Spectre – Meltdown - MS Bluescreen - Microsoft says AV producer has to Set Registry Flag

06.01.2018, 01:33 CET, Europe

Do not set the specific registry key that Microsoft announced a few days ago manually until you have checked 100% and understood what it does. Several blogs and even larger news agencies interpreted this wrongly. The way it should be done (as stated by Microsoft on Friday) is that the antivirus producer sets the specific registry flag, which then makes the update available to you directly through Windows Update. You can also download it from the Windows Update Catalog if you did this THEN (this weekend) on one machine. We recommend waiting with patching W7/W10 until Monday, when this is clearer.

From our point of view it is unclear, for example, what people with W10 1709 Fall Creators Update, Edge in the Hypervisor sandbox and Windows Defender (and thus no other AV software) should do.

Does everything there come from Microsoft? Has anybody seen that update there?

 

Attention:

Microsoft clearly states that there have been bluescreens on some machines, a thing most of you have forgotten and not seen for years. Several blogs report that the specific update caused problems even while installing. The only way to install it is via wusa.exe on the command line PLUS killing hanging server tasks with scripts at the end.

 

Microsoft has identified a compatibility issue with a small number of antivirus software products.

The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update.

If you have not been offered the security update, you may be running incompatible antivirus software, and you should consult the software vendor.

Microsoft is working closely with antivirus software partners to ensure that all customers receive the January Windows security updates as soon as possible.

More Information

Note Customers will not receive the January 3, 2018, security updates and will not be protected from current security vulnerabilities unless their antivirus software sets the following registry key:

Do not set the specific registry key that Microsoft announced a few days ago manually, and if you do, ONLY after you have validated that all your security products are compatible and listed in the producer's special KB or blog entry.

As per MS, the producer of the AV software has to do so after final testing:

Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Value: cadca5fe-87d3-4b96-b7fb-a231484277cc
Type:  REG_DWORD

 

Since we recommend McAfee, here is their current list of products that run fine with the update.

McAfee, 06.01.2018

The following products have been tested and are confirmed as compatible

Testing is ongoing for all McAfee products and no compatibility issues with the Microsoft update have been found so far. We expect all of our testing to be complete on endpoint products by End of Day Monday, January 8th.

 

* Data Exchange Layer (DXL) 3.1.0 and later

* Data Loss Prevention 9.4 and later

* Drive Encryption 7.0 and later

* ePolicy Orchestrator 5.9 and later (Sadly no Enterprise runs 5.9 ;-)

* Endpoint Security 10.2 and later

* File and Removable Media Protection 5.0.4 and later

* Host IPS 8.0 Patches 4, 7, 9, 10

* McAfee Active Response 1.1 and later

* McAfee Agent 4.8 Patch 3 and later

* McAfee Application Control 6.2.0 and later

* McAfee Client Proxy 1.2 and later

* MOVE 4.5 and later

* Native Encryption (MNE) 4.0 and later

* SiteAdvisor Enterprise 3.5 Patch 5 and later

* System Information Reporter (SIR) 1.0.1 and later

* Threat Intelligence Exchange (TIE) Client for VSE 1.0.2 and later

* VirusScan Enterprise 8.8 Patches 4, 8, 9, and 10

* VirusScan Enterprise for Storage 1.2 and later

Intel/McAfee: migration of ePO VSE 8.8 to Endpoint Security 10.X, first look and tips

Migration McAfee VSE 8.8 to Endpoint Security 10.X: first look

Put together by Butsch from all the presentations online, channel presentations and first lab dives with 10.X.

 

Current release is McAfee Endpoint Security 10.2.

Most things will be cleaner (some things will be merged).

HIPS

 

As an example, 4 OLD VSE 8.8 policies are merged into 1 "On-Access Scan" policy.

New here:

 

NEW: Workstation and Server are NO LONGER possible in the same policy (dropdown).

 

  1. Migrate workstations automatically.
  2. After that, the servers MANUALLY (or both manually).
  3. You will have to separate "Workstation" and "Server" in the GUI under an OU (I hope you do that anyway above 100+ endpoints!) (or use TAGs for policies).

NEW: You will have to do a separate POLICY for "Workstation" and "Servers".

Some things do not work anymore: old exclusions with **\ wildcards WITHOUT a drive letter NO LONGER work in ENS 10.X.

