McAfee Corporate KB - Image File Execution Options cannot be blocked by Access Protection rules KB89030

Image File Execution Options cannot be blocked by Access Protection rules

Technical Articles ID: KB89030
Last Modified: 5/12/2017
Rated:

Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 1 - 9

For details of VSE supported environments, see KB51111.

Summary

Microsoft Windows supports a method for loading DLLs into running processes that leverages the Image File Execution Options (IFEO) registry key. This key is often used by legitimate software and troubleshooting or diagnostic tools, but it can also be leveraged maliciously.

Problem

With VSE 8.8 Patch 1 to 9, it is not possible to use VSE Access Protection rules to block entries for IFEO when an entry is created under the following registry key:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Solution

This issue is resolved in VSE 8.8 Patch 8/9 Hotfix 1187884. This release adds the Prevent modification of VirusScan IFEO keys and values Access Protection rule that adds protection for the IFEO registry key.

{GENPA.EN_US}

Workaround

Manually create the following 25 user-defined Access Protection rules.

Protect keys from modification:
Use this example to configure the user-defined Access Protection rule to protect the process KEY from modification.

Mfeann.exe

Logparser.exe

Mcadmin.exe

Mcconsol.exe

Mcupdate.exe

Restartvse.exe

Scncfg32.exe

shstat.exe

Vstskmgr.exe

wscavexe.exe

scan32.exe

scan64.exe

Example:

Rule type: Registry blocking rule
Rule name: Protect mfeann.exe KEY from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: KEY

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**

Actions to block: Create, Write, Delete

Repeat for each process name.

Protect values from modification:
Use this example to configure the user-defined Access Protection rule to protect the key's VALUES from modification.

NOTE: You must use this procedure for each VSE process listed above, and substitute the process name in each added rule.

Example:

Rule type: Registry blocking rule
Rule name: Protect mfeann.exe VALUES from IFEO changes
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: VALUE

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**

Actions to block: Create, Write, Delete

Repeat for each process name.

Protect the parent key from DELETE:
Add a user-defined Access Protection rule to protect the parent key from being deleted.

Rule Name: Prevent deleting IFEO parent key
Processes to Include = *
Processes to Exclude = <blank>
Key or Value to protect: KEY

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Actions to block: Delete

Related Information

SB10193 - McAfee - Security Bulletin: Updates fix a potential vulnerability in Window-based products (CVE-2017-4028)

Affected Products

Configuration
Known Issue/Product Defect
VirusScan Enterprise 8.8

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center