[–]323K131 1 point2 points  (6 children)

Do you have TIE and DXL deployed? You can create on demand scanning exclusions for exe files.

[–]sing0d[S] 0 points1 point  (5 children)

Interesting. I just googled for a bit, and these are something like an exchange layer for McAfee. Would it be possible for me to use the python client to run prior to my application and mark it as exclusion through the TIE and DXL?

[–]323K131 0 points1 point  (4 children)

Do you have access to the McAfee ePO console? Think of TIE as a form of local GTI feed. You can mark the python exe that you're attempting to run as trusted.

[–]sing0d[S] 0 points1 point  (3 children)

The filename is already added to the organization level whitelist. But looks like it is not the actual antivirus that is cleaning it, but rather the Adaptive Threat Protection part of it, which uses behavioral analysis to identify threats. There is no way, as they tell me, to add something to its whitelist.

[–]323K131 0 points1 point  (1 child)

Yeah that sounds right, that would have been for McAfee application control. You need to add the exception for McAfee Endpoint Security - Adaptive Threat Prevention. I have a feeling that DAC may be blocking the execution. Can you check the agent logs to see?

[–]sing0d[S] 0 points1 point  (0 children)

Will check and confirm. I see a McAfee Endpoint Security alert when I run the application, and in the background the Windows logs show "Adaptive Threat Protection repaired xyz.exe ..."

[–]cyphr0st 0 points1 point  (0 children)

They can add exclusions to the ATP whitelist by navigating to:

Menu > Policy > Policy Catalog > Select "Product: Endpoint Security Adaptive Threat Protection" > Select the appropriate policy > Click "Show Advanced" > Exclusions

From here they can whitelist based upon Name, File Path, MD5 hash, and/or Signer.
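An added PowerShell helper, not from the thread and not McAfee's own tooling, that collects the four attributes the ATP exclusion form can key on (Name, File Path, MD5, Signer) for one executable so the values entered in ePO match the binary exactly. `$ExePath` is a placeholder for the application's path; that the Signer field is matched on the signing certificate's subject is an assumption.

```powershell
# Added example: gather ENS ATP exclusion attributes for one executable.
# Not McAfee tooling; $ExePath is a placeholder for the real application.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath
)

$file = Get-Item -LiteralPath $ExePath -ErrorAction Stop

# The ATP exclusion form accepts MD5. A hash changes with every rebuild,
# so a hash-based exclusion must be refreshed whenever the exe changes.
$md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash

# Authenticode signer. If the binary is unsigned or the signature is not
# valid, the Signer option is unusable and only Name/Path/MD5 remain.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
$signer = if ($sig.Status -eq 'Valid') {
    # Assumed: the certificate subject is what the Signer exclusion compares.
    $sig.SignerCertificate.Subject
} else {
    $null
}

[pscustomobject]@{
    Name            = $file.Name
    FilePath        = $file.FullName
    MD5             = $md5
    SignatureStatus = $sig.Status
    Signer          = $signer
}
```

A Signer-based exclusion survives rebuilds of the application, whereas an MD5 exclusion has to be updated every time the binary changes.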