Four Access Protection (AP) rules provide critical protection to McAfee resources. Before Patch 9, the exclusions on these rules were defined by process name only, and that presented a security risk: a process that the rule would normally block could perform the action anyway if its executable was simply renamed to an excluded process name.
The four rules are:
- Prevent modification of McAfee files and settings
- Prevent modification of McAfee Common Management Agent files and settings
- Prevent modification of McAfee Scan Engine files and settings
- Prevent termination of McAfee processes
VSE 8.8 Patch 9 improves the security of these rules by providing a companion rule for each one that locks down the third-party process name exclusions, so that those processes are no longer excluded.
To view the new companion rules:
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
- On the Access Protection tab, select Common Standard Protection.
- In the right pane, the following companion rules are listed:
- Prevent modification of McAfee files and settings Enhanced Self-Protection
- Prevent modification of McAfee Common Management Agent files and settings Enhanced Self-Protection
- Prevent modification of McAfee Scan Engine files and settings Enhanced Self-Protection
- Prevent termination of McAfee processes Enhanced Self-Protection
By default, VSE 8.8 Patch 9 adds these rules in Report mode only. Support recommends that you set them to Block after you have reviewed the reported process violations and confirmed that they are actions that should actually be blocked.
NOTE: The difference between the original rule and the companion rule is that the companion rule lists the third-party process names as processes to include. As a result, a Block can occur for those third-party process names, whereas in prior VSE patches the action would have been excluded.
For example, installing DATs via xdat_.exe, run from a remote share, worked on previous versions, but it fails with the companion rule enabled.
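To support the Report-then-Block workflow described above, the following Python script, which is an added example and not McAfee's code, parses Access Protection log lines and lists the report-mode hits on the companion rules, that is, exactly what will start failing once the rules are set to Block. The tab-delimited field layout, the "Would be blocked" / "Blocked" status wording and the sample lines are all assumptions modelled on AccessProtectionLog.txt; none of it is taken from the page or captured from a real host.

```python
"""Triage Access Protection events before switching the Patch 9 companion
rules from Report to Block.

Added example, not McAfee code. Assumes the tab-delimited layout of VSE's
AccessProtectionLog.txt (date, time, status, user, process, target, rule,
action) and that report-mode entries start with "Would be blocked" while
enforced entries start with "Blocked". Both are assumptions about the log.
"""
import collections

FIELDS = ("date", "time", "status", "user", "process", "target", "rule", "action")
COMPANION_SUFFIX = "Enhanced Self-Protection"

# Constructed sample log (not from a real host): two report-mode hits from a
# DAT update run off a share, one report-mode hit from a tool in a user
# profile, and one enforced block from an original (non-companion) rule.
SAMPLE_LOG = "\n".join([
    "\t".join(["1/12/2016", "10:02:11 AM",
               "Would be blocked by Access Protection rule  (rule is currently not enforced)",
               "CONTOSO\\svc-deploy",
               "\\\\fileshare\\dats\\xdat.exe",
               "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\engine\\scan.dat",
               "Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Enhanced Self-Protection",
               "Action blocked : Write"]),
    "\t".join(["1/12/2016", "10:02:12 AM",
               "Would be blocked by Access Protection rule  (rule is currently not enforced)",
               "CONTOSO\\svc-deploy",
               "\\\\fileshare\\dats\\xdat.exe",
               "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\engine\\names.dat",
               "Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Enhanced Self-Protection",
               "Action blocked : Write"]),
    "\t".join(["1/12/2016", "11:40:03 AM",
               "Would be blocked by Access Protection rule  (rule is currently not enforced)",
               "CONTOSO\\jdoe",
               "C:\\Users\\jdoe\\AppData\\Local\\Temp\\killproc.exe",
               "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\mcshield.exe",
               "Common Standard Protection:Prevent termination of McAfee processes Enhanced Self-Protection",
               "Action blocked : Terminate"]),
    "\t".join(["1/12/2016", "11:41:00 AM",
               "Blocked by Access Protection rule ",
               "NT AUTHORITY\\SYSTEM",
               "C:\\Windows\\System32\\cmd.exe",
               "C:\\Program Files (x86)\\McAfee\\Common Framework\\FrameworkService.exe",
               "Common Standard Protection:Prevent termination of McAfee processes",
               "Action blocked : Terminate"]),
])


def parse_ap_log(text):
    """Split each line into a dict keyed by FIELDS.

    Lines with fewer than eight tab-separated fields are skipped rather than
    guessed at, so a truncated or hand-edited log cannot mis-attribute a hit.
    """
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            continue
        event = dict(zip(FIELDS, parts))
        event["status"] = event["status"].strip()
        events.append(event)
    return events


def mode_of(event):
    """'report' for a would-be block, 'block' for an enforced one."""
    status = event["status"]
    if status.startswith("Would be blocked"):
        return "report"
    if status.startswith("Blocked"):
        return "block"
    return "unknown"


def is_companion_rule(event):
    return event["rule"].endswith(COMPANION_SUFFIX)


def base_rule_name(rule):
    """Map a companion rule back to the original rule it locks down."""
    if rule.endswith(COMPANION_SUFFIX):
        return rule[:-len(COMPANION_SUFFIX)].rstrip()
    return rule


def pending_blocks(events):
    """Report-mode hits on companion rules, grouped by original rule,
    process image (case-folded) and user, most frequent first. Each entry
    is one decision to make before the rule is set to Block."""
    counts = collections.Counter()
    for event in events:
        if is_companion_rule(event) and mode_of(event) == "report":
            key = (base_rule_name(event["rule"]), event["process"].lower(), event["user"])
            counts[key] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def main():
    for (rule, process, user), count in pending_blocks(parse_ap_log(SAMPLE_LOG)):
        print(f"{count:4d}  {rule}\n      {user} running {process}")


if __name__ == "__main__":
    main()
```

Each pending entry is one decision: either the workflow changes (the DAT update from the share in the sample is the case the text describes) or the block is accepted. What the list must not lead to is re-adding the process name as an exclusion, since name-only exclusions are precisely the rename bypass that Patch 9 closes.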
Also, for the four original AP rules, a new setting called Enable Enhanced Self-Protection has been added and is enabled by default. This setting applies only to the four original AP rules and performs a validation check on the Processes to Exclude list for each rule. Previously, a process was excluded from those rule protections based on its process name only. Now, the process must also be validated as a McAfee or Microsoft process before the exclusion applies, which adds security over previous patch releases.
If you see many AP rule violations that are BLOCKED for the above rules, deselect the option Enable Enhanced Self-Protection to restore pre-Patch 9 behavior. Be aware that doing so returns those four rules to process-name-only exclusion matching, including the renamed-executable bypass described above, so treat it as a temporary measure while you identify the process causing the violations.