There is a remark in the Migration Wizard which will tell you this again!

 

What you need before you even think about starting

 

  • Basis for updating existing environments
  • Based on existing customers running ePO

There is a special migration help tool which you can install.

You can select which policies to migrate and change policies during the migration.

 

 

Quiz questions from Butsch

 

When can I do what?

Is there any risk for my environment?

Is the Migration safe?

Before the 10.1 PACKAGE is deployed NOTHING will happen to the CLIENTS. You can migrate the POLICIES BEFORE and THEN deploy VSE 10 at the end.

As soon as YOU deploy the VSE 10.1 package, the client-side migration begins. As with a regular Patch 8 for VSE or a 7.5 to 8 migration, you TEST DEPLOY to a few clients for a week or a few days and THEN you can deploy (migrate) the other clients. All other clients will KEEP pulling the VSE 8.x POLICIES.


 

Question: We just want virus protection; we don't want HIPS or SiteAdvisor because we have other clients like FortiClient or Windows Firewall.

  • There are still 3 parts and modules.
  • You can DEPLOY them with separate deployment jobs.
  • Only what you deploy gets onto the client, so unlike other endpoint products you don't have 75% of client parts that you never use because they are already integrated with other brands.

See more info:

https://www.youtube.com/watch?v=H4vUFnhaHro

https://community.mcafee.com/docs/DOC-8364

https://community.mcafee.com/docs/DOC-8364#jive_content_id_VIDEO__Migrating_from_McAfee_VirusScan_Enterprise_88_to_McAfee_Endpoint_Security

 

Live ransomware samples: subject and sender, July/August 2016, Switzerland

An overview of what Swiss hospitals receive these days.

If you still don't get it and understand how critical this point is:

  • Budget is NOT the limit for using an attachment-analysis sandbox or not.
  • Modern versions of Cerber SPREAD through Windows share credentials and jump to all clients. A customer with 13'000 clients was infected in Asia in a few hours.
  • If you are above 100+ employees or if you think your business is important, BUY a sandbox for mail analysis and use McAfee TIE/ATD for files.
  • If you are too small > no solution. Do not accept attachments anymore! Moving all mail flow and Exchange to the cloud will not help you! Spend massive money on security or take the risk that you close your business one day because of ransomware.

http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/ (June 2016)

Updated: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.

Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers on Avanan's platform received at least one phishing attempt that contained the infected attachment and Avanan extrapolated that the same number of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/200216-Ransomware-Locky-Trojan-Germany-high-infection-rates.aspx

https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html

 

The malware was sent as if from THOSE companies listed; the sender addresses were spoofed/forged.

