How to use Access Protection policies in VirusScan Enterprise to prevent malware from changing folder options
Technical Articles ID:   KB53356
Last Modified:  1/30/2017


Environment

McAfee VirusScan Enterprise 8.8

Summary

Several viruses can corrupt or change the areas of the registry that control access to folder options, for example Show Hidden files and folders and Hide protected operating system settings. If this happens, changes to these options cannot be saved.

This article details how VirusScan can be used to prevent this from happening.

Solution

IMPORTANT: The rules created by these instructions directly affect your access to the registry. To work around this when you need to change the protected settings yourself, (temporarily) disable Access Protection.

To prevent modification of folder options:
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
  3. Under Categories, select User-Defined Rules, New.
  4. Select Registry Blocking Rule and click OK.
  5. For the Rule name type Prevent modification of hidden folders rule - 1.
  6. For Processes to include, type asterisk (*).
    This ensures that all processes are included. 
  7. For Processes to exclude, type gpupdate.exe and any other process to be excluded, separating processes by a comma and a space.
    The gpupdate.exe process is the Microsoft Group Policy Refresh Utility. See http://technet.microsoft.com/en-us/library/bb490983.aspx 
  8. Under Registry Key or value to protect, use the drop-down list to select HKLM.
  9. In the adjacent field, type /Software/Microsoft/Windows/CurrentVersion/explorer/advanced/folder/hidden/SHOWALL
  10. Under Rule Type, select Key.
  11. For Registry actions to block, select Write to key or value and Create Key or value, then click OK to save changes.
  12. Repeat the steps above, naming the rule Prevent modification of hidden folders rule - 2 and using the path /Software/Microsoft/Windows/CurrentVersion/explorer/advanced/folder/hidden/NOHIDDEN instead of /Software/Microsoft/Windows/CurrentVersion/explorer/advanced/folder/hidden/SHOWALL
  13. Repeat the initial steps above, naming the rule Prevent modification of hidden folders rule - 3, using HKCU instead of HKLM and using /Software/Microsoft/Windows/CurrentVersion/explorer/advanced instead of /Software/Microsoft/Windows/CurrentVersion/explorer/advanced/folder/hidden/SHOWALL
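
A read-only PowerShell check of the three registry locations these rules protect, useful for confirming the values are intact before the rules lock them in place. This is an added example, not part of the original article; the value names (CheckedValue, Hidden, ShowSuperHidden) and the expected data are assumed stock Windows defaults and do not come from the article.

```powershell
# Read-only audit of the registry locations covered by rules 1 to 3.
# Value names and expected data are assumed stock Windows defaults (not from the article).
$base = 'Software\Microsoft\Windows\CurrentVersion\explorer\advanced'
$checks = @(
    # Rules 1 and 2: machine-wide definitions of the two radio buttons.
    @{ Path = "HKLM:\$base\folder\hidden\SHOWALL";  Name = 'CheckedValue'; Expected = 1 },
    @{ Path = "HKLM:\$base\folder\hidden\NOHIDDEN"; Name = 'CheckedValue'; Expected = 2 },
    # Rule 3: per-user choices. No expected value, these are reported for information.
    # Assumed meaning: Hidden 1 = show, 2 = do not show; ShowSuperHidden 0 = hide OS files.
    @{ Path = "HKCU:\$base"; Name = 'Hidden' },
    @{ Path = "HKCU:\$base"; Name = 'ShowSuperHidden' }
)

function Test-FolderOptionValue {
    param([string]$Path, [string]$Name, $Expected = $null)
    $r = [ordered]@{ Path = $Path; Name = $Name; Kind = $null; Value = $null; Status = 'OK' }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { $r.Status = 'KEY MISSING'; return [pscustomobject]$r }
    if ($key.GetValueNames() -notcontains $Name) {
        $r.Status = 'VALUE MISSING'; return [pscustomobject]$r
    }

    $r.Kind  = $key.GetValueKind($Name)
    $r.Value = $key.GetValue($Name)

    # A value that exists but is not a DWORD cannot be read correctly by Explorer,
    # so a changed type is reported separately from changed data.
    if ($r.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $r.Status = 'WRONG TYPE'
    } elseif ($null -eq $Expected) {
        $r.Status = 'INFO'
    } elseif ($r.Value -ne $Expected) {
        $r.Status = 'UNEXPECTED VALUE'
    }
    [pscustomobject]$r
}

$report = foreach ($c in $checks) { Test-FolderOptionValue @c }
$report | Format-Table -AutoSize

# Non-zero exit code if anything other than OK/INFO was found, for use in scripts.
if ($report | Where-Object { $_.Status -notin 'OK', 'INFO' }) { exit 1 }
```

Any row other than OK or INFO should be repaired before the Access Protection rules are enabled, because the rules will then also block the repair.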

Previous Document ID

616142

Affected Products


VirusScan Enterprise 8.8
