Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
| Date |
Update |
| Aug 23, 2017 |
Example added (installing DATS via xdat_.exe) |
Four Access Protection (AP) rules that provide critical protection to McAfee resources included exclusions that were previously defined by process name only. This presented a security risk because the exclusions allow a process that would normally be blocked from an action to successfully perform that action if the executable was renamed to an excluded process name.
The four rules are:
- Prevent modification of McAfee files and settings
- Prevent modification of McAfee Common Management Agent files and settings
- Prevent modification of McAfee Scan Engine files and settings
- Prevent termination of McAfee processes
VSE 8.8 Patch 9 improves the security of these rules by providing a companion for each that locks down the third-party process name exclusions so that they are
not excluded.
To view the new companion rules:
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
- On the Access Protection tab select Common Standard Protection.
- In the right pane, view the following options:
- Prevent modification of McAfee files and settings Enhanced Self-Protection (KB88263)
- Prevent modification of McAfee Common Management Agent files and settings Enhanced Self-Protection (KB88263)
- Prevent modification of McAfee Scan Engine files and settings Enhanced Self-Protection (KB88263)
- Prevent termination of McAfee processes Enhanced Self-Protection (KB88263)
By default, VSE 8.8 Patch 9 adds these rules in
Report mode only. Support recommends setting them to
Block after you confirm that any reported process violations should actually be blocked.
NOTE: The difference between the original rule and the companion rule is that the companion rule lists the third-party process names as
processes to include. By so doing, a
Block can occur for those third-party process names, whereas in prior VSE patches, the action would have been excluded.
For example, installing DATS via xdat_.exe, run from a remote share, would have worked on previous versions; however, it will fail with the companion rule enabled.
Additionally, for the four original AP rules, a new setting called
Enable Enhanced Self-Protection has been added (and enabled by default). This setting only applies to the four original AP rules, and performs a validation check to the
Processes to Exclude for each rule. This differs from prior patch releases and adds more security. Now, instead of being excluded from those rule protections based on process name only, the process must also be validated as a McAfee or Microsoft process.
If you see a large number of AP rule violations that are BLOCKED for the above rules, uncheck the option
Enhanced Self-Protection to restore pre-Patch 9 behavior.
