Possible McAfee conflict?

    #9061
    dswag
    Participant

    Hi,

    Just wondering if there had been any cases where BatchPatch pushed out a script (.cmd) to target hosts, resulting in McAfee deleting system (Windows) files?

    Background:

    We created a script (.cmd) to modify a Windows server’s DNS settings (netsh interface ip set dns…) and leveraged BatchPatch to push that out. The odd result was that .sys files (C:\windows\system32\drivers) were being quarantined (e.g. intelide.sys, msahci.sys). Undoubtedly, this wreaked havoc and eventually caused the target hosts to become unbootable.

    So it seems like the script itself was more the catalyst (rather than the culprit). We’ve raised a ticket with McAfee as well but wanted to see if anyone else has encountered or heard of such behavior, where AV software treated a psexec/cmd as a threat and quarantined critical files.

    Thank you for reading,

    -VY

    #10777
    doug
    Moderator

    VY – Thanks for sharing your experience. No one has ever informed us of this kind of behavior. We have heard of AV products treating psexec.exe as a threat in rare instances, but in the worst case the psexec.exe or psexecsvc.exe is prevented from running. We have never heard of any instances where system files were quarantined by an AV product as a result of running a script with psexec. That sounds extremely bizarre, and your decision to open a ticket with McAfee certainly seems like the best place to start. Please report back here after you have it resolved. Let us know what happened.

    Thanks,

    Doug

    #10781
    booster
    Participant

    Hi folks,

    McAfee has a default policy named “access protection”; it may be your problem. By default this AV blocks outgoing SMTP and starting scripts from the temp folder, and protects system files.

    If something was blocked, it should be displayed in the respective log file of the application on the server itself; right-clicking the policy gives you the possibility to display the file.

    Regards

    Booster
