cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
krburkley
krburkley
Level 7
Report Inappropriate Content
Message 1 of 2
4 weeks ago

Block .exe but allow user's to copy .exe locally

So I have success when creating a Removable Storage Access File Device Rule to block .exe's from being launched from removable media... however I cannot figure out how to allow user's to run the .exe locally from their machine. I would like to allow users to drag and drop the .exe to their desktop to run, but block on their removable storage devices... (like portable web browsers for example). 

Also, if anyone knows how to configure the rule to successfully show what exectuables are being launched or attempted to launch, so that we can effectively data mine and write procedures and rules accordingly or whitelist a high demand .exe people need to run. Right now i can configure my RSAFD rule to monitor mode but cannot see what executables are being launched. 

Thanks.

0 Kudos
Reply
1 Reply
JaganA
McAfee Employee JaganA
McAfee Employee
Report Inappropriate Content
Message 2 of 2
3 weeks ago

Re: Block .exe but allow user's to copy .exe locally

@krburkley Thanks for choosing Support Community.

I am afraid to inform you that the file can't be allowed to drag and drop.

Secondly, evidence option is not applicable for device rules hence, file name can't be viewed in incident manager.

Just to give little more information about the functionality of the rule:

Removable Storage File Access Device Rule generates incidents on device plug only considering the plugged device matches device definition in the rule - plug event will be generated.

DLP blocks access to device or make the device read-only without generating any incidents after it. This Behavior is by design. This will mean DLP won't create a false monitor incident - you can see that incident type is device plug incident.(not file access block). The device rule will block access to .exe files (or another type of files which user defined in the rule) but no incident will be sent.

The reason for this behavior is the huge number of file access operations that OS does. Many different running processes (like explorer.exe) will try to access blocked files. If we will send notification for every file access user can see hundreds of notifications in a minute.

Hope, this is helpful and addresses your query.

JaganA
McAfee Employee

Was my reply helpful?
If yes, click "Accept as Solution" in my reply and together we can help other members?
0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC