Windows agent Suspicious Double File Extension Execution antivirus warning


Article ID: 103750


Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

McAfee Endpoint Security may block some or all Automic jobs, causing unexpected behavior.
The message reported by McAfee looks something like this:

DOMAIN\USER ran [FULL PATH TO WINDOWS AGENT BIN DIRECTORY]\UCXJWX6.EXE, which tried to access the file [FULL PATH TO WINDOWS AGENT TEMP DIRECTORY]\JAACGFIV.TXT.BAT, violating the rule "Suspicious Double File Extension Execution", and was blocked.
For information about how to respond to this event, see KB85494.

Environment

Release: Automic Workload Automation 5.00A, 6.00A, 8.00A, 9.00A, 10.x, 11.x, 12.x, 21.0

Cause

This happens because, as part of job execution, the Automic Windows agent executes a ".txt.bat" file and generates a ".txt" file as a report after the job has finished running.
Depending on security settings, this action may be identified as a possible attack method.

Resolution

The agent behavior described above is how the product is designed to work, so an exception must be configured in antivirus programs and scanners such as McAfee.
In similar situations in the past, changing the McAfee security settings has helped resolve the issue (for example, flagging the agent /bin and /temp directories as an exception).
The Windows agent must be flagged as safe so that it is allowed to execute these .txt.bat files and the jobs can run successfully.
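
When reviewing blocked events before and after adding the exception, it helps to separate the expected agent pattern from everything else the rule catches. The following is an added example, not code from the vendor or from McAfee: it parses event text in the format quoted above and marks an event as expected only when UCXJWX6.EXE in the agent bin directory touches a .txt.bat file directly inside the agent temp directory. The install paths and sample events are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed install locations (placeholders; the article does not give real paths).
AGENT_BIN = PureWindowsPath(r"C:\Automic\Agents\windows\bin")
AGENT_TEMP = PureWindowsPath(r"C:\Automic\Agents\windows\temp")
AGENT_EXE = "UCXJWX6.EXE"  # agent binary named in the article's message
RULE = "Suspicious Double File Extension Execution"

# Matches the event text in the form quoted in the article.
EVENT_RE = re.compile(
    r'^(?P<user>\S+) ran (?P<proc>.+?), which tried to access the file '
    r'(?P<target>.+?), violating the rule "(?P<rule>[^"]+)", and was blocked\.'
)

def _same_dir(path, directory):
    # Windows paths are case-insensitive. Comparing the parent exactly means
    # subfolders and paths containing ".." never count as the agent directory.
    return str(path.parent).lower() == str(directory).lower()

def classify(line):
    """Return 'expected-agent-job', 'investigate', or 'unparsed' for one event."""
    m = EVENT_RE.match(line.strip())
    if not m or m["rule"] != RULE:
        return "unparsed"
    proc = PureWindowsPath(m["proc"])
    target = PureWindowsPath(m["target"])
    expected = (
        proc.name.upper() == AGENT_EXE
        and _same_dir(proc, AGENT_BIN)
        and _same_dir(target, AGENT_TEMP)
        and target.name.lower().endswith(".txt.bat")
    )
    return "expected-agent-job" if expected else "investigate"

# Constructed sample events (not real log data).
_TAIL = ', violating the rule "' + RULE + '", and was blocked.'
SAMPLE_EVENTS = [
    r'CORP\svc_automic ran C:\Automic\Agents\windows\bin\UCXJWX6.EXE, which tried to access the file '
    r'C:\Automic\Agents\windows\temp\JAACGFIV.TXT.BAT' + _TAIL,
    r'CORP\jdoe ran C:\Windows\System32\cmd.exe, which tried to access the file '
    r'C:\Users\jdoe\Downloads\report.txt.bat' + _TAIL,
    r'CORP\svc_automic ran C:\Automic\Agents\windows\bin\UCXJWX6.EXE, which tried to access the file '
    r'C:\Users\Public\JAACGFIV.TXT.BAT' + _TAIL,
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event), "|", event[:60])
```

Events classified as "investigate" are the ones the exception should not cover, which is a reason to scope it to the agent binary and its temp directory rather than disabling the rule.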