @geminis3
> Hey, just to understand... my English is not good. Was your ransominator blocked if set to block? Or did it escape because 7zip was trusted?
All C console applications call CMD (conhost.exe), so setting all those rules to block prevents any console application with unknown reputation from running.

Disabling the "execute child processes" rule allows console applications to run, but it seems that 7z is whitelisted, so all the other rules are ignored. Interestingly, it blocked ransominator from creating the ransom note (readme.txt) since that triggered some of the rules.

PS: English is not my main language, but I try to do my best.
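The parent-versus-child gap geminis3 describes (containment rules evaluated against the acting process's own reputation, so a trusted 7z child of a contained parent is never checked) as an added example: a simplified Python model that is not McAfee's code and not from this thread, in which the reputation table, rule names and rule actions are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed reputation table (hypothetical, not a vendor feed).
REPUTATION = {"ransominator.exe": "unknown", "7z.exe": "trusted", "conhost.exe": "trusted"}

# Containment rules: action -> "report" or "block" (names paraphrase the thread).
RULES = {
    "execute child processes": "report",      # left on report so console apps can start
    "create files in user folders": "block",  # ransom note creation
    "modify files in user folders": "block",  # rewriting / archiving user data
}

@dataclass
class Proc:
    image: str
    parent: Optional["Proc"] = None

def contained(p: Proc, inherit: bool) -> bool:
    """A process is contained if its own reputation is unknown.
    With inherit=True, containment also flows down from any contained ancestor."""
    if REPUTATION.get(p.image, "unknown") == "unknown":
        return True
    return inherit and p.parent is not None and contained(p.parent, inherit)

def evaluate(p: Proc, action: str, inherit: bool) -> str:
    """Decision for a process attempting an action: allow, report or block."""
    if not contained(p, inherit):
        return "allow"  # trusted process: the rules are not even consulted
    return RULES.get(action, "allow")

def simulate(inherit: bool) -> dict:
    """Replay the thread's scenario: an unknown parent spawns a trusted 7z child."""
    parent = Proc("ransominator.exe")
    child = Proc("7z.exe", parent)
    return {
        "parent spawns conhost": evaluate(parent, "execute child processes", inherit),
        "parent writes readme.txt": evaluate(parent, "create files in user folders", inherit),
        "7z rewrites user files": evaluate(child, "modify files in user folders", inherit),
    }

if __name__ == "__main__":
    for inherit in (False, True):
        print(f"inherit containment to children = {inherit}: {simulate(inherit)}")
```

With inherit=False the trusted child's file writes are allowed while the parent's ransom note is blocked, which is the escape observed in the thread; with inherit=True the same child write is blocked.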
 

Pat MacKnife

I will follow this thread; I also installed McAfee ENS because I have a license from the school my daughter goes to.
I don't test with malware, but I like to tweak it a little :)
I installed an older version (10.6) about 2 months ago, but it didn't update properly; now I have asked the software academy to put the latest version on the download page and will give it another try.
 

Pat MacKnife

Can someone tell me what version of McAfee Agent you have installed? Here it is 5.6.3.157 (you find it in the icon info).
I think I am behind from what I've seen on the McAfee website...
It's important to be up to date because in a few days the big Windows 10 2004 May update arrives; you can read this document:
 

Chri.Mi

> Can someone tell me what version of McAfee Agent you have installed? Here it is 5.6.3.157 (you find it in the icon info).
> I think I am behind from what I've seen on the McAfee website...
> It's important to be up to date because in a few days the big Windows 10 2004 May update arrives; you can read this document:

The same.
 

Pat MacKnife

So it seems that ENS needs an update for McAfee Agent (recommended) for the Windows 10 2004 May update. If I don't have the latest version I think I will uninstall ENS before updating my machine to Windows 10 2004 (not sure I will continue to use ENS, because that organisation lacks in updating the clients).
 

geminis3

> Can someone tell me what version of McAfee Agent you have installed? Here it is 5.6.3.157 (you find it in the icon info).
> I think I am behind from what I've seen on the McAfee website...
> It's important to be up to date because in a few days the big Windows 10 2004 May update arrives; you can read this document:

Yep.



PS: I used an installer from another source, that's why it's licensed.
PS2: This is my malware testing VM; it has 4 GB of RAM and McAfee doesn't use too much RAM on this system.
