Image File Execution Options can't be blocked by Access Protection rules
Technical Articles ID: KB89030
Last Modified: 1/29/2020

Environment
McAfee VirusScan Enterprise (VSE) 8.8 Patch 1–9
For details of VSE supported environments, see KB51111.

Summary
Microsoft Windows supports a method for loading

Problem
With VSE 8.8 Patch 1–9, it is not possible to use VSE Access Protection rules to block entries for Image File Execution Options (IFEO) when an entry is created under the following registry key:

Solution
This issue is resolved in VirusScan Enterprise 8.8 Update 10, which is available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

The following is extracted from the VSE 8.8 Patch 10 release notes:
This release adds the "Prevent modification of VirusScan IFEO keys and values" Access Protection rule, which protects registry subkeys and values under the Image File Execution Options key. This release fixes a potential vulnerability (CVE-2017-4028). For more information, see SB10193.

VSE 8.8 Patch 16 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.
NOTE: VSE 8.8 Patch 16 supports all supported Windows operating systems.

Workaround
Manually create the following 25 user-defined Access Protection rules.

Protect keys from modification:
Use this example to configure the user-defined Access Protection rule to protect the process KEY from modification.

Example:
Rule type: Registry blocking rule
Rule name: Protect
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**
Actions to block: Create, Write, Delete

Repeat for each process name.

Protect values from modification:
Use this example to configure the user-defined Access Protection rule to protect the key's VALUES from modification.
NOTE: You must use this procedure for each VSE process listed above, and substitute the process name in each added rule.

Example:
Rule type: Registry blocking rule
Rule name: Protect
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\**
Actions to block: Create, Write, Delete

Repeat for each process name.

Protect the parent key from DELETE:
Add a user-defined Access Protection rule to protect the parent key from being deleted.

Rule name: Prevent deleting IFEO parent key
Processes to Include: *
Processes to Exclude: <blank>
Key or Value to protect:
Actions to block: Delete

Related Information
SB10193 - McAfee - Security Bulletin: Updates fix a potential vulnerability in Window-based products (CVE-2017-4028)

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.
NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.
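
To verify the state of the keys that the Workaround rules protect, the following read-only PowerShell audit lists IFEO subkeys for watched process names and any subkey that carries a Debugger value. It is an added example, not McAfee code; the Wow6432Node root and the function name Get-IfeoFinding are assumptions added here, and only mfeann.exe comes from the article, so the watch list must be extended with the VSE process names in your deployment.

```powershell
# Added audit example (not McAfee code). Read-only: it changes nothing.
$IfeoRoots = @(
    # Key path taken from the article's Workaround rules
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows (assumption: not named in the article)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Process names to watch. Only mfeann.exe appears in the article;
# add the remaining VSE process names from your own deployment.
$Watched = @('mfeann.exe')

function Get-IfeoFinding {
    param(
        [string[]]$Roots = $IfeoRoots,
        [string[]]$ProcessNames = $Watched
    )
    foreach ($root in $Roots) {
        # Skip roots that do not exist (for example, 32-bit Windows)
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $name      = $key.PSChildName
            $debugger  = $key.GetValue('Debugger', $null)
            $isWatched = $ProcessNames -contains $name   # case-insensitive match

            # Report every entry for a watched process, plus any image
            # that has a Debugger value set.
            if ($isWatched -or $debugger) {
                [pscustomobject]@{
                    Root     = $root
                    Image    = $name
                    Watched  = $isWatched
                    Debugger = $debugger
                    Values   = ($key.GetValueNames() -join ', ')
                }
            }
        }
    }
}

Get-IfeoFinding | Sort-Object Watched -Descending | Format-Table -AutoSize -Wrap
```

On a system running VSE 8.8 Patch 1–9, any row with Watched set to True is an entry that the Access Protection rules above are meant to prevent and should be investigated.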