Windows agent Suspicious Double File Extension Execution antivirus warning


Article ID: 103750


Updated On:


CA Automic Workload Automation - Automation Engine CA Automic One Automation


McAfee Endpoint Security may end up blocking some or all of the Automic jobs, causing unexpected behavior.
The message given by McAfee is something like:

DOMAIN\USER ran [FULL PATH TO WINDOWS AGENT BIN DIRECTORY]\UCXJWX6.EXE, which tried to access the file [FULL PATH TO WINDOWS AGENT TEMP DIRECTORY]\JAACGFIV.TXT.BAT, violating the rule "Suspicious Double File Extension Execution", and was blocked.
For information about how to respond to this event, see KB85494.


Release: Automic workload automation 5.00A, 6.00A, 8.00A, 9.00A, 10.x, 11.x, 12.x, 21.0


This happens because, as part of job execution, the Automic Windows agent executes a ".txt.bat" file and generates a ".txt" file as a report after the job has finished running.
Depending on security settings, this action may be identified as a possible hacker attack method.


The agent behavior described above is how the product is designed to work, so an exception must be made in antivirus programs/scanners such as McAfee.
In similar situations in the past, changing the McAfee security settings has helped resolve the issue (for example, flagging the agent /bin and /temp directories as an exception).
The Windows agent will have to be flagged as safe to be allowed to execute these .txt.bat files for the jobs to run successfully.
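
A triage sketch for the block message quoted above, added here as an example and not Broadcom's or McAfee's code: it parses the message and treats an event as expected agent activity only when UCXJWX6.EXE runs from the agent bin directory and the target is a .txt.bat file directly inside the agent temp directory. The install paths and the sample messages are constructed assumptions; substitute your own agent paths.

```python
import re
from pathlib import PureWindowsPath

# Assumed agent locations, constructed for this example; substitute your own.
AGENT_BIN = PureWindowsPath(r"C:\Automic\Agents\windows\bin")
AGENT_TEMP = PureWindowsPath(r"C:\Automic\Agents\windows\temp")
AGENT_EXE = "ucxjwx6.exe"
RULE = "Suspicious Double File Extension Execution"

# Layout of the block message as quoted in this article.
EVENT_RE = re.compile(
    r'(?P<user>\S+) ran (?P<actor>.+?), which tried to access the file '
    r'(?P<target>.+?), violating the rule "(?P<rule>[^"]+)", and was blocked\.'
)

def classify(message):
    """Return 'expected-agent-job', 'review' or 'not-parsed' for one block message."""
    m = EVENT_RE.match(message.strip())
    if m is None:
        return "not-parsed"
    actor = PureWindowsPath(m["actor"])
    target = PureWindowsPath(m["target"])
    # PureWindowsPath compares case-insensitively and does not collapse "..",
    # so a traversal such as temp\..\other never equals the temp directory.
    actor_ok = actor.name.lower() == AGENT_EXE and actor.parent == AGENT_BIN
    target_ok = (
        target.parent == AGENT_TEMP
        and [s.lower() for s in target.suffixes] == [".txt", ".bat"]
    )
    if m["rule"] == RULE and actor_ok and target_ok:
        return "expected-agent-job"
    return "review"

# Constructed sample messages (not real telemetry).
_TAIL = ', violating the rule "' + RULE + '", and was blocked.'
SAMPLE_EVENTS = [
    r"CORP\svc_automic ran C:\Automic\Agents\windows\bin\UCXJWX6.EXE, which tried to access "
    r"the file C:\Automic\Agents\windows\temp\JAACGFIV.TXT.BAT" + _TAIL,
    # Same executable name, but started from outside the agent bin directory.
    r"CORP\jdoe ran C:\Users\jdoe\Downloads\UCXJWX6.EXE, which tried to access "
    r"the file C:\Automic\Agents\windows\temp\JAACGFIV.TXT.BAT" + _TAIL,
    # Agent binary, but the target is outside the agent temp directory.
    r"CORP\svc_automic ran C:\Automic\Agents\windows\bin\UCXJWX6.EXE, which tried to access "
    r"the file C:\Automic\Agents\windows\temp\..\..\scripts\RUN.TXT.BAT" + _TAIL,
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event), "<-", event[:60])
```

Events classified as "review" match the same rule name but fall outside the agent's documented bin/temp pattern, so they should not be covered by the agent exception.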