Re: AntiExploit blocking Chrome and Edge

PCTI · ‎2021-10-26

Hello.

I am having problems in one client because Harmony Endpoint is blocking Chrome and Edge with no special reason.

I get alert that Anti-Exploit block threat, but i dont find anything that might cause this.

Endpoint version - 85.10.0575

More info in attach

Regards

Pedro

Chris_Atkinson · ‎2021-10-26

Please follow-up with TAC regarding a permanent solution, in the interim see sk154455.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Tobias_Karsbo · ‎2021-10-26

Same for us:

Chrome yesterday for some users, Edge today.

Id: c20e8565-81a0-5410-6177-efad27a60000
Sequencenum: 1
Product Family: Endpoint
Event Type: Forensics Case Analysis

Severity: High
Description: To exclude: Open the Harmony Endpoint Management -> policy -> Threat Prevention -> EXCLUSION CENTER -> Exclusion Settings -> Web and Files Protection -> Threat Emulation... -> + -> SHA1 -> paste this: d3d8253e-3bd458aa-19968b0c-312c774d-26baef79 Attack status: Cleaned.
Client Name: Check Point Endpoint Security Client
Product Version: 85.40.2076
Installed Blades: Firewall; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation

Forensics Analysis: 457ab508-d779-4aa7-8720-89b8c60b407a
Triggered By: Endpoint Anti-Exploit
Attack Status: Cleaned
Protection Name: Gen.Exploiter.ROP
Protection Type: Generic
Malware Action: a ROP virtual memory allocation exploit
File Name: msedge.exe
File MD5: fda107354688b32939d7f3e4e286c069
File Type: exe
File Size: 8631461295071690752
File SHA-1: d3d8253e3bd458aa19968b0c312c774d26baef79
File SHA-256:
Confidence Level: High
Policy Name: Default Forensics settings
Policy Date: 2021-09-24T08:32:23Z
Policy Version: 18
Remediated Files: msedge.exe(Terminated before), msedge.exe(Terminated before), (Terminated before), msedge.exe(Terminated before), msedge.exe(Terminated before), msedge.exe(Terminated before), msedge.exe(Terminated before), (Terminated before)
Impacted Files:
Suspicious Events: Exploitation for Client Execution: msedge.exe; Drive-by Compromise: msedge.exe; User Execution: msedge.exe;
Incident Details: msedge.exe(fda107354688b32939d7f3e4e286c069);
General Information:
Service Domain: ep-demo
Action: Prevent
Packet Capture: Packet Capture
Type: Log
Blade: Forensics
Lastupdatetime: 1635250093000
Lastupdateseqnum: 1
Stored: true
Description: To exclude: Open the Harmony Endpoint Management -> policy -> Threat Prevention -> EXCLUSION CENTER -> Exclusion Settings -> Web and Files Protection -> Threat Emulation... -> + -> SHA1 -> paste this: xxxxxxxxxxxxxxxxxxxxxxxxx Attack status: Cleaned.

tom_allen · ‎2021-10-26

Where can I see that SK? Anyone else have a solution?

tom_allen · ‎2021-10-26

Nevermind, I found the SK but I would rather have a solution.

Chris_Atkinson · ‎2021-11-01

Hi Tom,

The fix is included in E86.00 available now from sk175945.

MikeB · ‎2021-10-26

Same Issue with 4 endpoints, all with E85.40 version.

chrome.exe and msedge.exe affected.

Malware action: a ROP virtual memory allocation exploit

Protection Name: Gen.Exploiter.ROP

tom_allen · ‎2021-10-26

Yes got a reply from Tech Support, know issue and the workaround is to add an exclusion.

PCTI · ‎2021-10-27

I have updated to 85.40 with no sucess.

Chris_Atkinson · ‎2021-10-27

Per above a workaround is currently required until a permanent fix is made available (E86.00).

Pedro_Marques · ‎2021-10-28

Also have the same problem ... had to apply the workarround 😞

AntiExploit blocking Chrome and Edge

script to delete files

Uninstall Endpoint / Cleanup

VPN MFA Google Authenticator

Harmony Endpoint - Linux (Ubuntu)

Change IP address Endpoint Management Server