Windows Defender detects Endpoint Security HipHandlers.dll
Last Modified: 2023-03-15 12:27:43 Etc/GMT
Technical Articles ID:
KB93976
Environment
Endpoint Security (ENS) Threat Prevention 10.x
Microsoft Windows 10
Microsoft Windows Defender

Problem
During a product installation of ENS Threat Prevention, or an Exploit Prevention content update, Windows Defender might incorrectly detect and delete the Exploit Prevention content file.

If the issue occurs during an Exploit Prevention content update, the Windows Event Log contains a Windows Defender event similar to the example below:

For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/Mimikatz.PTT&threatid=2147735582&enterprise=1
Name: HackTool:Win32/Mimikatz.PTT
ID: 2147735582
Severity: High
Category: Tool
Path: file:_C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190705_09419_ENDP_AM_1000\agent-windows\HIPHandlers.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User:
Process Name: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe
Action: Not Applicable
Action Status: No additional actions required
Error Code: 0x00000000
Security intelligence Version: AV: 1.293.2643.0, AS: 1.293.2643.0, NIS: 1.293.2643.0
Engine Version: AM: 1.1.16000.6, NIS: 1.1.16000.6

If the issue occurs during an ENS Threat Prevention installation, the file copy fails and the installation log contains entries similar to the example below:

11:32:22:672 - Copy failed for HIPHandlers64.dll: 225
11:32:22:672 - Copy source path : C:\Users\ADMINI~1\AppData\Local\Temp\\HIPHandlers64.dll
11:32:22:672 - Copy destination path : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS\HIPHandlers64.dll
11:32:22:834 - Copy file succeededed for Signatures_8.xml
11:32:22:848 - Copy file succeededed for ips_hooking_whitelist_8.xml
11:32:22:855 - Copy file succeededed for ENS_AP_Rules.dat
11:32:22:855 - Copy file succeededed for Hiphandlers.dat
11:32:22:895 - Copy file succeededed for HIPHandlers.dll
11:32:22:895 - McAfee CustomAction : End CopyBOPBinaries
CustomAction CopyBOPBinaries.B0543E55_ECD7_4CB6_89C0_A49DF5349B0E returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (00:9C) [11:32:22:926]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (00:9C) [11:32:22:926]: User policy value 'DisableRollback' is 0
MSI (s) (00:9C) [11:32:22:926]: Machine policy value 'DisableRollback' is 0
Action ended 11:32:22: InstallFinalize. Return value 3.

NOTE: Error 225 is the Win32 error code ERROR_VIRUS_INFECTED (the operation did not complete because the file contains a virus or potentially unwanted software). In this log it is Windows Defender blocking the copy of HIPHandlers64.dll, which makes the CopyBOPBinaries custom action fail and the MSI roll back with error 1603.

Cause
Older versions of the Windows Defender security intelligence (virus definitions) contain a signature that falsely matches the ENS Exploit Prevention HIPHandlers DLLs as HackTool:Win32/Mimikatz.PTT. Real-Time Protection then quarantines or blocks the file while ENS is copying it.
Solution
You must update the Windows Defender security intelligence to the latest version available from Microsoft. There are several ways to deploy the latest version, depending on your enterprise architecture and the scope of impacted systems.

To clear the currently cached dynamic signatures and trigger an update on a single system, run the following commands from an elevated (administrator) command prompt:

MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

After the update completes, retry the ENS Threat Prevention installation or the Exploit Prevention content update. For more information about the update and how to deploy it, see this Defender update article.
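The following PowerShell script is an added example, not part of this KB and not ENS or Defender product code. It ties the Problem and Solution sections together on one host: it looks for the false positive in Defender's detection history and in the Defender Operational event log (event IDs 1116 and 1117), runs the two MpCmdRun commands from the Solution, checks that the resulting security-intelligence version is newer than the one in the event quoted above, and lists the HIPHandlers DLLs in the ENS IPS directory so you can confirm they are back after the retry. It assumes the built-in Defender PowerShell module (Get-MpThreatDetection, Get-MpComputerStatus), the default MpCmdRun.exe location, and the paths shown in this KB; the threat name, threat ID and the 1.293.2643.0 version threshold are taken from the quoted event.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB): find the Defender false positive on the ENS HIPHandlers
# DLL, apply the KB fix, and verify. Assumptions: Defender PowerShell module present,
# MpCmdRun.exe at its default path, ENS installed under %ProgramFiles%\McAfee.

$MpCmdRun   = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$ThreatName = 'HackTool:Win32/Mimikatz.PTT'   # name in the quoted Defender event
$ThreatId   = 2147735582                      # ID in the quoted Defender event
$DllRegex   = 'HIPHandlers(64)?\.dll'         # both DLL names that appear in the KB
$BadVersion = [version]'1.293.2643.0'         # AV signature version in the quoted event

function Get-HipHandlersDetection {
    # Defender's own detection history, narrowed to this threat ID hitting a HIPHandlers DLL.
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatID -eq $ThreatId -and (($_.Resources -join ';') -match $DllRegex) } |
        Select-Object InitialDetectionTime, ProcessName, Resources
}

function Get-HipHandlersDefenderEvent {
    # Same question asked of the event log: 1116 = malware detected, 1117 = action taken.
    # Useful when the detection history has been cleared but the log has not.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $DllRegex -and $_.Message -match [regex]::Escape($ThreatName) } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Path'; Expression = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Path:' }) -join ' ' } }
}

function Get-SignatureVersion {
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

function Update-SecurityIntelligence {
    # The two commands from the KB. Needs access to Microsoft Update or the update source
    # configured by policy (WSUS, Configuration Manager, a file share).
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures | Out-Null
    & $MpCmdRun -SignatureUpdate | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun -SignatureUpdate failed with exit code $LASTEXITCODE" }
    Get-SignatureVersion
}

# 1. Evidence: did this host hit the false positive described in the KB?
$hits = @(Get-HipHandlersDetection) + @(Get-HipHandlersDefenderEvent)
if ($hits.Count -eq 0) {
    Write-Host "No Defender detection of $ThreatName on a HIPHandlers DLL found on this host."
} else {
    $hits | Format-List
}

# 2. Fix: always pull the latest security intelligence, then sanity-check that it moved
#    past the version that produced the detection.
$before = Get-SignatureVersion
Write-Host "Security intelligence before update: $before"
$after = Update-SecurityIntelligence
if ($after -le $BadVersion) {
    throw "Security intelligence is still $after, not newer than $BadVersion; check the update source."
}
Write-Host "Security intelligence after update: $after"

# 3. Verify after retrying the ENS install or content update: the DLLs must be present again.
$ipsDir = Join-Path $env:ProgramFiles 'McAfee\Endpoint Security\Threat Prevention\IPS'
Get-ChildItem -Path $ipsDir -File -ErrorAction SilentlyContinue |
    Where-Object Name -match $DllRegex |
    Select-Object Name, Length, LastWriteTime
```

The script deliberately fixes the problem the way the KB does, by updating the signatures, and adds no Defender exclusion for the McAfee directories; an exclusion would hide this false positive but also any real detection in those paths. Step 3 only reports: the DLLs reappear once the ENS installation or Exploit Prevention content update has been re-run with the updated signatures in place.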