This issue should be resolved with the ENS 10.7.0 November 2020 Update.
Troubleshooting:
If you continue to see unexpected growth in the size of the folder:
- Enable ENS debug logging on the affected system.
- Run an AMTrace and Process Monitor for a few minutes while the size of the folder is increasing. For instructions, see KB86691 - Minimum data collection steps for Endpoint Security issues.
- Run the following command from the CLI on the affected system:
dir \$mfedeeprem\ /s >> c:\temp\deeprem.txt
- Immediately run a Minimum Escalation Requirements (MER). Once complete, provide the deeprem.txt file (zipped if large), AMTrace log, and Process Monitor log to Technical Support.
Background:
- If Enhanced Remediation starts for a process, and no detection by an ATP scanner occurs within 10 minutes, monitoring stops for that process and the mfedeeprem DLL is uninjected. The session details in $mfedeeprem\current_sessions\ are moved to $mfedeeprem\terminated_sessions\.
- Every five minutes of system uptime, the entire contents of $mfedeeprem\terminated_sessions\ are archived to $mfedeeprem\archived_sessions\.
- Any archived sessions that become older than 30 days are automatically deleted.
- To trigger immediate archive of the terminated sessions folder at any time, disable and re-enable ATP.
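The following PowerShell script is an added example, not part of the KB article or McAfee's own tooling. It audits the three session folders described above (session count, file count, size) and lists any archived session older than the 30-day retention window, which should already have been purged. It assumes the $mfedeeprem folder sits at the root of the system drive (as the dir command above implies); adjust $Root if yours differs.

```powershell
# Added example (not from the KB): size and retention audit of the $mfedeeprem session folders.
# Assumption: $mfedeeprem lives at the root of the system drive. Adjust $Root otherwise.
$Root = Join-Path $env:SystemDrive '$mfedeeprem'
$MaxAgeDays = 30   # retention period the KB states for archived sessions

foreach ($sub in 'current_sessions', 'terminated_sessions', 'archived_sessions') {
    $path = Join-Path $Root $sub
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

    $files    = @(Get-ChildItem -Path $path -Recurse -File -Force -ErrorAction SilentlyContinue)
    $bytes    = ($files | Measure-Object -Property Length -Sum).Sum
    $sessions = @(Get-ChildItem -Path $path -Directory -Force -ErrorAction SilentlyContinue).Count

    # One summary line per folder; compare runs a few minutes apart to confirm which folder is growing.
    '{0,-20} sessions={1,6} files={2,7} size={3,9:N1} MB' -f $sub, $sessions, $files.Count, ($bytes / 1MB)
}

# Archived sessions older than the retention window should have been deleted automatically.
$archived = Join-Path $Root 'archived_sessions'
if (Test-Path $archived) {
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $stale  = @(Get-ChildItem -Path $archived -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -lt $cutoff })
    if ($stale.Count -gt 0) {
        Write-Warning ("{0} archived session(s) older than {1} days are still present:" -f $stale.Count, $MaxAgeDays)
        $stale | Select-Object Name, LastWriteTime | Format-Table -AutoSize
    } else {
        "No archived sessions older than $MaxAgeDays days."
    }
}
```

Run it from an elevated PowerShell prompt, since the folder is normally protected by ENS self-protection; if terminated_sessions keeps growing across two runs while archived_sessions does not, the five-minute archive step described above is the place to look.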
Testing:
To confirm that Enhanced Remediation is working, run the following commands from the CLI on a test system:
copy c:\windows\system32\calc.exe c:\temp\not_calc.exe
echo "test" >> c:\temp\not_calc.exe
start c:\temp\not_calc.exe
The modified calc.exe starts, but now with an unknown reputation. You should see a new session GUID created under $mfedeeprem\current_sessions\, and the EnhancedRemediation_Debug log should have entries with the session ID and other details associated with the monitoring of not_calc.exe.
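The script below is an added example, not part of the KB or McAfee's tooling. It wraps the three test commands above, snapshots $mfedeeprem\current_sessions\ before and after launching not_calc.exe, and reports any new session folder, then looks for that session ID in the debug log. It assumes $mfedeeprem is at the root of the system drive and that the EnhancedRemediation_Debug log is under the standard ENS log folder ($env:ProgramData\McAfee\Endpoint Security\Logs); both are assumptions to adjust for your layout.

```powershell
# Added example (not from the KB): run the Enhanced Remediation test and verify a session was created.
# Assumptions: $mfedeeprem is at the root of the system drive; the debug log lives in the ENS Logs folder.
$Sessions = Join-Path $env:SystemDrive '$mfedeeprem\current_sessions'
$LogDir   = Join-Path $env:ProgramData 'McAfee\Endpoint Security\Logs'
$Sample   = 'C:\temp\not_calc.exe'

function Get-SessionNames {
    @(Get-ChildItem -Path $Sessions -Directory -Force -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty Name)
}

$before = Get-SessionNames

# Same steps as the KB: copy calc.exe, append data so its hash (and reputation) changes, launch it.
New-Item -ItemType Directory -Path (Split-Path $Sample) -Force | Out-Null
Copy-Item -Path (Join-Path $env:SystemRoot 'System32\calc.exe') -Destination $Sample -Force
Add-Content -Path $Sample -Value 'test'
$proc = Start-Process -FilePath $Sample -PassThru

Start-Sleep -Seconds 15   # give Enhanced Remediation time to inject and create the session folder

$after = Get-SessionNames
$new   = @($after | Where-Object { $_ -notin $before })

if ($new.Count -eq 0) {
    Write-Warning 'No new session folder appeared; check that ATP and Enhanced Remediation are enabled.'
} else {
    "New session folder(s): $($new -join ', ')"
    # Confirm the debug log references the same session ID.
    $log = Get-ChildItem -Path $LogDir -Filter 'EnhancedRemediation_Debug*' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $log) {
        Write-Warning "No EnhancedRemediation_Debug log found in $LogDir (is ENS debug logging enabled?)"
    } else {
        foreach ($id in $new) {
            $hits = @(Select-String -Path $log.FullName -SimpleMatch $id)
            '{0}: {1} log line(s) in {2}' -f $id, $hits.Count, $log.Name
        }
    }
}

# Clean up the test process if it is still running.
if ($proc -and -not $proc.HasExited) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue }
```

Run it elevated on a test system with ENS debug logging already enabled (see the Troubleshooting steps above); a session folder with zero matching log lines usually means the log was rotated or debug logging was turned on after the session started.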