The MA 5.x Extension includes the policy setting Self-Protection (Windows Only) for Windows systems. Self-Protection is only briefly mentioned in the McAfee Agent Product Guides; this article provides supplemental information about it.
When enabled, this setting prevents unauthorized access and changes to the MA 5.x Windows client files, folders, registry, and executables. This protection is in addition to the security permissions set for MA folders and files during installation.
The new MA feature is similar to the Access Protection feature of VirusScan Enterprise (VSE). But, unlike VSE, there are no granular policy settings to allow access attempts or to only report them. The feature has two states and applies only to Windows platforms with MA 5.x installed:
- On (block unauthorized attempts)
- Off (allow unauthorized attempts)
Currently, unauthorized access attempts are not logged outside of a McAfee-specific log file. This means that access attempts by a non-trusted process are currently not:
- Logged to the Windows Event Viewer
- Displayed in an MA tray icon notification
Lock down of the MA services is available starting with MA 5.0.1.
Sometimes, you might need to disable self-protection for debugging purposes. Do so with caution and be fully aware of the risks involved. Disabling self-protection compromises MA security and could make it vulnerable to attacks. If you disable self-protection, do it only for a short duration, and then re-enable it. When self-protection is disabled, MA is still protected by the file and folder permissions set through Windows Access Control Lists. Even so, when possible you are advised to:
- Isolate the client system from potential attacks.
- Consider strengthening the firewall rules while Self-Protection is disabled.
IMPORTANT:
- You can only control self-protection through the MA policy. It can't be changed on the local system.
- Contact McAfee Enterprise Support if your client is not managed via ePolicy Orchestrator. See the Related Information section for details.
NOTE: This article is viewable only by registered ServicePortal users.
For more information, see a related article:
KB82740 - REGISTERED - How to temporarily disable self-protection for McAfee Agent 5.x in the McAfee Agent policy