No options are available from the command line to disable the default Access Protection rules for ENSLTP. Currently, the only way to disable the rules is from the ePolicy Orchestrator policy, or by following these steps.
To disable the default Access Protection rules manually for ENSLTP 10.5.3 and later:
- Determine the Access Protection rule index:
/opt/isec/ens/threatprevention/bin/isecav --getallaprules
The following output displays:
----------------------------------------------------------------------------------------------------------------------------------------------
|Index Rule Name Block Status Report Status Origin |
----------------------------------------------------------------------------------------------------------------------------------------------
|1 IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX Disabled Enabled McAfee-defined |
|2 IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX Disabled Disabled McAfee-defined |
|3 IDS_AP_RULE_PREVENT_PERMISSION_OWNERSHIP_STARTUPFILES_LINUX Disabled Enabled McAfee-defined |
|4 IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION. Disabled Enabled McAfee-defined |
|5 IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX Disabled Disabled McAfee-defined |
|6 IDS_AP_RULE_PREVENT_WRITE_STARTUPFILES_LINUX Disabled Disabled McAfee-defined |
|7 IDS_AP_RULE_PREVENT_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_ Disabled Disabled McAfee-defined |
- Run the following command for each Access Protection rule to disable it:
/opt/isec/ens/threatprevention/bin/isecav --editaprule <rule index> --block disable --report disable
For example, if you want to disable the rule with index 1:
/opt/isec/ens/threatprevention/bin/isecav --editaprule 1 --block disable --report disable
- Verify that the Access Protection rules are disabled:
/opt/isec/ens/threatprevention/bin/isecav --getallaprules
The following output displays:
----------------------------------------------------------------------------------------------------------------------------------------------
|Index Rule Name Block Status Report Status Origin |
----------------------------------------------------------------------------------------------------------------------------------------------
|1 IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX Disabled Disabled McAfee-defined |
|2 IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX Disabled Disabled McAfee-defined |
|3 IDS_AP_RULE_PREVENT_PERMISSION_OWNERSHIP_STARTUPFILES_LINUX Disabled Enabled McAfee-defined |
|4 IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION. Disabled Enabled McAfee-defined |
|5 IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX Disabled Disabled McAfee-defined |
|6 IDS_AP_RULE_PREVENT_WRITE_STARTUPFILES_LINUX Disabled Disabled McAfee-defined |
|7 IDS_AP_RULE_PREVENT_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_ Disabled Disabled McAfee-defined |
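The per-index loop in the steps above, scripted as an added example (shell, not from the KB article or from the product): it parses the `--getallaprules` table the article shows, runs `--editaprule <index> --block disable --report disable` for every index, and then re-reads the table to confirm that no rule still has Block or Report enabled. The isecav path and option names are taken from the article; the table embedded in the script is a constructed copy of the article's first listing, so the parsing can be exercised on a machine without ENSLTP, in which case the script prints the commands it would run instead of executing them.

```sh
#!/bin/sh
# Added example, not part of the KB article: automate the per-rule
# "isecav --editaprule <index> --block disable --report disable" loop for
# ENSLTP 10.5.3 and later, then verify by re-reading --getallaprules.
# Assumptions: isecav path, option names and table layout are those the
# article shows.

ISECAV="${ISECAV:-/opt/isec/ens/threatprevention/bin/isecav}"

# Constructed sample in the article's table layout, used for a dry run on a
# host without ENSLTP. Rules 1, 3 and 4 still have Report enabled.
SAMPLE_OUTPUT='----------------------------------------------------------------------
|Index Rule Name Block Status Report Status Origin |
----------------------------------------------------------------------
|1 IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX Disabled Enabled McAfee-defined |
|2 IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX Disabled Disabled McAfee-defined |
|3 IDS_AP_RULE_PREVENT_PERMISSION_OWNERSHIP_STARTUPFILES_LINUX Disabled Enabled McAfee-defined |
|4 IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION. Disabled Enabled McAfee-defined |
|5 IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX Disabled Disabled McAfee-defined |
|6 IDS_AP_RULE_PREVENT_WRITE_STARTUPFILES_LINUX Disabled Disabled McAfee-defined |
|7 IDS_AP_RULE_PREVENT_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_ Disabled Disabled McAfee-defined |'

# Emit the rule table: from the real binary when present, else the sample.
list_ap_rules() {
    if [ -x "$ISECAV" ]; then
        "$ISECAV" --getallaprules
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

# stdin: rule table. stdout: "<index> <block status> <report status>" per rule.
# Rule rows are those whose first field is "|<number>"; header and border
# lines are skipped.
parse_ap_rules() {
    awk '$1 ~ /^[|][0-9]+$/ { sub(/^[|]/, "", $1); print $1, $3, $4 }'
}

# stdin: parsed rows. stdout: indexes of rules whose Block or Report is not Disabled.
active_ap_rule_indexes() {
    awk '$2 != "Disabled" || $3 != "Disabled" { print $1 }'
}

# Disable block and report for every rule index read on stdin. Without the
# binary, print the command that would run instead of executing it.
disable_ap_rules() {
    while read -r idx; do
        if [ -x "$ISECAV" ]; then
            "$ISECAV" --editaprule "$idx" --block disable --report disable
        else
            printf 'dry-run: %s --editaprule %s --block disable --report disable\n' "$ISECAV" "$idx"
        fi
    done
}

# Returns 0 when no rule is still active, 1 otherwise, so it can serve as a
# post-change check from configuration management.
verify_ap_rules_disabled() {
    remaining=$(list_ap_rules | parse_ap_rules | active_ap_rule_indexes)
    if [ -n "$remaining" ]; then
        printf 'still active: %s\n' "$(printf '%s' "$remaining" | tr '\n' ' ')"
        return 1
    fi
    echo "all Access Protection rules are disabled"
}

# Usage: sh disable_ap_rules.sh run
if [ "${1:-}" = "run" ]; then
    list_ap_rules | parse_ap_rules | awk '{ print $1 }' | disable_ap_rules
    verify_ap_rules_disabled
fi
```

The parser keys on the `|<number>` at the start of each row rather than on column positions, so the truncated rule names in the article's listing and a rule name that wraps onto a second line do not disturb the index, Block and Report fields it extracts.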
To disable the default Access Protection rules manually for ENSLTP 10.5.0-10.5.2:
- Stop the isectpd service:
/opt/isec/ens/threatprevention/bin # ./isectpdControl.sh stop
- Remove the Access Protection rule cache:
/opt/isec/ens/threatprevention/var # rm -rf APRuleCache.db
- Take a backup of the default Access Protection rules:
/opt/isec/ens/threatprevention/var/ap # cp -r DefaultRules/ DefaultRules_bk
/opt/isec/ens/threatprevention/var/ap # ls
The following output displays:
DefaultRules DefaultRules_bk
- Edit the XML file for each Access Protection rule as follows to disable it. For example, change the following line in the file AP_3021.xml from:
<AacRule GroupTag="Default" IsEnabled="true" ReactionType="AAC_REACTION_BLOCK" ReportEvent="true" RuleGuid="PREVENT_MODIFICATION_PASSWORDFILES_LINUX">
To:
<AacRule GroupTag="Default" IsEnabled="true" ReactionType="AAC_REACTION_ALLOW" ReportEvent="false" RuleGuid="PREVENT_MODIFICATION_PASSWORDFILES_LINUX">
- Start the isectpd service:
/opt/isec/ens/threatprevention/bin # ./isectpdControl.sh start
- Verify that the Access Protection rules are disabled:
/opt/isec/ens/threatprevention/bin # ./isecav --getallap
The following output displays:
---------------------------------------------------------------------------------------------------------------------------------------------
| Index Rule Name Block Status Report Status Origin |
---------------------------------------------------------------------------------------------------------------------------------------------
|1 IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX Disabled Disabled McAfee-defined |
|2 IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_OWNERSHIP_VMWARE_DEVICES_LINUX Disabled Enabled McAfee-defined |
|3 IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX Disabled Disabled McAfee-defined |
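The 10.5.0-10.5.2 procedure above scripted end to end, as an added example that is not from the article or the product: it stops isectpd, removes the rule cache, backs up DefaultRules, rewrites in every AP_*.xml the two attributes the article changes (ReactionType from AAC_REACTION_BLOCK to AAC_REACTION_ALLOW, ReportEvent from true to false), restarts the service and counts rule files that still block or report. Paths, attribute names and the isectpdControl.sh wrapper are those the article shows; `demo_on_constructed_rule` applies the edit to a constructed rule file in a temporary directory so the rewrite can be checked on a host without ENSLTP.

```sh
#!/bin/sh
# Added example, not from the KB article: apply the article's XML edit for
# ENSLTP 10.5.0-10.5.2 to every default Access Protection rule file.
# Assumptions: directory layout, attribute names and the service control
# wrapper are those shown in the article.

TP_ROOT="${TP_ROOT:-/opt/isec/ens/threatprevention}"
RULES_DIR="$TP_ROOT/var/ap/DefaultRules"

# Rewrite one rule file. Only the two attributes the article changes are
# touched; IsEnabled and RuleGuid stay as they are. A temp file plus mv is
# used instead of sed -i, which differs between GNU and BSD sed.
disable_ap_rule_file() {
    sed -e 's/ReactionType="AAC_REACTION_BLOCK"/ReactionType="AAC_REACTION_ALLOW"/' \
        -e 's/ReportEvent="true"/ReportEvent="false"/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of AP_*.xml files under $1 that still block or report; 0 means the
# edit is complete.
count_active_rule_files() {
    grep -l -e 'ReactionType="AAC_REACTION_BLOCK"' -e 'ReportEvent="true"' \
        "$1"/AP_*.xml 2>/dev/null | wc -l | tr -d ' '
}

# The article's steps in order: stop, drop cache, back up, edit, start, verify.
disable_all_default_ap_rules() {
    "$TP_ROOT/bin/isectpdControl.sh" stop
    rm -f "$TP_ROOT/var/APRuleCache.db"
    [ -d "${RULES_DIR}_bk" ] || cp -r "$RULES_DIR" "${RULES_DIR}_bk"
    for f in "$RULES_DIR"/AP_*.xml; do
        disable_ap_rule_file "$f"
    done
    "$TP_ROOT/bin/isectpdControl.sh" start
    [ "$(count_active_rule_files "$RULES_DIR")" = "0" ]
}

# Offline check on a constructed rule file (not a real ENSLTP file):
# prints "<active before> <active after>", expected "1 0".
demo_on_constructed_rule() {
    d=$(mktemp -d)
    cat > "$d/AP_3021.xml" <<'EOF'
<AacRule GroupTag="Default" IsEnabled="true" ReactionType="AAC_REACTION_BLOCK" ReportEvent="true" RuleGuid="PREVENT_MODIFICATION_PASSWORDFILES_LINUX">
</AacRule>
EOF
    before=$(count_active_rule_files "$d")
    disable_ap_rule_file "$d/AP_3021.xml"
    after=$(count_active_rule_files "$d")
    rm -rf "$d"
    printf '%s %s\n' "$before" "$after"
}

# Usage: sh disable_default_ap_rules.sh run   (on the ENSLTP host)
#        sh disable_default_ap_rules.sh demo  (offline check)
case "${1:-}" in
    run)  disable_all_default_ap_rules ;;
    demo) demo_on_constructed_rule ;;
esac
```

The backup copy is taken only if none exists yet, so re-running the script after a partial edit does not overwrite the pristine DefaultRules_bk that the article's step 3 creates for reverting.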