在 ENS 威胁防护产品安装或漏洞利用防护内容更新期间,Windows Defender 可能会错误地将漏洞利用防护内容文件
HIPHandlers.dll或
HIPHandlers64.dll 检测为恶意文件并将其删除。 检测名称为
HackTool:Win32/Mimikatz! 在 ENS 威胁防护安装的上下文中,此检测可能会导致安装失败。
如果在漏洞利用防护内容更新期间出现问题,则 Windows 事件日志会包含类似于以下示例的 Windows Defender 事件:
Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/Mimikatz.PTT&threatid=2147735582&enterprise=1
Name: HackTool:Win32/Mimikatz.PTT
ID: 2147735582
Severity: High
Category: Tool
Path: file:_C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190705_09419_ENDP_AM_1000\agent-windows\HIPHandlers.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User:
Process Name: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe
Action: Not Applicable
Action Status: No additional actions required
Error Code: 0x00000000
Security intelligence Version: AV: 1.293.2643.0, AS: 1.293.2643.0, NIS: 1.293.2643.0
Engine Version: AM: 1.1.16000.6, NIS: 1.1.16000.6
如果在 ENS 威胁防护安装期间出现问题,则文件
McAfee_ThreatPrevention_Install.log会包含以下日志记录:
11:32:12:589 - Copy file succeededed for HIPHandlers64.dat
11:32:22:672 - Copy failed for HIPHandlers64.dll: 225
11:32:22:672 - Copy source path : C:\Users\ADMINI~1\AppData\Local\Temp\\HIPHandlers64.dll
11:32:22:672 - Copy destination path : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS\HIPHandlers64.dll
11:32:22:834 - Copy file succeededed for Signatures_8.xml
11:32:22:848 - Copy file succeededed for ips_hooking_whitelist_8.xml
11:32:22:855 - Copy file succeededed for ENS_AP_Rules.dat
11:32:22:855 - Copy file succeededed for Hiphandlers.dat
11:32:22:895 - Copy file succeededed for HIPHandlers.dll
11:32:22:895 - McAfee CustomAction : End CopyBOPBinaries
CustomAction CopyBOPBinaries.B0543E55_ECD7_4CB6_89C0_A49DF5349B0E returned actual error code 1603(注意:如果在沙盒中进行转换,则此代码可能不是 100% 准确)
MSI (s) (00:9C) [11:32:22:926]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (00:9C) [11:32:22:926]: User policy value 'DisableRollback' is 0
MSI (s) (00:9C) [11:32:22:926]: Machine policy value 'DisableRollback' is 0
Action ended 11:32:22: InstallFinalize. Return value 3.
注意:错误 225 表示
ERROR_VIRUS_INFECTED 的失败原因。
