The Meraki Community
  • About acarpenter
New here

Member since Apr 29, 2022

McAfee blocking population of Systems Manager data on Windows

by acarpenter in Mobile Device Management
2 weeks ago
Have noticed recently that newly added Windows devices aren't getting most of their data populated in the dashboard, and the problem went away as soon as I uninstalled McAfee Endpoint Security from the client device. I guess I need to add some exclusions to McAfee to allow the data to be collected, but what should I add? Is it just the contents of "C:\Program Files\Meraki\" and subfolders, or does it run scripts or files from other locations?

Here's what's installed:

  • Endpoint Security Threat Prevention 10.7.0.3299
  • Endpoint Security Common 10.7.0.3255
  • Endpoint Security Web Control 10.7.0.2581
  • Endpoint Security Adaptive Threat Protection 10.7.0.3437
  • McAfee Agent 5.7.6.251

Checking the ePolicy Orchestrator server I'm not seeing any threat events for that device.

Edit: Found the following entries in ExploitPrevention_Debug.log

<Event>
<!-- Level=High, Reaction=Prevent -->
<EventData SignatureID="6106" SignatureName="" SeverityLevel="4" Reaction="3" ContentVersion="8.0.0.12138" ContentCreateDate="22 March 2022" ProcessUserName="NT AUTHORITY\SYSTEM" Process="C:\WINDOWS\SYSTEM32\CSCRIPT.EXE" IncidentTime="2022-05-03 12:04:25" AllowEx="False" SigRuleClass="Illegal_API_Use" ProcessId="6028" ProcessCreateTime="2022-05-03 11:04:24.8191905" Session="0" SigRuleDirective="bad_parameter"/>
<Params>
<Param name="Workstation Name" allowex="True">LAP-HP-8981</Param>
<Param name="Subject Distinguished Name" allowex="False">C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS</Param>
<Param name="Is Trusted Subject Distinguished Name" allowex="False">true</Param>
<Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
<Param name="Executable Description" allowex="False">MICROSOFT ® CONSOLE BASED SCRIPT HOST</Param>
<Param name="Executable Fingerprint" allowex="False">24590bf74bbbbfd7d7ac070f4e3c44fd</Param>
<Param name="Parent Executable Path" allowex="False">C:\PROGRAM FILES\MERAKI\SYSTEMS MANAGER AGENT 3.1.3\M_AGENT_SERVICE.EXE</Param>
<Param name="Parent Executable Description" allowex="False">SYSTEMS MANAGER AGENT</Param>
<Param name="Parent Executable Fingerprint" allowex="False">a67a0f467a8af6df8f7d510f4528349e</Param>
<Param name="API Name" allowex="True">GetVersionExA</Param>
<Param name="Detailed Event Info" allowex="True">C:\Windows\system32\cscript.exe //E:vbscript //Nologo &quot;C:\ProgramData\Meraki\Systems Manager Agent\Temp\m_aA674.tmp&quot;</Param>
<Param name="Vulnerability Name" allowex="True">T1552 - Windows Script Command Restriction - Use Engine</Param>
</Params>
</Event>

So it looks like McAfee Exploit Prevention is blocking the call to cscript.exe which is being used to run some vbscript files from the ProgramData folder. I'm not surprised McAfee is blocking this, I'm more surprised that other AV vendors aren't! ...
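An added example, not part of the original post or of any Meraki or McAfee tooling: a small Python parser for events of the shape quoted above. It groups blocks by signature, blocked process and parent executable, so any exclusion can be scoped to that exact combination rather than to a whole folder. It assumes the log holds `<Event>…</Event>` blocks that may be mixed with other text; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Abbreviated copy of the event quoted in the post, preceded by one
# constructed non-event line to show that surrounding text is skipped.
SAMPLE_LOG = r'''
2022-05-03 12:04:25 constructed non-event debug line
<Event> <!-- Level=High, Reaction=Prevent -->
<EventData SignatureID="6106" Reaction="3" Process="C:\WINDOWS\SYSTEM32\CSCRIPT.EXE" IncidentTime="2022-05-03 12:04:25" SigRuleClass="Illegal_API_Use"/>
<Params>
<Param name="Parent Executable Path" allowex="False">C:\PROGRAM FILES\MERAKI\SYSTEMS MANAGER AGENT 3.1.3\M_AGENT_SERVICE.EXE</Param>
<Param name="Detailed Event Info" allowex="True">C:\Windows\system32\cscript.exe //E:vbscript //Nologo &quot;C:\ProgramData\Meraki\Systems Manager Agent\Temp\m_aA674.tmp&quot;</Param>
<Param name="Vulnerability Name" allowex="True">T1552 - Windows Script Command Restriction - Use Engine</Param>
</Params> </Event>
'''

EVENT_RE = re.compile(r"<Event>.*?</Event>", re.DOTALL)

def parse_events(log_text):
    """Return one dict per well-formed <Event> block found in the log text."""
    events = []
    for block in EVENT_RE.findall(log_text):
        try:
            root = ET.fromstring(block)
        except ET.ParseError:
            continue  # skip truncated or damaged entries
        data = root.find("EventData")
        if data is None:
            continue
        params = {p.get("name"): (p.text or "") for p in root.iter("Param")}
        events.append({
            "signature": data.get("SignatureID"),
            "rule": params.get("Vulnerability Name", ""),
            "process": data.get("Process", "").lower(),
            "parent": params.get("Parent Executable Path", "").lower(),
            "command": params.get("Detailed Event Info", ""),
        })
    return events

def exclusion_candidates(events):
    """Count blocks per (signature, process, parent); each key is the
    narrowest scope an exclusion for that behaviour would need."""
    return Counter((e["signature"], e["process"], e["parent"]) for e in events)

if __name__ == "__main__":
    for key, count in exclusion_candidates(parse_events(SAMPLE_LOG)).items():
        print(count, *key, sep=" | ")
```
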