cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
krburkley
Level 7
Report Inappropriate Content
Message 1 of 2
‎09-20-2019 12:57 PM

Block .exe but allow user's to copy .exe locally

So I have success when creating a Removable Storage Access File Device Rule to block .exe's from being launched from removable media... however I cannot figure out how to allow user's to run the .exe locally from their machine. I would like to allow users to drag and drop the .exe to their desktop to run, but block on their removable storage devices... (like portable web browsers for example). 

Also, if anyone knows how to configure the rule to successfully show what exectuables are being launched or attempted to launch, so that we can effectively data mine and write procedures and rules accordingly or whitelist a high demand .exe people need to run. Right now i can configure my RSAFD rule to monitor mode but cannot see what executables are being launched. 

Thanks.

0 Kudos
Reply
1 Reply
Highlighted
JaganA
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2
‎09-22-2019 11:08 PM

Re: Block .exe but allow user's to copy .exe locally

@krburkley Thanks for choosing Support Community.

I am afraid to inform you that the file can't be allowed to drag and drop.

Secondly, evidence option is not applicable for device rules hence, file name can't be viewed in incident manager.

Just to give little more information about the functionality of the rule:

Removable Storage File Access Device Rule generates incidents on device plug only considering the plugged device matches device definition in the rule - plug event will be generated.

DLP blocks access to device or make the device read-only without generating any incidents after it. This Behavior is by design. This will mean DLP won't create a false monitor incident - you can see that incident type is device plug incident.(not file access block). The device rule will block access to .exe files (or another type of files which user defined in the rule) but no incident will be sent.

The reason for this behavior is the huge number of file access operations that OS does. Many different running processes (like explorer.exe) will try to access blocked files. If we will send notification for every file access user can see hundreds of notifications in a minute.

Hope, this is helpful and addresses your query.

JaganA
McAfee Employee

Was my reply helpful?
If yes, click "Accept as Solution" in my reply and together we can help other members?
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC