MECM - rundll32 and Illusion.Jaguar.28.10BA4514.1B.3020200
Hi,
We use Microsoft Endpoint Configuration Manager (MECM).
In our Bitdefender Gravity Zone I have enabled "Microsoft Configuration Manager" under "Vendor and product exclusions > Custom".
Last Friday I upgraded our MECM to version 2309.
Since Saturday Bitdefender Gravity Zone has been sending Hyper-Detect-Alerts regarding found malware.
Name of the malware: Illusion.Jaguar.28.10BA4514.1B.3020200
Infected file: rundll32.exe
SHA256 hash: N/A
Command line: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" PolicyAgentProvider.dll,Setup_CheckNamespaces
And:
Command line: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" PolicyAgentEndpoint.dll,Setup_InitializePolicy
Is it necessary to add any "In-policy exclusions"?
(e.g. regarding Configuration Manager folders on clients, like ccmcache, ccm or ccmsetup)
Best regards,
bolkony
Answers
Hello.
Since you need help with a business product, @Andrei_S Enterprise (who provides support for business products) could take a look here and help you with the issue.
Also, you can always contact the Bitdefender business support:
Regards.
0 -
Hello @bolkony,
We will need a Support Tool and a bdsyslog in order for our Lab team to review the detection.
Based on this we will be able to provide an appropriate solution for your case.
Please open a support case with our Enterprise Support Team and provide the following files:
Kind Regards,
1