How to create or modify an Access Protection Rule from a VSE 8.x or ePO 5.x console
Technical Articles ID:   KB81095
Last Modified:  11/3/2016

Environment

McAfee ePolicy Orchestrator (ePO) 5.1, 5.0
McAfee VirusScan Enterprise (VSE) 8.8, 8.7i

For details of VSE 8.x supported environments, see KB51111.

Summary

Contents
How to create a user-defined Access Protection Rule for:

  • Port blocking
  • File/folder blocking
  • Registry blocking

IMPORTANT: When specifying processes to exclude, specify the process name only, not the full path to the process. Full paths to processes are not supported, and an exclusion that uses one is not guaranteed to work. Some McAfee default rules contain full-path exclusions for processes, but these are special cases that are hard-coded to work. Trying to replicate this yourself in an AP policy will fail. For a more flexible and comprehensive process monitoring and enforcement solution, consider using either McAfee Host Intrusion Prevention or McAfee Application Control.

Solution

How to create a user-defined Access Protection Rule for port blocking

VSE 8.x console

  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
  3. Under Categories, select User-Defined Rules, then New.
  4. Select Port Blocking Rule and click OK.
  5. In the network port access protection rule box, change the following:
    1. Rule Name. Provide a name for the Rule (Example: Block Port 1234)
    2. Process to Include. To apply the rule to a specific process, type its name, such as example123.exe. To apply the rule to all processes, use a wildcard (*). Type the process name only, because a full path name will not work.
    3. Process to Exclude. Leave this blank, or if you require it, specify a specific process to exclude as well.
    4. Ports to block. Type either the port or the port range that you want to block. For example, to block port 65 only, type port 65 for the range.
    5. Direction. If you want this rule to apply for both inbound/outbound, select both options.
  6. Click OK to save the rule. 
  7. Click Apply to save the rule on the local system.
    After you have saved your rule, select Block and Report or Report, as required.
  8. Click Apply, then OK.

ePO 5.x console

NOTE: Before you edit an Access Protection rule in a VSE policy, ensure that VSE is also installed on the ePO server. Some VSE policies are dynamically displayed using information found in the local VSE installation (for example, path information). If VSE is not installed, you may see policies refer to process names with a (\:::) prefix, which will corrupt the policy if you modify and apply the change. For details about this issue, see KB81980.

  1. Log into the ePO console.
  2. Click Menu, Policy Catalog.
  3. From the Product drop-down menu, select VirusScan Enterprise 8.8 or VirusScan Enterprise 8.7.
  4. From the Category drop-down menu, select Access Protection Policies.
  5. Click on the policy where you want to add the new user-defined Access Protection Rule.
  6. At the top, select either Workstation or Server from the drop-down list.
  7. Under Categories, select User-Defined Rules, then click New.
  8. Select Port Blocking Rule and click OK.
  9. In the network port access protection rule box, make changes to the following sections:
    1. Rule Name. Provide a name for the Rule (Example: Block Port 1234)
    2. Process to Include. To apply the rule to a specific process, type its name, such as example123.exe. To apply the rule to all processes, use a wildcard (*). Type the process name only, because a full path name will not work.
    3. Process to Exclude. Leave this blank, or if you require it, specify a specific process to exclude as well.
    4. Ports to block. Type either the port or the port range that you want to block. For example, to block port 65 only, type port 65 for the range.
    5. Direction. If you want this rule to apply for both inbound/outbound, select both options.
  10. Click OK to save the user defined rule.
  11. Click Apply to save the rule.
    After you have saved the rule, select Block and Report or Report, as required.
  12. Click Apply, then OK.

How to create a user-defined Access Protection rule for file/folder blocking 

VSE 8.x console

  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
  3. Under Categories, click User-Defined Rules, then New.
  4. Select File/Folder Blocking Rule, then click OK.
  5. In the File/Folder Blocking rule box, change the following:
    1. Rule name. Type the name of your rule.
    2. Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
    3. Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
    4. File or Folder name to block. Type or browse to the file name or path name you want to protect. For more information about using wildcards, see KB54812.
    5. At the bottom, select the actions that you want to prevent.
  6. Click OK.
    After you have saved your rule, select Block and Report or Report, as required.
  7. Click Apply, then OK.


ePO 5.x console

 

NOTE: Before editing Access Protection rules for VirusScan Enterprise policies, ensure that VirusScan Enterprise is installed on the ePO server. Some VirusScan policies are dynamically displayed using information found in the local VirusScan installation (for example, path information). If VirusScan is not installed, you may see policies refer to process names with a "\:::" prefix, which will corrupt the policy if you modify and apply the change.
 

  1. Log into the ePO console.
  2. Click Menu, Policy Catalog.
  3. From the Product drop-down menu, select either VirusScan Enterprise 8.8 or VirusScan Enterprise 8.7.
  4. From the Category drop-down menu, select Access Protection Policies.
  5. Click the policy where you want to add the new user-defined Access Protection Rule.
  6. From the drop-down menu at the top of the page, select either Workstation or Server.
  7. Under Categories, click User-Defined Rules, then New.
  8. Select File/Folder Blocking Rule, then click OK.
  9. In the File/Folder Blocking rule box, change the following:
    1. Rule name. Type the name of your rule.
    2. Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
    3. Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
    4. File or Folder name to block. Type or browse to the file name or path name you want to protect. For more information about using wildcards, see KB54812.
    5. At the bottom, select the actions that you want to prevent.
  10. Click OK.
    After you have saved your rule, select Block and Report or Report, as required.
  11. Click Apply, then OK.

How to create a user-defined Access Protection Rule for registry blocking

VSE 8.x console

  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
  3. Under Categories, select User-Defined Rules, then New.
  4. Select Registry Blocking Rule, then click OK.
  5. In the Registry Blocking Rule section, make changes to the following fields:
    1. Rule name. Type in the name of your rule.
    2. Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
    3. Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
    4. Registry Key or value to protect. Select the appropriate registry hive, and in the adjacent field type the registry location. For example: /Software/Microsoft/Windows/CurrentVersion/Policies/System/DisableRegistryTools
    5. Rule Type. Select either Key or Value.
      where:
      • Key is an entire folder.
      • Value is an entry shown on the right hand side when using the registry editor.
    6. Registry actions to block. Select any of the options you want to block.
  6. Click OK.
    After you have saved your rule, select Block and Report or Report, as required.
  7. Click Apply, then OK.

ePO 5.x console

NOTE: Before you edit an Access Protection rule in a VSE policy, ensure that VSE is also installed on the ePO server. Some VSE policies are dynamically displayed using information found in the local VSE installation (for example, path information). If VSE is not installed, you may see policies refer to process names with a (\:::) prefix, which will corrupt the policy if you modify and apply the change. For details about this issue, see KB81980.

  1. Log into the ePO console.
  2. Click Menu, Policy Catalog.
  3. From the Product drop-down menu, select VirusScan Enterprise 8.8 or VirusScan Enterprise 8.7.
  4. From the Category drop-down menu, select Access Protection Policies.
  5. Click on the policy where you want to add the new user-defined Access Protection Rule.
  6. At the top, select either Workstation or Server from the drop-down list.
  7. Under Categories, click User-Defined Rules, then New.
  8. Select Registry Blocking Rule, then click OK.
  9. In the Registry Blocking Rule section, make changes to the following fields:
    1. Rule name. Type in the name of your rule.
    2. Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
    3. Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
    4. Registry Key or value to protect. Select the appropriate registry hive, and in the adjacent field type the registry location. For example: /Software/Microsoft/Windows/CurrentVersion/Policies/System/DisableRegistryTools
    5. Rule Type. Select either Key or Value.
      where:
      • Key is an entire folder.
      • Value is an entry shown on the right hand side when using the registry editor.
    6. Registry actions to block. Select any of the options you want to block.
  10. Click OK.
    After you have saved your rule, select Block and Report or Report, as required.
  11. Click Apply, then OK.
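
The process-field rules in this article (process name only, entries separated by a comma and a space, and the \::: prefix warning) can be checked before a value is typed into a rule dialog. The following Python lint is an added example, not McAfee code; the function names and the sample rules are assumptions constructed for illustration.

```python
import re

# Added illustration: VSE/ePO expose no such API; this checks the text you
# intend to type into "Processes to include" / "Processes to exclude".
CORRUPT_PREFIX = "\\:::"  # prefix shown when VSE is missing on the ePO server

def lint_process_field(text, field="Processes to exclude"):
    """Return a list of problems found in one process field (hypothetical helper)."""
    problems = []
    if not text.strip():
        return problems  # the port-blocking steps allow a blank exclude field
    # Entries must be separated by a comma and a space.
    if re.search(r",(?! )|, {2,}|;", text):
        problems.append(f"{field}: separate entries with a comma and a space")
    for entry in (e.strip() for e in re.split(r"[;,]", text)):
        if not entry:
            problems.append(f"{field}: empty entry")
        elif entry.startswith(CORRUPT_PREFIX):
            problems.append(f"{field}: '{entry}' has the \\::: prefix; "
                            "modifying and applying this policy will corrupt it")
        elif "\\" in entry or "/" in entry or re.match(r"[A-Za-z]:", entry):
            problems.append(f"{field}: '{entry}' is a path; use the process name only")
    return problems

def lint_rules(rules):
    """Map each rule name to its problems; an empty list means the rule is clean."""
    return {r["name"]: lint_process_field(r["include"], "Processes to include")
                       + lint_process_field(r["exclude"], "Processes to exclude")
            for r in rules}

# Constructed sample rules, not taken from a real policy.
SAMPLE_RULES = [
    {"name": "Block Port 1234", "include": "*", "exclude": ""},
    {"name": "Protect folder", "include": "*",
     "exclude": "example123.exe,C:\\Tools\\backup.exe"},
    {"name": "Edited without VSE", "include": "\\:::example123.exe", "exclude": ""},
]

if __name__ == "__main__":
    for name, problems in lint_rules(SAMPLE_RULES).items():
        print(name, "->", problems or "OK")
```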
