McAfee/TIE: Definition 424 solves the c:\Windows\assembly false-positive detection

http://www.mcafee.com/us/resources/release-notes/threat-intelligence-exchange/tie-03-14-2016.pdf

https://community.mcafee.com/thread/88126

https://community.mcafee.com/thread/88837

 

The false positives on c:\Windows\assembly\NativeImages appear to be solved by definition update 424. The files in that folder are .NET Framework native images (NGEN output): executables that are compiled on the local machine on first use, so every host ends up with its own, unique copies. Before this we had only seen the effect on Exchange CAS servers, where the first user logging on to OWA after a .NET/MSP patch triggers the compilation and sees the delay once.

During the March 2016 Patch Tuesday we saw up to 6'000 such freshly compiled files per Windows 7 client flagged before the new definitions arrived.

 

   

Rule 139 - Identify trusted DOT Net assemblies

 

Description:

 

This rule detects files that have CLR code (DOT Net) and have been installed into the global assembly cache folders. The files are present on multiple machines within the enterprise, indicating they are not just-in-time compiled assemblies.

 

Default State: Mandatory

 

Changes in this release

Changed how age and prevalence are handled in DOT Net validation algorithm 

   

 

There is also a significant update to ransomware detection in this release (Rule 240):

Rule 240 - Identify suspicious files with characteristics that have been predominantly seen in ransomware

 

Description:

 

Identify suspicious files with characteristics that have been predominantly seen in ransomware, are in uncommonly used locations and are less than 7 days old.

 

Default State: Evaluate
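The two rule descriptions above both reason over prevalence, location and age. The following is an added example, not McAfee's code or its actual algorithm: a small model that applies a rule-139-style check (CLR file in the GAC, seen on several hosts) and a rule-240-style check (young file, uncommon location, ransomware-like traits) to a constructed inventory. The trait names, hash strings, host names and thresholds are all assumptions chosen for the illustration; the inventory also contains per-host NGEN native images, which is exactly the case that produced the March 2016 false positives.

```python
# Added example (not McAfee's code or algorithm): a model of how rules such as
# TIE rule 139 (trusted .NET assemblies) and rule 240 (ransomware-like files)
# can reason over prevalence, location and age. All records are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Locations treated as the global assembly cache (rule 139) and as "common" (rule 240).
GAC_PREFIXES = ("c:\\windows\\assembly\\", "c:\\windows\\microsoft.net\\assembly\\")
COMMON_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hypothetical trait names standing in for the static characteristics a real rule scores.
RANSOMWARE_TRAITS = frozenset({"unsigned", "high_entropy", "crypto_imports"})


@dataclass(frozen=True)
class FileEvent:
    host: str
    path: str
    sha1: str            # constructed placeholder, not a real hash
    has_clr: bool        # True if the PE carries a CLR (.NET) header
    first_seen: datetime
    traits: frozenset


def prevalence(events):
    """Map hash -> number of distinct hosts on which that hash was seen."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e.sha1].add(e.host)
    return {h: len(s) for h, s in hosts.items()}


def rule_139(event, prev, min_hosts=2):
    """CLR file in the GAC seen on several hosts -> trusted assembly.
    An NGEN native image is compiled locally, so its hash is unique per host and
    never reaches min_hosts; that is how the rule tells the two apart."""
    path = event.path.lower()
    return (event.has_clr and path.startswith(GAC_PREFIXES)
            and prev.get(event.sha1, 0) >= min_hosts)


def rule_240(event, now, max_age_days=7, min_traits=2):
    """Young file outside common locations with enough ransomware-like traits."""
    path = event.path.lower()
    uncommon = not path.startswith(COMMON_PREFIXES)
    young = now - event.first_seen < timedelta(days=max_age_days)
    return uncommon and young and len(event.traits & RANSOMWARE_TRAITS) >= min_traits


def classify(events, now):
    """Return {(host, path): verdict} for every inventory record."""
    prev = prevalence(events)
    verdicts = {}
    for e in events:
        if rule_139(e, prev):
            verdict = "trusted (rule 139)"
        elif rule_240(e, now):
            verdict = "suspicious (rule 240)"
        else:
            verdict = "unknown"
        verdicts[(e.host, e.path)] = verdict
    return verdicts


NOW = datetime(2016, 3, 15)
OLD = NOW - timedelta(days=400)
NGEN = "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Data\\{}\\System.Data.ni.dll"
GAC = "C:\\Windows\\assembly\\GAC_MSIL\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll"

# Constructed inventory: one GAC assembly shared by three hosts, one freshly built
# NGEN image per host after a patch, a ransomware-like dropper and an old vendor tool.
SAMPLE_EVENTS = [
    FileEvent("pc1", GAC, "hash-gac", True, OLD, frozenset()),
    FileEvent("pc2", GAC, "hash-gac", True, OLD, frozenset()),
    FileEvent("pc3", GAC, "hash-gac", True, OLD, frozenset()),
    FileEvent("pc1", NGEN.format("1a2b"), "hash-ngen-pc1", True, NOW - timedelta(days=1), frozenset()),
    FileEvent("pc2", NGEN.format("3c4d"), "hash-ngen-pc2", True, NOW - timedelta(days=1), frozenset()),
    FileEvent("pc1", "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", "hash-dropper", False,
              NOW - timedelta(days=2), frozenset({"unsigned", "high_entropy", "crypto_imports"})),
    FileEvent("pc2", "C:\\Program Files\\Vendor\\tool.exe", "hash-tool", False, OLD, frozenset({"unsigned"})),
]

if __name__ == "__main__":
    for (host, path), verdict in classify(SAMPLE_EVENTS, NOW).items():
        print(f"{host:4} {verdict:24} {path}")
```

The NGEN images land in an "unknown" verdict rather than "trusted": they sit in the GAC folder and carry CLR code, but each hash exists on one host only. That is why the age and prevalence handling in the DOT Net validation mentioned in the release notes matters right after a patch day, when thousands of such one-off files appear on every client at once.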

McAfee Endpoint 10 / VSE 10 preview points

Some points about the upcoming McAfee VSE 10. You can already run the TIE/GTI integration today with VSE 8.8 and Agent/Framework 5.x.

Check out some related links:

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

Ransomware Switzerland: McAfee TIE Threat Intelligence Exchange in use

Ransomware Schweiz, Switzerland, Suisse. Solutions.

Intelligent black/white-listing technology such as McAfee TIE is currently the only solution, apart from ATD sandboxes, for getting ransomware (extortion trojans) under control (http://www.mcafee.com/de/products/threat-intelligence-exchange.aspx). Everything else is tinkering: you chase the problems instead of solving them.

 

 

The proof of concept is meant to show how McAfee TIE detects unknown files, and that directories we exclude in the antivirus module VSE 8.x are not touched by TIE either. These exclusions ALSO apply to the TIE module.

Proof of concept with a test file that we modify

 

We take an executable, e.g. Superscan.exe, and open it in order to modify it.

We change a few irrelevant bytes in the EXE with a hex editor and save it under the new name TIE_superscan.exe (hex editor e.g. http://hxd-hex-editor.soft32.com). Simply edit the text portion "not be run in DOS" (the DOS-stub message "This program cannot be run in DOS mode"). This does not change what the program does, but every hash of the file changes, so TIE/GTI see a brand-new, unknown binary.

The software superscan.exe is not present in McAfee TIE (even though Foundstone was bought by McAfee/Intel ;-). Around 75-80% of all binaries are present in the GTI/TIE database, though (average Windows 7 64-bit client with about 80 applications, Switzerland).
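The hex-editor step above, as an added example that is not part of the original post: a script that patches the DOS-stub text of a PE file with a same-length replacement, confirms that the MZ header and the PE signature at e_lfanew are untouched, and shows the MD5/SHA-1/SHA-256 hashes before and after. The sample PE it builds is constructed for the demonstration (a header, stub and signature only; it is not an executable); the replacement string "DOS m0de" is an arbitrary choice.

```python
# Added example (not the page's own code): patch the DOS-stub text of a PE file so that
# every hash changes while the PE structure stays intact, reproducing the hex-editor
# step of the proof of concept. The sample PE built here is constructed, not executable.
import hashlib
import struct
import sys

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def build_sample_pe():
    """Minimal MZ header, DOS stub with the stub text, and a PE signature at e_lfanew."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # classic stub code
            + DOS_STUB_TEXT + b"\r\r\n$")
    e_lfanew = (64 + len(stub) + 7) & ~7          # 8-byte aligned offset of "PE\0\0"
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    image = bytes(dos_header) + stub
    image += b"\x00" * (e_lfanew - len(image))
    image += b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18  # COFF header, x64
    return image


def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_is_intact(pe):
    """MZ magic present and e_lfanew still points at a PE signature."""
    if len(pe) < 64 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return pe[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def patch_dos_stub(pe, old=b"DOS mode", new=b"DOS m0de"):
    """Replace `old` with `new` inside the DOS stub only (before e_lfanew).
    Same length, so no offsets move and the program behaves exactly as before."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    if not pe_is_intact(pe):
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    off = pe.find(old, 0, e_lfanew)
    if off < 0:
        raise ValueError("stub text not found in DOS stub")
    return pe[:off] + new + pe[off + len(old):]


def demo(pe=None):
    """Patch the given (or the constructed sample) PE and report what changed."""
    original = build_sample_pe() if pe is None else pe
    patched = patch_dos_stub(original)
    return {
        "original": hashes(original),
        "patched": hashes(patched),
        "intact": pe_is_intact(patched),
        "bytes_changed": sum(a != b for a, b in zip(original, patched)),
        "same_length": len(original) == len(patched),
    }


if __name__ == "__main__":
    # Usage: python patch_stub.py [input.exe output.exe]; without arguments uses the sample.
    data = None
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_dos_stub(data))
    result = demo(data)
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg:7} {result['original'][alg]}  ->  {result['patched'][alg]}")
    print("intact:", result["intact"], "bytes changed:", result["bytes_changed"])
```

One byte changed is enough: all three digests differ, which is what makes the file "unknown" to TIE and GTI. On a signed binary the Authenticode signature stops validating after this patch, because the DOS stub is inside the signed region; the copy is therefore also unsigned from TIE's point of view, which is the situation the proof of concept wants to provoke.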

 

Test client (virtual): VSE exclusions (regular antivirus)

The folder c:\Geheim_geheim is excluded because otherwise e.g. the Internet Explorer IEAK 9/11 setups, but also other software, cause problems during setup. Drivers for installing the OS itself are also stored there. This folder is not scanned because it contains only 100% trustworthy files. The user has no write permission there.

 

 

Not visible in McAfee TIE because it is in c:\geheim_geheim

Update McAfee > force sending info to ePO

 

Copy the file to c:\temp and execute it

Directory not excluded in VSE > therefore TIE scans it too

 

Alarm on the client and the file is blocked on opening.

 

 

Immediately visible in McAfee ePO TIE, even WITHOUT forcing the Framework Agent

 

New file, unknown, rating 50 > THEREFORE blocked

 

The other values used to rate the reputation have not been determined yet. Because this is an installer, it is also weighted differently.

GTI (McAfee P2P/cloud database) does not know the file yet:

 

 

 

Adjusting the reputation

 

We adjust the reputation of the file because we know this file and have scanned it with the VIRUSTOTAL.COM plugin in TIE. This can be done automatically with a single click on a button!

 

After changing the reputation from "Unknown" to "File Known Trusted", PLUS renaming the EXE (TIE_superscan.exe back to superscan.exe), the file executes. (The reputation is bound to the file hash, so the rename itself does not influence the verdict.) For TIE to rate a binary intelligently on its own, it has to have been present in the company for a longer time and in several versions, OR the TIE/GTI cloud knows it.

 

 

View in the McAfee ePO console (Enforcement Events)

 

McAfee ePO console, DASHBOARD

 

More links from us:

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

SQL: Build Numbers and Express Limitations GB, Core, RAM > 2008 R2 upwards

http://sqlserverbuilds.blogspot.ch/

http://social.technet.microsoft.com/wiki/contents/articles/10790.sql-server-and-updates-builds-numbers.aspx

Build numbers per release. RTM = gold, no service pack. Where a service pack is also reported with a bumped minor version by some tools, that alternate number is shown in brackets.

Product (codename)                 | RTM (Gold, no SP) | SP1                         | SP2                         | SP3                           | SP4
SQL Server 2016 (codename ?)       | RC0               |                             |                             |                               |
SQL Server 2014 (Hekaton, SQL14)   | 12.0.2000.8       | 12.0.4100.1 (12.1.4100.1)   |                             |                               |
SQL Server 2012 (Denali)           | 11.0.2100.60      | 11.0.3000.0 (11.1.3000.0)   | 11.0.5058.0 (11.2.5058.0)   | 11.0.6020.0 (11.3.6020.0)     |
SQL Server 2008 R2 (Kilimanjaro)   | 10.50.1600.1      | 10.50.2500.0 (10.51.2500.0) | 10.50.4000.0 (10.52.4000.0) | 10.50.6000.34 (10.53.6000.34) |
SQL Server 2008 (Katmai)           | 10.0.1600.22      | 10.0.2531.0 (10.1.2531.0)   | 10.0.4000.0 (10.2.4000.0)   | 10.0.5500.0 (10.3.5500.0)     | 10.0.6000.29 (10.4.6000.29)
SQL Server 2005 (Yukon)            | 9.0.1399.06       | 9.0.2047                    | 9.0.3042                    | 9.0.4035                      | 9.0.5000
SQL Server 2000 (Shiloh)           | 8.0.194           | 8.0.384                     | 8.0.532                     | 8.0.760                       | 8.0.2039
SQL Server 7.0 (Sphinx)            |                   |                             |                             |                               |

 

Limitations of SQL Express versions:

Extract from:

http://social.technet.microsoft.com/wiki/contents/articles/10790.sql-server-and-updates-builds-numbers.aspx

 

SQL Server 2008 R2

Product name           | Build number | Date | KB
SQL Server 2008 R2 RTM | 10.50.1600.1 |      |

For more information: The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 was released

SQL Server 2008 R2 Service Pack 1

Product name                                                       | Build number | Date       | KB
SQL Server 2008 R2 Service Pack 1                                  | 10.50.2500.0 | 07/11/2011 | KB2528583
Cumulative update package 1 for SQL Server 2008 R2 Service Pack 1  | 10.50.2769.0 | 08/18/2011 | KB2544793
Cumulative update package 2 for SQL Server 2008 R2 Service Pack 1  | 10.50.2772.0 | 09/15/2011 | KB2567714
Cumulative update package 3 for SQL Server 2008 R2 Service Pack 1  | 10.50.2789.0 | 10/17/2011 | KB2591748
Cumulative update package 4 for SQL Server 2008 R2 Service Pack 1  | 10.50.2796.0 | 12/19/2011 | KB2633146
Cumulative update package 5 for SQL Server 2008 R2 Service Pack 1  | 10.50.2806.0 | 02/20/2012 | KB2659694
Cumulative update package 6 for SQL Server 2008 R2 Service Pack 1  | 10.50.2811.0 | 04/16/2012 | KB2679367

For more information: The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 Service Pack 1 was released

SQL Server 2008 R2 Service Pack 2

Product name                                                       | Build number | Date | KB
SQL Server 2008 R2 Service Pack 2 Community Technology Preview     | 10.50.3720.0 |      | KB2630455

For more information: The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 Service Pack 2 was released

SQL Server 2012

Product name                                    | Build number | Date       | KB
SQL Server 2012 RTM                             | 11.0.2100.60 |            |
Cumulative update package 1 for SQL Server 2012 | 11.0.2316.0  | 04/20/2012 | KB2679368
Cumulative update package 2 for SQL Server 2012 | 11.0.2325.0  | 06/18/2012 | KB2703275
Cumulative update package 3 for SQL Server 2012 | 11.0.2332.0  | 08/31/2012 | KB2723749
Cumulative update package 4 for SQL Server 2012 | 11.0.2383.0  | 10/15/2012 | KB2758687

For more information: The SQL Server 2012 builds that were released after SQL Server 2012 was released

SQL Server 2012 Service Pack 1

Product name                   | Build number | Date       | KB
SQL Server 2012 Service Pack 1 | 11.0.3000.00 | 08/11/2012 | KB2674319

    

 

McAfee ePO: Error after TIE integration on ePO 5.3 in the VSE report

Error you see under the VSE TIE (Threat Intelligence Exchange) report:

ERROR:

Error Message: The CUBE() and ROLLUP() grouping constructs are not allowed in the current compatibility mode. They are only allowed in 100 mode or higher.

This is SQL Server error 10708. The TIE report queries use the GROUP BY CUBE()/ROLLUP() syntax introduced with SQL Server 2008 (compatibility level 100); a database that is still at compatibility level 90 (SQL Server 2005), typically left over from an in-place upgrade, rejects it even when the server itself is newer.

10708 - The CUBE () and ROLLUP() grouping constructs are not allowed in the current compatibility mode. They are only allowed in 100 mode or higher.

You cannot use CUBE () and ROLLUP () in 90 compatibility mode. Use WITH CUBE, WITH ROLLUP, or GROUPING SETS syntax.

https://technet.microsoft.com/en-us/library/bb510454(v=sql.105).aspx

 

Report in which this happens

Our SQL Express was running 10.50.2500.0 (SQL Server 2008 R2 SP1), so the server supports level 100; only the ePO database was still at compatibility level 90.

 

https://kc.mcafee.com/corporate/index?page=content&id=KB76739

Under "Checks" there is a hint.

Sadly, the upgrade check tool they wrote specifically to make sure things like this do not happen does not check this point!

Ensure the compatibility level is set to 100 or higher for the ePO database:

  1. Click Start > Programs > Microsoft SQL Server > SQL Server Management Studio.
  2. Right-click the ePO database and select Properties.
  3. Click Options and ensure Compatibility level is set to 100 rather than 80 or 90. If it is not, select 100 from the Compatibility level drop-down list and click OK.

Solution:

  • Take a VMware snapshot
  • Take a McAfee ePO snapshot
  • Export the database to a file with SQL Server Management Studio Express
  • Stop all McAfee services
  • Change the compatibility level of the ePO database from 90 to 100 (Properties > Options > Compatibility level)
  • Restart the ePO server