Endpoint Protection has just identified a key business application as malware. What do you do?
Though Microsoft’s antimalware technologies have one of the lowest false-positive rates in the industry, you should always be ready to address Endpoint Protection false-positive situations if they occur in your environment. There are some basic steps you can take to mitigate and remediate the problem. The case study below presents a hypothetical example of how Kevin, the security administrator at Contoso, addressed a false-positive situation at his company. The summary points are below, followed by the full case study. Note: This document references System Center 2012 Endpoint Protection, but the steps are valid for Forefront Endpoint Protection 2010 as well.
Full Case Study
Sitting down for at his desk in the morning, Kevin’s phone rang. It was Melissa, incensed that the IT Department had removed her key business application, Widget Maker Pro. Kevin assured Melissa that IT had nothing to do with this, but that he’d look into it immediately. Getting off the phone with Melissa to take a look at the issue, Kevin got an email notification from Endpoint Protection indicating a virus outbreak was occurring. Then the helpdesk called, saying multiple users were calling to report Widget Maker Pro gone. Uh oh.
Kevin’s stomach twisted up—no breakfast that day—because it appeared as if malware was removing the company’s most critical line of business application! He opened up the Endpoint Protection reports, and found the malware that was generating the outbreak alert (this information is also available in-console). Looking at the malware details, Kevin saw that it was being effectively cleaned. Then he saw the path and executable name of the malware being quarantined: it was the primary executable for Widget Maker Pro. Endpoint Protection was removing Widget Maker Pro thinking that it was malware! Clicking on the link for this malware in reports, Kevin was able to research this malware through the online encyclopedia, but at this point, nothing had been posted yet.
Kevin knew that a new definition had been released and deployed that morning—as they were every morning at Contoso—and it seemed to be falsely identifying Widget Maker Pro as Virus Foo/32. Kevin had a couple of options at this point: he could temporarily override this threat completely, or he could exclude the path to Widget Maker Pro executable from Endpoint Protection. The override option is good in situations where the real malware can be tolerated if an infection is found before a fixed definition is released. The path-based approach is a good one to use when there are a small number of unique path references across all clients impacted, so variable path exclusions can easily be added to antimalware policy.
In Kevin’s case, a very specific path and file was being affected—“program files\widgetmakerpro\wmpro.exe”—so he added an exclusion for that path and file to his antimalware policies. Also, he could have set an override of Virus_Foo/32 and set it to “allow” temporarily. In either remediation scenario, Kevin was able to get the details he needed from the Endpoint Protection reports (or console).
Now that Kevin had excluded the path from antimalware protection, he had to address the clients where Widget Maker Pro had been quarantined so he could restore it. Kevin had previously configured all of his antimalware policies to have a default action of quarantine, so he knew the files were available for restoration. He’d also prepared a “restore” package and program in advance in case this situation ever came up, so he got that process started.
The program put the quarantined files back into their working directory. The details of Kevin’s rollback and restore programs are:
The program to restore is: Mpcmdrun.exe –Restore -Name <Malware Name>
The startup folder for this binary is: %programfiles%\Microsoft Security Client\Antimalware
Kevin simply updated the command line in the restore program to the threat name of Widget Maker Pro that was being returned (Virus_Foo/32), and deployed that program to the “All Forefront Desktops” collection.
Once the crisis was mitigated, he reported the issue to the Microsoft Malware Protection team, by submitting a sample of the .exe and indicating on the submission that this should not be identified as malware. They researched the issue, fixed the definition causing the problem, and published a fixed definition to Microsoft Update. As with all false-positive submissions, the Malware Protection Center added this file to its clean-file list to make sure no false-positives would occur again for this application.
After they informed Kevin that the issue with the definition had been addressed, he updated his definition source, which brought in the new, fixed definition. Kevin tested the new definition and confirmed it was no longer removing Widget Maker Pro, and then deployed it. Confirming that his clients were all updated with the latest definition through Endpoint Protection reports/console, Kevin removed the exception he’d set in the antimalware policies. A couple of days later, he removed the advertisement of the restore package and program.
One thing Kevin missed in his otherwise excellent response, however, was declining to opt-in to Basic membership for Microsoft Active Protection Service (MAPS) when he configured his Endpoint Protection policies. Opting into MAPS is a simple antimalware policy setting. Had Kevin also opted-in to MAPS, his clients would have received a Signature Disable Notification (SDN) as soon as the Microsoft analysts realized the error. The SDN is something MAPS-enabled clients can pull down when a known false-positive issue with a published signature has been identified by analysts. Opting into MAPS also provides a number of valuable services, including a layer of false-positive protection. If the Malware Protection Center had already seen this problem, and if Kevin had opted into MAPS, this would have been addressed for him automatically, before any false-positive downtime occurred.
There are multiple variations to this scenario, but the key lesson to address false-positives is to be prepared and to have a rollback contingency in place like Kevin did. Follow the summary steps at the beginning of this document, to assure that you are prepared. These are not frequent occurrences, but with the volume of malware that has to be analyzed, this can happen.
Sr. Program Manager
System Center 2012 Configuration Manager & System Center 2012 Endpoint Protection
Comments in this blog are open and monitored for each post for a period of one week after the posting date. If you have a specific question about a blog post that is older than one week, please submit your question via our Twitter handle @MSCloud