Closed VWMike closed 3 years ago
This is essentially a duplicate of #145 . The script calls out any zip files it finds in ProgramData. We don't whitelist anything because that opens a door for exploiters to simply name their files whatever we've whitelisted. It's up to the admin to determine if those files should be there or not.
Thanks for the prompt response.
Apologies for not spotting #145
Is this decision explained anywhere in the blogs about using the Test-ProxyLogon script? I couldn’t see anything to that effect.
Your response describes it perfectly and succinctly – you could put it verbatim in the blog ☺
Regards,
Mike
From: Bill Long
Sent: 12 March 2021 01:04
To: microsoft/CSS-Exchange
Cc: Mike; Author
Subject: Re: [microsoft/CSS-Exchange] Test-ProxyLogon returns false positives for servers with McAfee VirusScan installed (#311)
Not explicitly. The blog post says:
Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
The script lists all of those to highlight them for investigation. We could add some text to the readme, or maybe adjust the script output to make that clearer.
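To make the detection logic concrete, here is an added example (written for this thread, not the Test-ProxyLogon script or any code from the CSS-Exchange repository) that enumerates archive files under ProgramData the same way the blog post describes and emits one record per file in the same column layout as the output above. It deliberately has no allow-list, in line with the reasoning in this thread; instead it adds triage columns (size, owner, SHA256) so the admin can decide. The function name, parameter names and the extra columns are this example's own choices.

```powershell
# Added example, not the project's own script: list every .zip/.rar/.7z under
# ProgramData and return one triage record per file. Nothing is excluded; the
# admin reviews each hit, as the thread above recommends.
function Get-ProgramDataArchive {
    [CmdletBinding()]
    param(
        # Root to scan; defaults to the machine's ProgramData folder.
        [string]$Root = $env:ProgramData,
        # Archive extensions named in the quoted blog post.
        [string[]]$Extension = @('.zip', '.rar', '.7z'),
        # Optional CSV destination; when omitted, objects go to the pipeline.
        [string]$OutCsv
    )

    $records = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Extra context for triage; failures to read ACL or content are
            # recorded rather than dropping the file from the report.
            $owner = 'unknown'
            try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch {}
            $hash = 'unreadable'
            try { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch {}

            [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                Type         = 'SuspiciousArchive'   # same label as the output in this issue
                Path         = $_.FullName
                Name         = $_.Name
                LastWrite    = $_.LastWriteTime
                SizeBytes    = $_.Length
                Owner        = $owner
                Sha256       = $hash
            }
        }

    if ($OutCsv) {
        $records | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
    }
    else {
        $records
    }
}

# Usage: newest archives first, so files written inside the incident window stand out.
Get-ProgramDataArchive | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Vendor directories such as the McAfee Common Framework paths in this issue will still appear in the report; the point of keeping them is that the owner, hash and write time give the admin something to check against the vendor's own update records instead of trusting a path or file name.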
Started a FAQ to address this: https://github.com/microsoft/CSS-Exchange/tree/main/Security#frequently-asked-questions
Thanks!
Test-ProxyLogon returns false positives for servers with McAfee VirusScan installed
All Exchange servers that I have scanned with Test-ProxyLogon that have McAfee VirusScan installed return false positives in the-other.csv file. This occurs on servers with no other IOCs, including servers that didn't have port 443 (or any other port) open on the internet.
This is the output:
```
#TYPE System.Management.Automation.PSCustomObject
"ComputerName","Type","Path","Name","LastWrite"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FrameworkConfig.zip","FrameworkConfig.zip","22/07/2019 11:57:52"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FrameworkInstall.zip","FrameworkInstall.zip","22/07/2019 11:58:20"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\Current\VSCANENG1000\Engine\0000\engmin.zip","engmin.zip","02/12/2020 05:20:39"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\Current\VSCANENG1000\Engine\0000\engmin64.zip","engmin64.zip","02/12/2020 05:20:37"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\data\McAfeeP2P\Current\VSCANENG1000\Engine\0000\0A4285F2DE28C959E978752909B2C55DF5642290_engmin64.zip","0A4285F2DE28C959E978752909B2C55DF5642290_engmin64.zip","28/01/2021 18:00:14"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\data\McAfeeP2P\Current\VSCANENG1000\Engine\0000\D840CCD4190BE5BC2681CC291266B079E61F9EB9_engmin64.zip","D840CCD4190BE5BC2681CC291266B079E61F9EB9_engmin64.zip","30/06/2020 19:01:16"
"xxxSRVx7","SuspiciousArchive","C:\ProgramData\McAfee\Common Framework\data\McAfeeP2P\Current\VSCANENG1000\Engine\0000\FF0A842F8FA76241EDBE3374148C015922721E32_engmin.zip","FF0A842F8FA76241EDBE3374148C015922721E32_engmin.zip","28/01/2021 18:00:11"
```
As far as I know, these are all legitimate files created by McAfee AV as part of its updating processes.
I can't see how these files would have anything to do with Hafnium exploits.
Regards, Mike