Have noticed recently that newly added Windows devices aren't getting most of their data populated in the dashboard, and the problem went away as soon as I uninstalled McAfee Endpoint Security from the client device. I guess I need to add some exclusions to McAfee to allow the data to be collected, but what should I add? Is it just the contents of "C:\Program Files\Meraki\" and subfolders, or does it run scripts or files from other locations?

Here's what's installed:

Endpoint Security Threat Prevention 10.7.0.3299
Endpoint Security Common 10.7.0.3255
Endpoint Security Web Control 10.7.0.2581
Endpoint Security Adaptive Threat Protection 10.7.0.3437
McAfee Agent 5.7.6.251

Checking the ePolicy Orchestrator server, I'm not seeing any threat events for that device.

Edit: Found the following entries in ExploitPrevention_Debug.log

    <Event>
    <!-- Level=High, Reaction=Prevent -->
    <EventData SignatureID="6106" SignatureName="" SeverityLevel="4" Reaction="3" ContentVersion="8.0.0.12138" ContentCreateDate="22 March 2022" ProcessUserName="NT AUTHORITY\SYSTEM" Process="C:\WINDOWS\SYSTEM32\CSCRIPT.EXE" IncidentTime="2022-05-03 12:04:25" AllowEx="False" SigRuleClass="Illegal_API_Use" ProcessId="6028" ProcessCreateTime="2022-05-03 11:04:24.8191905" Session="0" SigRuleDirective="bad_parameter"/>
    <Params>
    <Param name="Workstation Name" allowex="True">LAP-HP-8981</Param>
    <Param name="Subject Distinguished Name" allowex="False">C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS</Param>
    <Param name="Is Trusted Subject Distinguished Name" allowex="False">true</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">MICROSOFT ® CONSOLE BASED SCRIPT HOST</Param>
    <Param name="Executable Fingerprint" allowex="False">24590bf74bbbbfd7d7ac070f4e3c44fd</Param>
    <Param name="Parent Executable Path" allowex="False">C:\PROGRAM FILES\MERAKI\SYSTEMS MANAGER AGENT 3.1.3\M_AGENT_SERVICE.EXE</Param>
    <Param name="Parent Executable Description" allowex="False">SYSTEMS MANAGER AGENT</Param>
    <Param name="Parent Executable Fingerprint" allowex="False">a67a0f467a8af6df8f7d510f4528349e</Param>
    <Param name="API Name" allowex="True">GetVersionExA</Param>
    <Param name="Detailed Event Info" allowex="True">C:\Windows\system32\cscript.exe //E:vbscript //Nologo "C:\ProgramData\Meraki\Systems Manager Agent\Temp\m_aA674.tmp"</Param>
    <Param name="Vulnerability Name" allowex="True">T1552 - Windows Script Command Restriction - Use Engine</Param>
    </Params>
    </Event>

So it looks like McAfee Exploit Prevention is blocking the call to cscript.exe, which is being used to run some vbscript files from the ProgramData folder. I'm not surprised McAfee is blocking this; I'm more surprised that other AV vendors aren't!
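When triaging a block like the one above, it helps to pull every Exploit Prevention event out of the debug log and see which signature fired, which process was blocked, which parent spawned it and which parameters the product marks as usable in an exclusion. The following script is an added example written for this thread; it is not code from the post, from McAfee or from Cisco Meraki. It assumes only the XML shape quoted above (an `<Event>` holding an `<EventData>` element and a `<Params>` list), and it treats `allowex="True"` as meaning "this parameter may be used to key an exclusion", which is an assumption based on the attribute name, not documented behaviour. The sample log text is constructed from the quoted event.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one event in the shape quoted from ExploitPrevention_Debug.log.
# Raw string so the Windows paths keep their backslashes untouched.
SAMPLE_LOG = r"""<Event>
<!-- Level=High, Reaction=Prevent -->
<EventData SignatureID="6106" SignatureName="" SeverityLevel="4" Reaction="3"
  ContentVersion="8.0.0.12138" ContentCreateDate="22 March 2022"
  ProcessUserName="NT AUTHORITY\SYSTEM" Process="C:\WINDOWS\SYSTEM32\CSCRIPT.EXE"
  IncidentTime="2022-05-03 12:04:25" AllowEx="False" SigRuleClass="Illegal_API_Use"
  ProcessId="6028" ProcessCreateTime="2022-05-03 11:04:24.8191905" Session="0"
  SigRuleDirective="bad_parameter"/>
<Params>
  <Param name="Workstation Name" allowex="True">LAP-HP-8981</Param>
  <Param name="Subject Distinguished Name" allowex="False">C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS</Param>
  <Param name="Is Trusted Subject Distinguished Name" allowex="False">true</Param>
  <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
  <Param name="Executable Description" allowex="False">MICROSOFT ® CONSOLE BASED SCRIPT HOST</Param>
  <Param name="Executable Fingerprint" allowex="False">24590bf74bbbbfd7d7ac070f4e3c44fd</Param>
  <Param name="Parent Executable Path" allowex="False">C:\PROGRAM FILES\MERAKI\SYSTEMS MANAGER AGENT 3.1.3\M_AGENT_SERVICE.EXE</Param>
  <Param name="Parent Executable Description" allowex="False">SYSTEMS MANAGER AGENT</Param>
  <Param name="Parent Executable Fingerprint" allowex="False">a67a0f467a8af6df8f7d510f4528349e</Param>
  <Param name="API Name" allowex="True">GetVersionExA</Param>
  <Param name="Detailed Event Info" allowex="True">C:\Windows\system32\cscript.exe //E:vbscript //Nologo "C:\ProgramData\Meraki\Systems Manager Agent\Temp\m_aA674.tmp"</Param>
  <Param name="Vulnerability Name" allowex="True">T1552 - Windows Script Command Restriction - Use Engine</Param>
</Params>
</Event>"""


def parse_events(log_text):
    """Parse every <Event> in an Exploit Prevention debug log into a flat dict.

    The log is a sequence of <Event> elements with no single root, so the text is
    wrapped in a synthetic <Log> root before parsing. XML comments (the
    'Level=High, Reaction=Prevent' line) are dropped by the parser; the same
    information is carried by the SeverityLevel and Reaction attributes.
    """
    root = ET.fromstring("<Log>" + log_text + "</Log>")
    events = []
    for ev in root.findall("Event"):
        data = ev.find("EventData")
        # name -> (value, allowex flag) for every <Param>
        params = {
            p.get("name"): ((p.text or "").strip(), p.get("allowex") == "True")
            for p in ev.findall("Params/Param")
        }

        def value(name):
            return params.get(name, ("", False))[0]

        events.append({
            "signature_id": data.get("SignatureID"),
            "severity": data.get("SeverityLevel"),
            "reaction": data.get("Reaction"),
            "rule_class": data.get("SigRuleClass"),
            "directive": data.get("SigRuleDirective"),
            "user": data.get("ProcessUserName"),
            "process": data.get("Process"),
            "time": data.get("IncidentTime"),
            "parent": value("Parent Executable Path"),
            "command_line": value("Detailed Event Info"),
            "vulnerability": value("Vulnerability Name"),
            # Assumption: allowex="True" marks parameters an exclusion can be keyed on.
            "exclusion_candidates": {n: v for n, (v, ok) in params.items() if ok},
        })
    return events


def blocked_by_parent(events, parent_substring):
    """Return only the events whose parent executable path contains the substring
    (case-insensitive), e.g. to confirm every block traces back to one agent."""
    needle = parent_substring.lower()
    return [e for e in events if needle in e["parent"].lower()]


if __name__ == "__main__":
    for e in blocked_by_parent(parse_events(SAMPLE_LOG), "meraki"):
        print(f"{e['time']}  sig {e['signature_id']} ({e['rule_class']}/{e['directive']})")
        print(f"  blocked : {e['process']} as {e['user']}")
        print(f"  parent  : {e['parent']}")
        print(f"  cmdline : {e['command_line']}")
        print(f"  rule    : {e['vulnerability']}")
        print("  exclusion candidates:")
        for name, val in e["exclusion_candidates"].items():
            print(f"    {name}: {val}")
```

Run it against a real ExploitPrevention_Debug.log by reading the file into `parse_events` instead of `SAMPLE_LOG`; filtering on the parent path shows whether every block on a misbehaving client comes from the same agent service, and the exclusion candidates tell you which fields (here the API name, the command line and the rule name) the product lets you narrow an exclusion to, which is far safer than excluding cscript.exe as a whole.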