New Access Protection rules with VirusScan Enterprise 8.8 Patch 9

Four Access Protection (AP) rules that provide critical protection to McAfee resources, included exclusions. These exclusions were previously defined by process name only. It presented a security risk because the exclusions allow a process that would normally be blocked from an action to successfully perform that action if the executable was renamed to an excluded process name.

The four rules are:

• Prevent modification of McAfee files and settings
• Prevent modification of McAfee Common Management Agent files and settings
• Prevent modification of McAfee Scan Engine files and settings
• Prevent termination of McAfee processes

VSE 8.8 Patch 9 improves the security of these rules by providing a companion for each that locks down the third-party process name exclusions so that they are not excluded.

To view the new companion rules:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. On the Access Protection tab, select Common Standard Protection.
4. In the right pane, view the following options:

• Prevent modification of McAfee files and settings Enhanced Self-Protection
• Prevent modification of McAfee Common Management Agent files and settings Enhanced Self-Protection
• Prevent modification of McAfee Scan Engine files and settings Enhanced Self-Protection
• Prevent termination of McAfee processes Enhanced Self-Protection

For more information, see KB88263.

By default, VSE 8.8 Patch 9 adds these rules in Report mode only. Support recommends that you set them to Block after you confirm that any reported process violations must actually be blocked.

NOTE: The difference between the original rule and the companion rule is that the companion rule lists the third-party process names as processes to include. By so doing, a Block can occur for those third-party process names, whereas in prior VSE patches, the action would have been excluded. 

For example, installing DATS via xdat_.exe, run from a remote share, would have worked on previous versions; but, it fails with the companion rule enabled. 

Also, for the four original AP rules, a new setting called Enable Enhanced Self-Protection has been added and enabled by default. This setting only applies to the four original AP rules, and performs a validation check to the Processes to Exclude for each rule. It differs from previous patch releases and adds more security. Now, instead of being excluded from those rule protections based on process name only, the process must also be validated as a McAfee or Microsoft process.

If you see many AP rule violations that are BLOCKED for the above rules, deselect the option Enhanced Self-Protection to restore pre-Patch 9 behavior.