Loading...

Knowledge Center

Image File Execution Options cannot be blocked by Access Protection rules
Technical Articles ID:   KB89030
Last Modified:  11/13/2017
Rated:

Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 1 - 9

For details of VSE supported environments, see KB51111.

Summary

Microsoft Windows supports a method for loading DLLs into running processes that leverages the Image File Execution Options (IFEO) registry key. This key is often used by legitimate software and troubleshooting or diagnostic tools, but it can also be leveraged maliciously.

Problem

With VSE 8.8 Patch 1 - 9, it is not possible to use VSE Access Protection rules to block entries for IFEO when an entry is created under the following registry key:
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Solution

This issue is resolved in VirusScan Enterprise 8.8 Update 10, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

The following is extracted from the VSE 8.8 Patch 10 release notes (PD27206)

This release adds the Prevent modification of VirusScan IFEO keys and values Access Protection rule, which protects registry subkeys and values under the Image File Execution Options key. This release fixes a potential vulnerability (CVE-2017-4028). For more information, see SB10193.

NOTE: This issue was previously resolved in VSE 8.8 Patch 8 or 9 Hotfix 1187884 (HF1187884). This release adds the Prevent modification of VirusScan IFEO keys and values Access Protection rule that adds protection for the IFEO registry key.

VSE 8.8 Patch 11 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Patch 11 supports all supported Windows operating systems.

Workaround

Manually create the following 25 user-defined Access Protection rules.

Protect keys from modification:
Use this example to configure the user-defined Access Protection rule to protect the process KEY from modification.
 
Mfeann.exe
Logparser.exe
Mcadmin.exe
Mcconsol.exe
Mcupdate.exe
Restartvse.exe
Scncfg32.exe
shstat.exe
Vstskmgr.exe
wscavexe.exe
scan32.exe
scan64.exe

Example:
Rule type: Registry blocking rule
Rule name: Protect mfeann.exe KEY from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: KEY
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**

Actions to block: Create, Write, Delete

Repeat for each process name.

Protect values from modification:
Use this example to configure the user-defined Access Protection rule to protect the key's VALUES from modification.

NOTE: You must use this procedure for each VSE process listed above, and substitute the process name in each added rule.

Example:
Rule type: Registry blocking rule
Rule name: Protect mfeann.exe VALUES from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: VALUE
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**
 
Actions to block: Create, Write, Delete

Repeat for each process name.

Protect the parent key from DELETE:
Add a user-defined Access Protection rule to protect the parent key from being deleted.

Rule Name: Prevent deleting IFEO parent key
Processes to Include = *
Processes to Exclude = <blank>
Key or Value to protect:  KEY
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Actions to block: Delete

Related Information

SB10193 - McAfee - Security Bulletin: Updates fix a potential vulnerability in Window-based products (CVE-2017-4028)

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Rate this document

Languages:

This article is available in the following languages:

English United States
Japanese

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.