Date | Time | Client | Message | From
27.07.2016 | 04:44:34 | mx2.ait.ac.at [62.218.164.132] | The file Alphabet Incorporation.docx is infected with MSWord/Phishing.C97F!phish. | anja.koengeter@ait.ac.at
16.08.2016 | 13:44:58 | [62.152.169.139] | The file dhl_bestellung.docx is infected with JS/Nemucod.AAP!tr.dldr. | buro@dhl.com
20.07.2016 | 13:40:36 | mo4-p03-ob.smtp.rzone.de [81.169.146.172] | The file Paketnummer0221036778.zip is infected with JS/Ransom.AP!tr. | c.zaehringer@microtracer.de
16.08.2016 | 13:31:43 | fysiohoevensevld.demon.nl [80.100.200.39] | The file dhl_rechnung.docx is infected with JS/Nemucod.AAP!tr.dldr. | donotreply@dhl.com
18.07.2016 | 17:34:31 | host-212-68-196-182.dynamic.voo.be [212.68.196.182] | The file coop.ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:30:10 | mail.grosvenor-carpets.co.uk [91.135.7.205] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:20:25 | 91.98.235.122.pol.ir [91.98.235.122] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:09:24 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:07:35 | [82.79.49.226] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:01:47 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:54:46 | gw.paph.co.uk [82.33.219.82] | The file coop_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:52:15 | [82.78.203.146] | The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:39:59 | 82-76-211-44.rdsnet.ro [82.76.211.44] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:39:40 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:07:52 | 82-76-211-44.rdsnet.ro [82.76.211.44] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 14:45:18 | host-48-166-108-91.as10.ldn.uk.sharedband.net [91.108.166.48] | The file coop.ch_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 14:29:21 | host-212-68-196-182.dynamic.voo.be [212.68.196.182] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:49:33 | 91-189-60-54.riz.pl [91.189.60.54] | The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:36:58 | static.imatel.es [91.200.117.76] | The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:13:35 | 91-189-60-54.riz.pl [91.189.60.54] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
15.08.2016 | 15:41:43 | static-84-42-159-115.net.upcbroadband.cz [84.42.159.115] | The file bestellung_15_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 15:18:33 | [193.85.159.72] | The file rechnung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 13:19:41 | 148.63.249.5.rev.vodafone.pt [5.249.63.148] | The file bestellung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 13:12:11 | 148.63.249.5.rev.vodafone.pt [5.249.63.148] | The file zahlung_15.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
16.08.2016 | 12:12:37 | fysiohoevensevld.demon.nl [80.100.200.39] | The file Zahlung_DHL.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@dhl.com
24.08.2016 | 06:39:32 | ncr-100-66.primenet.in [203.115.100.66] | The file PRIVATE CASH.zip is infected with W32/Inject.ABHZO!tr. | info@infobitsystem.com
09.08.2016 | 17:23:43 | 88.250.40.151.static.ttnet.com.tr [88.250.40.151] | The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0. | info@post.ch
09.08.2016 | 17:04:24 | [88.208.35.108] | The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0. | info@post.ch
09.08.2016 | 16:57:18 | [86.34.227.40] | The file quittung_09.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 16:36:59 | 80.179.6.66.static.012.net.il [80.179.6.66] | The file zahlung_09.08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 14:51:07 | llamentin-656-2-209.w81-248.abo.wanadoo.fr [81.248.1.209] | The file zahlung.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 16:08:59 | comox.a-enterprise.ch [62.12.150.213] | The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr. | m12e@bluewin.ch
09.08.2016 | 15:46:01 | zhhdzmsp-smtp14.bluewin.ch [195.186.136.32] | The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr. | migrol.stans@bluewin.ch
19.07.2016 | 14:45:56 | [189.126.194.34] | The file migros_rechnung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:39:17 | fysiohoevensevld.demon.nl [80.100.200.39] | The file migros_zahlung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:37:47 | [181.49.220.34] | The file migros_quittung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:25:22 | [181.49.220.34] | The file migros_quittung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 13:47:29 | [181.49.220.34] | The file migros_bestellung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
20.07.2016 | 17:30:54 | mail.ofekltd.co.il [81.218.132.237] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | noreply@paypal.com
20.07.2016 | 16:23:30 | mail.ofekltd.co.il [81.218.132.237] | The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | noreply@paypal.com
28.07.2016 | 15:58:43 | ms1.webland.ch [92.43.217.101] | The file copier@asa-spitaeler.ch_20160720076718.docm is infected with WM/Agent.BJC!tr.dldr. | no-reply=23=copier@asa-spitaeler.ch
16.08.2016 | 15:38:36 | fysiohoevensevld.demon.nl [80.100.200.39] | The file dhl_packet_16.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | paket@dhl.com
16.08.2016 | 13:14:02 | [62.152.169.139] | The file dhl_packet_16_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | reply@dhl.com
27.07.2016 | 14:00:52 | expertno-analit-zentr.ch.govorit.ru [89.221.61.75] | The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.ch
27.07.2016 | 13:53:50 | expertno-analit-zentr.ch.govorit.ru [89.221.61.75] | The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.ch
20.07.2016 | 16:12:32 | host81-137-222-56.in-addr.btopenworld.com [81.137.222.56] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 15:54:40 | cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 15:20:16 | cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77] | The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 14:41:39 | lmontsouris-657-1-208-29.w80-11.abo.wanadoo.fr [80.11.48.29] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
21.07.2016 | 16:38:27 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 16:04:30 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 16:01:00 | 82-137-118-134.ip.btc-net.bg [82.137.118.134] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:58:54 | host81-133-60-254.in-addr.btopenworld.com [81.133.60.254] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:34:28 | 82-137-118-134.ip.btc-net.bg [82.137.118.134] | The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:08:05 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 14:13:25 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:28:41 | mail.aretilaw.com [81.4.136.98] | The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:16:01 | mail.aretilaw.com [81.4.136.98] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:04:58 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:00:48 | host81-133-60-254.in-addr.btopenworld.com [81.133.60.254] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
26.07.2016 | 11:36:01 | lputeaux-657-1-16-200.w90-63.abo.wanadoo.fr [90.63.199.200] | The file viagogo.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | ticketalerts@info.viagogo.com
20.07.2016 | 13:17:02 | [81.28.170.24] | The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | zoo@zoo.ch
20.07.2016 | 12:54:45 | [81.28.170.24] | The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | zoo@zoo.ch

