Image File Execution Options can't be blocked by Access Protection rules

Technical Articles ID: KB89030
Last Modified: 1/29/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 1–9

For details of VSE supported environments, see KB51111.

Summary

Microsoft Windows supports a method for loading DLLs into running processes that uses the Image File Execution Options (IFEO) registry key. This key is often used by legitimate software and troubleshooting or diagnostic tools, but it can also be used maliciously.

Problem

With VSE 8.8 Patch 1–9, it is not possible to use VSE Access Protection rules to block entries for IFEO when an entry is created under the following registry key:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Solution

This issue is resolved in VirusScan Enterprise 8.8 Update 10, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

The following is extracted from the VSE 8.8 Patch 10 release notes:

This release adds the Prevent modification of VirusScan IFEO keys and values Access Protection rule, which protects registry subkeys and values under the Image File Execution Options key. This release fixes a potential vulnerability (CVE-2017-4028). For more information, see SB10193.

NOTE: This issue was previously resolved in VSE 8.8 Patch 8 or 9 Hotfix 1187884 (HF1187884). This release adds the Prevent modification of VirusScan IFEO keys and values Access Protection rule that adds protection for the IFEO registry key.

VSE 8.8 Patch 14 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Patch 14 supports all supported Windows operating systems.

Workaround

Manually create the following 25 user-defined Access Protection rules.

Protect keys from modification:
Use this example to configure the user-defined Access Protection rule to protect the process KEY from modification.

Mfeann.exe

Logparser.exe

Mcadmin.exe

Mcconsol.exe

Mcupdate.exe

Restartvse.exe

Scncfg32.exe

shstat.exe

Vstskmgr.exe

wscavexe.exe

scan32.exe

scan64.exe

Example:

Rule type: Registry blocking rule
Rule name: Protect mfeann.exe KEY from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: KEY

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**

Actions to block: Create, Write, Delete

Repeat for each process name.

Protect values from modification:
Use this example to configure the user-defined Access Protection rule to protect the key's VALUES from modification.

NOTE: You must use this procedure for each VSE process listed above, and substitute the process name in each added rule.

Example:

Rule type: Registry blocking rule
Rule name: Protect mfeann.exe VALUES from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: VALUE

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**

Actions to block: Create, Write, Delete

Repeat for each process name.

Protect the parent key from DELETE:
Add a user-defined Access Protection rule to protect the parent key from being deleted.

Rule Name: Prevent deleting IFEO parent key
Processes to Include = *
Processes to Exclude = <blank>
Key or Value to protect: KEY

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Actions to block: Delete

Related Information

SB10193 - McAfee - Security Bulletin: Updates fix a potential vulnerability in Window-based products (CVE-2017-4028)

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Affected Products

Configuration
Known Issue/Product Defect
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Japanese
Portuguese Brasileiro

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Image File Execution Options can't be blocked by Access Protection rules

Environment

Summary

Problem

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Image File Execution Options can't be blocked by Access Protection rules

Environment

Summary

Problem

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title