How to create or modify an Access Protection Rule from a VSE 8.x or ePO 5.x console
Last Modified: 7/20/2020
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
McAfee VirusScan Enterprise (VSE) 8.8
For details of VSE 8.x supported environments, see KB51111.
Summary
Contents
How to create a user-defined Access Protection Rule for:
- Port blocking from a VSE 8.x or ePO 5.x console
- File/folder blocking from a VSE 8.x or ePO 5.x console
- Registry blocking from a VSE 8.x or ePO 5.x console
IMPORTANT: When you specify processes to exclude, specify the process name only, not the full path to the process. Full paths to processes are not supported; if you specify one, there is no guarantee that the exclusion works. Some McAfee default rules contain full-path exclusions for processes, but these rules are special cases that are hard coded to work. Attempts to replicate such a rule yourself in an AP policy fail. For a more flexible and comprehensive process monitoring and enforcement solution, consider using either McAfee Host Intrusion Prevention or McAfee Application Control.
Solution 1
How to create a user-defined Access Protection Rule for port blocking
VSE 8.x console
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
- Under Categories, select User-Defined Rules, then New.
- Select Port Blocking Rule and click OK.
- In the network port access protection rule field, change the following:
- Rule Name. Provide a name for the Rule (Example: Block Port 1234)
- Process to Include. You can specify a specific process if needed. Example: example123.exe. If you want to apply this rule to all processes, use a wild card (*). A wild card is needed because a full path name does not work.
- Process to Exclude. Leave it blank, or if you require it, specify a specific process to exclude as well.
- Ports to block. Type either the port or the port range that you want to block. For example, to block port 65 only, type port 65 for the range.
- Direction. If you want this rule to apply for both inbound/outbound, select both options.
- Click OK. The rule gets saved.
- Click Apply. The rule gets saved on the local system.
After you have saved your rule, select Block and Report or Report, as required.
- Click Apply, then OK.
ePO 5.x console
NOTE: Before you edit an Access Protection rule in a VSE policy, ensure that VSE is also installed on the ePO server. Some VSE policies are dynamically displayed using information found in the local VSE installation (for example, path information). If VSE is not installed, you might see policies refer to process names with a (\:::) prefix, which corrupts the policy if you modify and apply the change. For details about this issue, see KB81980.
- Log on to the ePO console.
- Click Menu, Policy Catalog.
- From the Product drop-down list, select VirusScan Enterprise 8.8 or VirusScan Enterprise 8.7.
- From the Category drop-down list, select Access Protection Policies.
- Click the policy where you want to add the new user-defined Access Protection Rule.
- At the top, select either Workstation or Server from the drop-down list.
- Under Categories, select User-Defined Rules, then click New.
- Select Port Blocking Rule and click OK.
- In the network port access protection rule field, edit the following sections:
- Rule Name. Provide a name for the Rule (Example: Block Port 1234)
- Process to Include. You can specify a specific process if needed. Example: example123.exe. If you want to apply this rule to all processes, use a wild card (*). A wild card is needed because a full path name does not work.
- Process to Exclude. Leave it blank, or if you require it, specify a specific process to exclude as well.
- Ports to block. Type either the port or the port range that you want to block. For example, to block port 65 only, type port 65 for the range.
- Direction. If you want this rule to apply for both inbound/outbound, select both options.
- Click OK. The user-defined rule gets saved.
- Click Apply. The rule gets saved.
After you have saved the rule, select Block and Report or Report, as required.
- Click Apply, then OK.
Solution 2
How to create a user-defined Access Protection rule for file/folder blocking
VSE 8.x console
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
- Under Categories, click User-Defined Rules, then New.
- Select File/Folder Blocking Rule, then click OK.
- In the File/Folder Blocking rule field, change the following:
- Rule name. Type the name of your rule.
- Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
- Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
- File or Folder name to block. Type or browse to the file name or path name you want to protect. For more information about using wildcards, see KB54812.
- At the bottom, select the actions that you want to prevent.
- Click OK.
After you have saved your rule, select Block and Report or Report, as required.
- Click Apply, then OK.
ePO 5.x console
NOTE: Before editing Access Protection rules for VirusScan Enterprise policies, make sure that VirusScan Enterprise is installed on the ePO server. Some VirusScan policies are dynamically displayed using information found in the local VirusScan installation, for example, path information. If VirusScan is not installed, you might see policies refer to process names with a "\:::" prefix, which corrupts the policy if you modify and apply the change.
- Log on to the ePO console.
- Click Menu, Policy Catalog.
- From the Product drop-down list, select either VirusScan Enterprise 8.8 or VirusScan Enterprise 8.7.
- From the Category drop-down list, select Access Protection Policies.
- Click the policy where you want to add the new user-defined Access Protection Rule.
- From the drop-down list at the top of the page, select either Workstation or Server.
- Under Categories, click User-Defined Rules, then New.
- Select File/Folder Blocking Rule, then click OK.
- In the File/Folder Blocking rule field, change the following:
- Rule name. Type the name of your rule.
- Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
- Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
- File or Folder name to block. Type or browse to the file name or path name you want to protect. For more information about using wildcards, see KB54812.
- At the bottom, select the actions that you want to prevent.
- Click OK.
After you have saved your rule, select Block and Report or Report, as needed.
- Click Apply, then OK.
Solution 3
How to create a user-defined Access Protection Rule for registry blocking
VSE 8.x console
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
- Under Categories, select User-Defined Rules, then New.
- Select Registry Blocking Rule, then click OK.
- In the Registry Blocking Rule section, edit the following fields:
- Rule name. Type in the name of your rule.
- Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
- Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
- Registry Key or value to protect. Select the appropriate registry hive, and in the adjacent field type the registry location. For example:
/Software/Microsoft/Windows/CurrentVersion/Policies/System/DisableRegistryTools
- Rule Type. Select either Key or Value. Where:
- Key is an entire folder.
- Value is an entry shown on the right side when using the registry editor.
- Registry actions to block. Select any of the options you want to block.
- Click OK.
After you have saved your rule, select Block and Report or Report, as needed.
- Click Apply, then OK.
ePO 5.x console
NOTE: Before you edit an Access Protection rule in a VSE policy, make sure that VSE is also installed on the ePO server. Some VSE policies are dynamically displayed using information found in the local VSE installation (for example, path information). If VSE is not installed, you might see policies refer to process names with a (\:::) prefix, which corrupts the policy if you modify and apply the change. For details about this issue, see KB81980.
- Log on to the ePO console.
- Click Menu, Policy Catalog.
- From the Product drop-down list, select VirusScan Enterprise 8.8 or VirusScan Enterprise 8.7.
- From the Category drop-down list, select Access Protection Policies.
- Click the policy where you want to add the new user-defined Access Protection Rule.
- At the top, select Workstation or Server from the drop-down list.
- Under Categories, click User-Defined Rules, then New.
- Select Registry Blocking Rule, then click OK.
- In the Registry Blocking Rule section, edit the following fields:
- Rule name. Type in the name of your rule.
- Processes to include. Type an asterisk (*) unless you want to prevent only specific processes. An asterisk (*) specifies all processes.
- Processes to exclude. Type the process to exclude. Separate each process with a comma and a space.
- Registry Key or value to protect. Select the appropriate registry hive, and in the adjacent field type the registry location. For example:
/Software/Microsoft/Windows/CurrentVersion/Policies/System/DisableRegistryTools
- Rule Type. Select either Key or Value. Where:
- Key is an entire folder.
- Value is an entry shown on the right side when using the registry editor.
- Registry actions to block. Select any of the options you want to block.
- Click OK.
After you have saved your rule, select Block and Report or Report, as needed.
- Click Apply, then OK.
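The field constraints described in this article (process name only, comma-and-space separator, the \::: prefix that signals a policy opened without VSE installed) can be checked before a rule is typed into the console. The following is an added example, not McAfee code: the dictionary layout, function names, and sample records are hypothetical and exist only for this check.

```python
import re

# Prefix the article says shows up in process names when a policy is opened
# on an ePO server that has no local VSE install; saving it corrupts the policy.
CORRUPT_PREFIX = "\\:::"

def check_process_field(label, value):
    """Return problems found in a 'Processes to include/exclude' field."""
    problems = []
    if re.search(r",(?! )", value):
        problems.append(f"{label}: separate processes with a comma and a space")
    for name in (p.strip() for p in value.split(",")):
        if not name:
            continue
        if name.startswith(CORRUPT_PREFIX):
            problems.append(f"{label}: '{name}' carries the \\::: prefix; do not save")
        elif "\\" in name or "/" in name or re.match(r"[A-Za-z]:", name):
            problems.append(f"{label}: '{name}' is a path; use the process name only")
    return problems

def check_rule(rule):
    """Validate one rule record (hypothetical dict layout, not a McAfee format)."""
    problems = []
    if not rule.get("include", "").strip():
        # Assumption: an empty include field is a mistake; '*' means all processes.
        problems.append("include: empty; use * to apply the rule to all processes")
    problems += check_process_field("include", rule.get("include", ""))
    problems += check_process_field("exclude", rule.get("exclude", ""))
    if rule.get("type") == "port":
        low, high = rule["ports"]          # a single port 65 is the range (65, 65)
        if not (0 <= low <= high <= 65535):
            problems.append(f"ports: invalid range {low}-{high}")
    return problems

# Constructed sample records for illustration.
SAMPLE_RULES = [
    {"name": "Block Port 1234", "type": "port", "include": "*",
     "exclude": "", "ports": (1234, 1234)},
    {"name": "Protect folder", "type": "file", "include": "*",
     "exclude": "C:\\Tools\\example123.exe,backup.exe"},
    {"name": "Edited without VSE", "type": "registry",
     "include": "\\:::example123.exe", "exclude": ""},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for problem in check_rule(rule) or ["ok"]:
            print(f"{rule['name']}: {problem}")
```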