Four Access Protection (AP) rules provide critical protection to McAfee resources. These rules included exclusions that were previously defined by a process name only. But this fact presented a security risk. The exclusions allow a process that would normally be blocked from an action, to successfully perform that action if the executable was renamed to an excluded process name.

The four rules are:

• Prevent modification of McAfee files and settings
• Prevent modification of McAfee Common Management Agent files and settings
• Prevent modification of McAfee Scan Engine files and settings
• Prevent termination of McAfee processes

VSE 8.8 Patch 9 improves the security of these rules by providing a companion for each that locks down the third-party process name exclusions so that they are not excluded.

To view the new companion rules:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. On the Access Protection tab, select Common Standard Protection.
4. In the right pane, view the following options:

• Prevent modification of McAfee files and settings Enhanced Self-Protection
• Prevent modification of McAfee Common Management Agent files and settings Enhanced Self-Protection
• Prevent modification of McAfee Scan Engine files and settings Enhanced Self-Protection
• Prevent termination of McAfee processes Enhanced Self-Protection

By default, VSE 8.8 Patch 9 adds these rules in Report mode only. Support recommends that you set them to Block after you confirm that any reported process violations must actually be blocked.

NOTE: The difference between the original rule and the companion rule is that the companion rule lists the third-party process names as processes to include. By so doing, a Block can occur for those third-party process names, whereas in prior VSE patches, the action would have been excluded. 

For example, installing DATS via xdat_.exe, run from a remote share, would have worked on previous versions; but, it fails with the companion rule enabled. 

Also, for the four original AP rules, a new setting called Enable Enhanced Self-Protection has been added and enabled by default. This setting only applies to the four original AP rules, and performs a validation check to the Processes to Exclude for each rule. It differs from previous patch releases and adds more security. Before, a process was excluded from those rule protections based on process name only. Now, the process must also be validated as a McAfee or Microsoft process.

If you see many AP rule violations that are BLOCKED for the above rules, deselect the option Enhanced Self-Protection to restore pre-Patch 9 behavior.