Mcafee Endpoint Security ENS 10.6 Release news

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27781/en_US/ens_1060_rn_ePOCloud_0-00_en-us.pdf

McAfee ENS 10.6 now supports the Microsoft Antimalware Scan Interface (AMSI), which Microsoft has recommended using since 2016. APIs from Microsoft have always been a source of discussion and sometimes of false positives, and with all antivirus developers this has been a point where Microsoft and the vendors seem to have different views. The same applies to the virus API, the backup and snapshot APIs you all know from backup software, and the VSS API (row order) stories.

2016 AMSI at Blackhat

https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

2018: AMSI from the developer side, and what it has and has not done regarding PowerShell

https://www.blackhat.com/docs/asia-18/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf

Here is the AMSI option in the "On-Access Scan" rule. By default this is only in reporting mode.

There are some file-less PowerShell exploits that AMSI can't capture (as mentioned in the Blackhat 2016 PDF linked above), but some of those are captured separately by ENS with the Exploit Prevention (IPS) module that has been included in ENS since 10.x. 10.6 also brings a new rule to capture Doppelgänger exploits.

Sample of one of the IPS rules which ENS would capture (mentioned in the 2018 Blackhat analysis) > non-AMSI

Update from 10.X to 10.6

Regarding the update from 10.5.4 to 10.6, this should be seamless. There are certain cases where it can get stalled if you have the additional ATP/TIE module active. McAfee released a special package for that case. We assume that in these ransomware days everyone is on the latest release, or at least on 10.5.3 if not 10.5.4, before they upgrade.

Here is the ATP module update stall described when you update to 10.6 (if you don't have TIE or DAC you don't have this module):

https://kc.mcafee.com/corporate/index?page=content&id=KB90664

EPO Management and packages of 10.6

From the ePO management side this update looks very clean after all the patch and Current/Previous/Evaluation repository branch mess with 10.x. There is just ONE bundle you need; after that you can upgrade the "Endpoint Migration Assistant" to check your environment and whether you can update seamlessly. You should, however, reboot/restart the client as recommended in the release notes.

Screenshot: this is all ePO shows under "ENS 10.6"

Extract from:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27781/en_US/ens_1060_rn_ePOCloud_0-00_en-us.pdf

2018 McAfee Agent, Framework, EPO Firewall Ports

It's important to understand that the McAfee Agent itself DOES open all needed Windows OS firewall ports for you automatically. You can see those under "macmnsvc".

But it's important to keep track of the physical firewall ports if you separate clients or servers from the ePO with a perimeter firewall or a VLAN firewall.

McAfee Agent:

This is the software which manages all McAfee products on a client (just a deployment and management service called McAfee Agent Framework).

Mcafee EPO-Server:

Assuming you have a local McAfee ePO Server 5.x with a local SQL Express or full version on the ePO itself.

Why local?

Because in an outbreak scenario the network may get flooded with packets, it's recommended that you keep the DB local where the ePO Server runs. If malware attacks your SQL DB servers and McAfee should protect them, this is a "chicken-and-egg story". By the way, McAfee has special DB protection software for DB servers you can't patch.

https://kc.mcafee.com/corporate/index?page=content&id=KB66797

SOPHOS UTM 9.4 VMware on ESXi does not start after crash of ESX or Storage

File system inconsistency: cannot run fsck

  • The console hangs at "Press F2" with a white screen; you can't log on or ping the machine
  • You can't connect with SSH
  • You can't access the machine on port 4444
  • You did NOT move the machine (copy) NOR did you change anything on the NIC or MAC
  • You probably had a crash on the ESXi, the storage or the disk system itself
  • You assume that Linux file systems are robust and think they can't crash (looks like not…)

If you try the rescue boot option you should log on ONLY with root. However, you are a Windows user and always log on with admin and password through the web console on port 4444. I am absolutely sure there is documentation on this, and if you set it up and read the manual like Sophos wants you to, then you have that password.

Here is how to repair the file system with almost no TUX knowledge and without having the root password! (Kind of strange, but well, you need physical access or console access) so…

Error

Reboot the UTM machine in the ESXi console

Press ESC

Type "e" on the keyboard once (nothing else)

Choose the option which looks like this (similar)

If you are in the ESXi console, append the following to the command which is displayed now (at the end of the existing command), just behind the *******silent

init=/bin/bash

If you are searching for the characters on a non-US keyboard:

On German or Swiss German layouts the = is right under F10 on non-US keyboard layouts! The "/" is on the numeric keypad.

PRESS "ENTER"

PRESS "b" to boot with the modified boot setting

When the system stops it will stay at the CLI now

Run the CLI command

"fsck /dev/sda6"

or wherever your corrupt file system is (it will show you in the errors, as in the sample below)

Answer "y" to every question it asks

Comment from a Windows senior system engineer > Nobody understands what it says. Not even the guy who coded it, we guess….

Reboot the system with CTRL-ALT-DEL from ESXi (send command)

Here is how to reset Sophos passwords. We ONLY used steps 1-10 for the repair of the file system.

https://community.sophos.com/kb/en-us/115346#How%20to%20reset%20all%20passwords

KB4103727 RDP client/server not patched: workaround

CredSSP updates for CVE-2018-0886

If you currently can't log on via RDP and you have no timeline to patch both sides, there is a workaround.

Notice that this does reopen the vulnerability (CVE-2018-0886) in RDP. There is also a GPO which you can use to set this centrally.

The workaround is a better solution than letting people update directly from Microsoft and bypassing the internal patch structure like the WSUS server. In the end customers get patches which they SHOULD NOT get because some third-party software is incompatible.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword:00000002

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
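To see what the workaround actually does on a host, here is an added PowerShell example (not from the original post) that reads the AllowEncryptionOracle value, names its state, predicts whether an RDP session against a given peer is Allowed or Blocked using the compatibility table from KB4093492, and sets or removes the workaround. It assumes the patched default is Mitigated (the May 8, 2018 change) and that you run it elevated.

```powershell
# Added example: audit and manage the CredSSP "encryption oracle" policy.
# Values per KB4093492: 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-CredSspOracleState {
    # Returns the configured state name, or 'NotSet' when no policy/registry override exists.
    $value = (Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    switch ($value) {
        0       { 'ForceUpdatedClients' }
        1       { 'Mitigated' }
        2       { 'Vulnerable' }
        default { 'NotSet' }
    }
}

function Test-CredSspCompatibility {
    # Compatibility table from KB4093492. 'Unpatched' = host without the March 2018 update.
    param(
        [ValidateSet('Vulnerable','Mitigated','ForceUpdatedClients','Unpatched')][string]$Client,
        [ValidateSet('Vulnerable','Mitigated','ForceUpdatedClients','Unpatched')][string]$Server
    )
    # A patched client only falls back to the insecure protocol when set to Vulnerable;
    # a server in Force updated clients refuses any unpatched client.
    if ($Client -eq 'Unpatched' -and $Server -eq 'ForceUpdatedClients') { return 'Blocked' }
    if ($Server -eq 'Unpatched' -and $Client -in 'Mitigated','ForceUpdatedClients') { return 'Blocked' }
    return 'Allowed'
}

function Set-CredSspWorkaround {
    # Sets Vulnerable (2) while the other side is being patched; -Remove deletes the override
    # again so the patched default (Mitigated, assumed here) applies once both sides are updated.
    param([switch]$Remove)
    if ($Remove) {
        Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    } else {
        New-Item -Path $CredSspKey -Force | Out-Null
        New-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

# Report the local state and what an RDP session to an unpatched server would do.
$state = Get-CredSspOracleState
$effective = if ($state -eq 'NotSet') { 'Mitigated' } else { $state }   # assumed patched default
"Local AllowEncryptionOracle state: $state (effective: $effective)"
"This client -> unpatched server: " + (Test-CredSspCompatibility -Client $effective -Server 'Unpatched')
```

Run `Set-CredSspWorkaround -Remove` as soon as both sides carry the update, since leaving the value at 2 keeps the host exposed to CVE-2018-0886.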

https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/

https://support.microsoft.com/en-my/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Here is the flow in which Microsoft integrated this over several months. If you or your server team did not install updates for three months, you end up in trouble now and need the workaround we mentioned above.

Updates

March 13, 2018

The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to "Force updated clients" or "Mitigated" on client and server computers as soon as possible. These changes will require a reboot of the affected systems.

Pay close attention to Group Policy or registry settings pairs that result in "Blocked" interactions between clients and servers in the compatibility table later in this article.

April 17, 2018

The Remote Desktop Client (RDP) update in KB 4093120 will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.

May 8, 2018

An update to change the default setting from Vulnerable to Mitigated.

Related Microsoft Knowledge Base numbers are listed in CVE-2018-0886.

By default, after this update is installed, patched clients cannot communicate with unpatched servers.

Windows 10 1709 > 1803: BitLocker migration solved directly in setup.exe

Good news concerning the migration from W10 1709 to 1803. The open question of migrating clients with BitLocker enabled has now been solved.

You can handle the options directly in setup.exe of W10 1803. You can even try to migrate with BitLocker enabled; IF it fails, it will redo the upgrade with BitLocker halted (suspended or paused) or turned off.

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1803

https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303

https://blogs.technet.microsoft.com/mniehaus/2018/05/02/new-upgrade-to-windows-10-1803-without-suspending-bitlocker/

DISM /Online /Initiate-OSUninstall

    – Initiates an OS uninstall to take the computer back to the previous installation of Windows.

DISM /Online /Remove-OSUninstall

    – Removes the OS uninstall capability from the computer.

DISM /Online /Get-OSUninstallWindow

    – Displays the number of days after upgrade during which uninstall can be performed.

DISM /Online /Set-OSUninstallWindow

    – Sets the number of days after upgrade during which uninstall can be performed.

Setup.exe /BitLocker AlwaysSuspend

    – Always suspend BitLocker during the upgrade.

Setup.exe /BitLocker TryKeepActive

    – Enable the upgrade without suspending BitLocker, but if the upgrade does not work, suspend BitLocker and complete the upgrade.

Setup.exe /BitLocker ForceKeepActive

    – Enable the upgrade without suspending BitLocker, but if the upgrade does not work, fail the upgrade.
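As an added example (not from the original post or from Microsoft), here is a PowerShell wrapper that picks the /BitLocker switch from the OS volume's BitLocker state before calling setup.exe, and a separate function for the DISM rollback window to run after the reboot into 1803. $SetupPath and $RollbackDays are assumptions; run it elevated.

```powershell
# Added example: choose the setup.exe /BitLocker switch from the system drive's state.
param(
    [string]$SetupPath = 'D:\setup.exe',   # assumption: mounted 1803 ISO / extracted media
    [int]$RollbackDays = 30,               # assumption: rollback window we want after upgrade
    [switch]$Run                           # without -Run the script only prints the command
)

function Get-UpgradeBitLockerSwitch {
    # Maps VolumeStatus/ProtectionStatus of the OS volume to the setup.exe switch.
    param([string]$VolumeStatus, [string]$ProtectionStatus)
    if ($VolumeStatus -eq 'FullyDecrypted') { return $null }      # nothing to suspend
    if ($ProtectionStatus -eq 'Off')        { return 'AlwaysSuspend' }  # already suspended: keep it so
    return 'TryKeepActive'   # encrypted and protected: setup falls back to suspend only on failure
}

function Get-OsVolumeBitLockerState {
    $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        VolumeStatus     = [string]$v.VolumeStatus
        ProtectionStatus = [string]$v.ProtectionStatus
    }
}

function Set-RollbackWindow {
    # Run this AFTER the machine has rebooted into 1803; it widens the period in which
    # "DISM /Online /Initiate-OSUninstall" can still roll back to 1709.
    param([int]$Days)
    dism.exe /Online /Set-OSUninstallWindow /Value:$Days
    dism.exe /Online /Get-OSUninstallWindow
}

$state  = Get-OsVolumeBitLockerState
$switch = Get-UpgradeBitLockerSwitch -VolumeStatus $state.VolumeStatus -ProtectionStatus $state.ProtectionStatus
$setupArgs = @('/Auto', 'Upgrade', '/Quiet')
if ($switch) { $setupArgs += @('/BitLocker', $switch) }

"OS volume: $($state.VolumeStatus), protection $($state.ProtectionStatus) -> /BitLocker $switch"
"Command: $SetupPath $($setupArgs -join ' ')"
if ($Run) {
    # setup.exe reboots the machine itself; call Set-RollbackWindow -Days $RollbackDays afterwards.
    Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait
}
```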

W10 1803, W10 1803 Enterprise customers