McAfee blocking population of Systems Manager data on Windows

acarpenter

I've noticed recently that newly added Windows devices aren't getting most of their data populated in the dashboard, and the problem went away as soon as I uninstalled McAfee Endpoint Security from the client device. I guess I need to add some exclusions to McAfee to allow the data to be collected, but what should I add? Is it just the contents of "C:\Program Files\Meraki\" and subfolders, or does it run scripts or files from other locations?

Here's what's installed:

  • Endpoint Security Threat Prevention 10.7.0.3299
  • Endpoint Security Common 10.7.0.3255
  • Endpoint Security Web Control 10.7.0.2581
  • Endpoint Security Adaptive Threat Protection 10.7.0.3437
  • McAfee Agent 5.7.6.251

Checking the ePolicy Orchestrator server, I'm not seeing any threat events for that device.

Edit: Found the following entries in ExploitPrevention_Debug.log

<Event> <!-- Level=High, Reaction=Prevent -->
<EventData
SignatureID="6106"
SignatureName=""
SeverityLevel="4"
Reaction="3"
ContentVersion="8.0.0.12138"
ContentCreateDate="22 March 2022"
ProcessUserName="NT AUTHORITY\SYSTEM"
Process="C:\WINDOWS\SYSTEM32\CSCRIPT.EXE"
IncidentTime="2022-05-03 12:04:25"
AllowEx="False"
SigRuleClass="Illegal_API_Use"
ProcessId="6028"
ProcessCreateTime="2022-05-03 11:04:24.8191905"
Session="0"
SigRuleDirective="bad_parameter"/>
<Params>
<Param name="Workstation Name" allowex="True">LAP-HP-8981</Param>
<Param name="Subject Distinguished Name" allowex="False">C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS</Param>
<Param name="Is Trusted Subject Distinguished Name" allowex="False">true</Param>
<Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
<Param name="Executable Description" allowex="False">MICROSOFT ® CONSOLE BASED SCRIPT HOST</Param>
<Param name="Executable Fingerprint" allowex="False">24590bf74bbbbfd7d7ac070f4e3c44fd</Param>
<Param name="Parent Executable Path" allowex="False">C:\PROGRAM FILES\MERAKI\SYSTEMS MANAGER AGENT 3.1.3\M_AGENT_SERVICE.EXE</Param>
<Param name="Parent Executable Description" allowex="False">SYSTEMS MANAGER AGENT</Param>
<Param name="Parent Executable Fingerprint" allowex="False">a67a0f467a8af6df8f7d510f4528349e</Param>
<Param name="API Name" allowex="True">GetVersionExA</Param>
<Param name="Detailed Event Info" allowex="True">C:\Windows\system32\cscript.exe //E:vbscript //Nologo &quot;C:\ProgramData\Meraki\Systems Manager Agent\Temp\m_aA674.tmp&quot;</Param>
<Param name="Vulnerability Name" allowex="True">T1552 - Windows Script Command Restriction - Use Engine</Param>
</Params>
</Event>

So it looks like McAfee Exploit Prevention is blocking the call to cscript.exe, which is being used to run some VBScript files from the ProgramData folder. I'm not surprised McAfee is blocking this, I'm more surprised that other AV vendors aren't!
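Added example, not from the original post or from Meraki or McAfee: a small Python triage script that parses Event blocks in the shape quoted above from ExploitPrevention_Debug.log and lists the Prevent events whose parent process is the Systems Manager agent, pulling out the signature ID, child process and command line an admin needs when reviewing an exclusion. The sample log is constructed from the quoted event, and the assumption that Reaction="3" means Prevent comes from the comment on that event.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one <Event> block in the format ENS writes to
# ExploitPrevention_Debug.log, with values copied from the event quoted above.
SAMPLE_LOG = r"""<Event> <!-- Level=High, Reaction=Prevent -->
<EventData
SignatureID="6106"
SignatureName=""
SeverityLevel="4"
Reaction="3"
Process="C:\WINDOWS\SYSTEM32\CSCRIPT.EXE"
IncidentTime="2022-05-03 12:04:25"
SigRuleClass="Illegal_API_Use"
SigRuleDirective="bad_parameter"/>
<Params>
<Param name="Parent Executable Path" allowex="False">C:\PROGRAM FILES\MERAKI\SYSTEMS MANAGER AGENT 3.1.3\M_AGENT_SERVICE.EXE</Param>
<Param name="API Name" allowex="True">GetVersionExA</Param>
<Param name="Detailed Event Info" allowex="True">C:\Windows\system32\cscript.exe //E:vbscript //Nologo &quot;C:\ProgramData\Meraki\Systems Manager Agent\Temp\m_aA674.tmp&quot;</Param>
<Param name="Vulnerability Name" allowex="True">T1552 - Windows Script Command Restriction - Use Engine</Param>
</Params>
</Event>
"""


def parse_events(log_text):
    """Yield one dict per <Event>. The log is a series of root-level <Event>
    elements, so wrap it in a synthetic root; XML comments are skipped and
    entities such as &quot; are decoded by the parser."""
    root = ET.fromstring("<Log>" + log_text + "</Log>")
    for ev in root.iter("Event"):
        data = ev.find("EventData").attrib
        params = {p.get("name"): (p.text or "") for p in ev.iter("Param")}
        yield {
            "time": data.get("IncidentTime"),
            "signature_id": data.get("SignatureID"),
            "reaction": data.get("Reaction"),
            "process": data.get("Process", ""),
            "parent": params.get("Parent Executable Path", ""),
            "command_line": params.get("Detailed Event Info", ""),
            "rule": params.get("Vulnerability Name", ""),
        }


def blocked_by_parent(events, parent_substring):
    """Return Prevent events whose parent path contains parent_substring
    (case-insensitive). Assumption: Reaction="3" is Prevent, as in the
    quoted event's 'Reaction=Prevent' comment."""
    return [e for e in events
            if e["reaction"] == "3" and parent_substring.lower() in e["parent"].lower()]
```

Run `blocked_by_parent(parse_events(open(path).read()), "meraki")` against a real debug log to get every agent-spawned event at once instead of reading the XML by hand.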
