How to protect Image File Execution Options with Access Protection rules
Technical Articles ID:   KB89030
Last Modified:  3/29/2017

Environment

McAfee VirusScan Enterprise (VSE) 8.8

For details of VSE 8.x supported environments, see KB51111.

Summary

Microsoft Windows supports a method for loading DLLs into running processes that leverages the Image File Execution Options (IFEO) registry key.
This key is often used by legitimate software and troubleshooting or diagnostic tools, but it can also be leveraged maliciously.

This article explains the rules to create and the processes to protect for VirusScan Enterprise.
Overview:
  1. Add a User Defined access protection rule to protect the KEY for the process. (See Solution 1)
  2. Add a User Defined access protection rule to protect the VALUES for the key. (See Solution 2)
  3. Repeat steps 1 and 2 for each process.
  4. Add a User Defined access protection rule to protect the parent key from being deleted. (Just 1 rule, described in Solution 3)
This procedure creates a total of 25 user defined access protection rules: two for each of the 12 processes listed below, plus one for the parent key.

Solution 1

Protect keys from modification

Use this example to configure the user defined access protection rule that protects the process KEY from modification. Create one such rule for each of the following VirusScan Enterprise processes:

Mfeann.exe
Logparser.exe
Mcadmin.exe
Mcconsol.exe
Mcupdate.exe
Restartvse.exe
Scncfg32.exe
shstat.exe
Vstskmgr.exe
wscavexe.exe
scan32.exe
scan64.exe


Example:
Rule type: Registry blocking rule
Rule name: Protect mfeann.exe KEY from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: KEY
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**

Actions to block: Create, Write, Delete

Repeat for each process name.

Solution 2

Protect values from modification

Use this example to configure the user defined access protection rule that protects the key's VALUES from modification.
NOTE: You must repeat this procedure for each VirusScan Enterprise process listed above, substituting the process name in each added rule.

Example:
Rule type: Registry blocking rule
Rule name: Protect mfeann.exe VALUES from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: VALUE
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**
 
Actions to block: Create, Write, Delete

Repeat for each process name.

Solution 3

Protect parent key from DELETE

Create a new user defined rule with these specifications:
  1. Rule Name: Prevent deleting IFEO parent key
  2. Processes to Include: *
  3. Processes to Exclude: <blank>
  4. Key or Value to protect: KEY
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  5. Actions to block: Delete
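As an added example (not part of this KB article or the VSE product), the following PowerShell audit checks whether any IFEO subkey or value already exists for the processes listed above, so an administrator can confirm the rules have nothing to block or spot a change that predates them. The registry path and process names come from the article; the function name and the severity labels are assumptions of this example.

```powershell
# Added example, not from the KB article: audit the IFEO subkeys of the VSE processes
# the article protects. None of these processes needs an IFEO entry in normal
# operation, so any subkey or value found here should be reviewed.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Process names taken from the article's list.
$vseProcesses = @(
    'Mfeann.exe', 'Logparser.exe', 'Mcadmin.exe', 'Mcconsol.exe',
    'Mcupdate.exe', 'Restartvse.exe', 'Scncfg32.exe', 'shstat.exe',
    'Vstskmgr.exe', 'wscavexe.exe', 'scan32.exe', 'scan64.exe'
)

function Get-IfeoFindings {
    # Hypothetical helper name; returns one object per value or nested subkey found.
    param([string[]]$ProcessNames, [string]$Root = $ifeoRoot)

    foreach ($name in $ProcessNames) {
        $keyPath = Join-Path $Root $name
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }   # no subkey: nothing to report

        $item = Get-Item -LiteralPath $keyPath
        foreach ($valueName in $item.GetValueNames()) {
            $displayName = if ($valueName) { $valueName } else { '(Default)' }
            # 'Debugger' is the IFEO value that redirects how the process is started,
            # so it is the first one to review.
            $severity = if ($valueName -eq 'Debugger') { 'High' } else { 'Review' }
            [pscustomobject]@{
                Process  = $name
                Key      = $keyPath
                Value    = $displayName
                Data     = $item.GetValue($valueName)
                Severity = $severity
            }
        }
        # Nested subkeys (for example PerfOptions) are reported as well.
        foreach ($sub in Get-ChildItem -LiteralPath $keyPath) {
            [pscustomobject]@{
                Process  = $name
                Key      = $sub.Name
                Value    = '(subkey)'
                Data     = $sub.PSChildName
                Severity = 'Review'
            }
        }
    }
}

$findings = @(Get-IfeoFindings -ProcessNames $vseProcesses)
if ($findings.Count -eq 0) {
    Write-Output 'No IFEO entries found for the listed VirusScan Enterprise processes.'
} else {
    $findings | Sort-Object Severity, Process | Format-Table -AutoSize
}
```

Run it from an elevated Windows PowerShell session on the VSE host; an empty result is the expected state once the rules above are in place.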
