Windows agent Suspicious Double File Extension Execution antivirus warning

Article ID: 103750

Updated On:

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

McAfee Endpoint Security may block some or all Automic jobs, causing unexpected behavior.
The message reported by McAfee looks something like this:

DOMAIN\USER ran [FULL PATH TO WINDOWS AGENT BIN DIRECTORY]\UCXJWX6.EXE, which tried to access the file [FULL PATH TO WINDOWS AGENT TEMP DIRECTORY]\JAACGFIV.TXT.BAT, violating the rule "Suspicious Double File Extension Execution", and was blocked.
For information about how to respond to this event, see KB85494.

Cause

This happens because, as part of job execution, the Automic Windows agent executes a ".txt.bat" file and, after the job has finished running, generates a ".txt" file as the report.
Depending on the security settings, this action may be identified as a possible attack technique.

Environment

Release: Automic Workload Automation 5.00A, 6.00A, 8.00A, 9.00A, 10.x, 11.x, 12.x, 21.0

Resolution

The agent behavior described above is how the product is designed to work, so an exception must be made in antivirus programs/scanners such as McAfee.
In similar situations in the past, changing the McAfee security settings has helped resolve the issue (for example, flagging the agent /bin and /temp directories as an exception).
The Windows agent must be flagged as safe so that it is allowed to execute these .txt.bat files and the jobs can run successfully.
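Before adding the exception, it helps to confirm that the blocked events really are the agent behavior described above and nothing else. The following Python sketch is an added example, not Broadcom or McAfee code: it parses messages in the shape quoted in this article and accepts only events where UCXJWX6.EXE in the agent bin directory accessed a .txt.bat file in the agent temp directory. The directory paths, domain and user names are constructed placeholders.

```python
import ntpath
import re

# Shape of the McAfee message quoted in this article.
EVENT_RE = re.compile(
    r'^(?P<user>\S+) ran (?P<process>.+?), which tried to access the file '
    r'(?P<target>.+?), violating the rule "(?P<rule>[^"]+)", and was blocked\.'
)
RULE = "Suspicious Double File Extension Execution"
AGENT_EXE = "ucxjwx6.exe"

# Constructed sample data: directories, domain and user names are assumptions.
BIN_DIR = r"C:\Automic\Agents\windows\bin"
TEMP_DIR = r"C:\Automic\Agents\windows\temp"
_TAIL = f', violating the rule "{RULE}", and was blocked.'
SAMPLE_EVENTS = [
    rf"EXAMPLE\svc_automic ran {BIN_DIR}\UCXJWX6.EXE, which tried to access the file {TEMP_DIR}\JAACGFIV.TXT.BAT" + _TAIL,
    rf"EXAMPLE\jdoe ran C:\Windows\explorer.exe, which tried to access the file C:\Users\jdoe\Downloads\report.pdf.exe" + _TAIL,
    rf"EXAMPLE\svc_automic ran {BIN_DIR}\UCXJWX6.EXE, which tried to access the file {TEMP_DIR}\..\bin\JAACGFIV.TXT.BAT" + _TAIL,
]


def _inside(path, directory):
    """True if path lies under directory (Windows semantics, '..' resolved)."""
    path = ntpath.normcase(ntpath.normpath(path))
    directory = ntpath.normcase(ntpath.normpath(directory))
    return path.startswith(directory.rstrip("\\") + "\\")


def is_expected_agent_event(message, bin_dir, temp_dir):
    """Return True only for the agent behavior this article describes."""
    m = EVENT_RE.match(message.strip())
    if not m or m["rule"] != RULE:
        return False
    process, target = m["process"], m["target"]
    return (
        ntpath.basename(process).lower() == AGENT_EXE
        and _inside(process, bin_dir)
        and _inside(target, temp_dir)
        and target.lower().endswith(".txt.bat")
    )


def unexpected_events(messages, bin_dir=BIN_DIR, temp_dir=TEMP_DIR):
    """Blocked events that a bin/temp exception should not be assumed to cover."""
    return [m for m in messages if not is_expected_agent_event(m, bin_dir, temp_dir)]
```

Any message returned by `unexpected_events` is a block that the agent exception does not explain and should be reviewed separately.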