Ransomware: high-rate Dropbox attack on Switzerland, 24-25.08.2016, against healthcare

Malware (Fortiguard): JS/Nemucod.ARH!tr

We have seen a high rate of 50-100 attachments per customer, addressed to correct e-mail addresses, with ransomware sent out from:

no-reply@dropbox.com

Fortiguard and McAfee did detect it around 12:30 on 24.08.2016, BUT not before.

The URLs contained in the e-mail body were listed at that time. The e-mail contains a link, supposedly from a Commerzbank, hosted on a Dropbox account.

The second wave contains an attachment rechnung.zip.

 

Raw log from FortiMail:

2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com [207.182.129.243]","192.168.1.5",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"    

2855,"2016-08-24","12:35:31","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAZU4S021464-u7OAZU4U021464","133-53-143-63.static.reverse.lstn.net [63.143.53.133]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021465",,"statistics"    

"2856,""2016-08-24"",""12:34:24"",""FortiGuard AntiSpam-IP"",""Reject"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?RGVubmlzIExlbmcgaGF0IGRpZSBTYW1tbHVu?=    =?windows-1251?B?ZyCEUmVjaG51bmcuemlwkyBmdXIgU2llIGZy?=    =?windows-1251?B?ZWlnZWdlYmVuLg==?="",""u7OAYNrr021457-u7OAYNrt021457"",""6-219-63-74.static.reverse.lstn.net [74.63.219.6]"",""192.168.1.5"",6997,""in"",""mta"",""0:3:3"",""butsch.ch"",,""FORGED"",""0200021458"",,""statistics"""    

2857,"2016-08-24","12:34:09","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAY8wv021455-u7OAY8wx021455","131-53-143-63.static.reverse.lstn.net [63.143.53.131]","192.168.1.5",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021456",,"statistics"    

"2859,""2016-08-24"",""12:33:14"",""Not Spam"",""Accept"",,""no-reply@dropbox.com"",""customer01@butsch.ch"",""=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?=    =?windows-1251?B?dW5nIIRSZWNobnVuZy56aXCTIGZ1ciBTaWUg?=    =?windows-1251?B?ZnJlaWdlZ2ViZW4u?="",""u7OAXC7Y021443-u7OAXC7c021443"",""f5.81.b6.static.xlhost.com [207.182.129.245]"",""192.168.1.5"",7035,""in"",""mta"",""0:3:3"",""butsch.ch"",,""OK"",""0200021444"",,""statistics"""    

McAfee/TIE: definition 424 solves the c:\Windows\assembly false-positive detection

http://www.mcafee.com/us/resources/release-notes/threat-intelligence-exchange/tie-03-14-2016.pdf

https://community.mcafee.com/thread/88126

https://community.mcafee.com/thread/88837

 

The problem with c:\Windows\assembly\NativeImages seemed to be solved by update 424. These are .NET Framework executables which are compiled in real time on first use. Before that we had only seen this, for example, on Exchange CAS servers: the first time a user logs onto OWA after an MSP patch, that delay occurs once. We had up to 6'000 files per W7 client before that patch, newly created during the March 2016 Patchday.

 

   

Rule 139 - Identify trusted DOT Net assemblies

Description:

This rule detects files that have CLR code (DOT Net) and have been installed into the global assembly cache folders. The files are present on multiple machines within the enterprise, indicating they are not just-in-time compiled assemblies.

Default State: Mandatory

Changes in this release:

Changed how age and prevalence are handled in the DOT Net validation algorithm.

There is also a heavy update for ransomware detection.

Rule 240 - Identify suspicious files with characteristics that have been predominantly seen in ransomware

Description:

Identify suspicious files with characteristics that have been predominantly seen in ransomware, are in uncommonly used locations and are less than 7 days old.

Default State: Evaluate