DimSys
Level 7

Unable to exclude whitelisted applications from protection rule


Hi!

We use Host DLP 9.2 Patch 2 (ePO 4.6.6). And we want to use Removable Storage File Access Protection Rules.

We have deployed a rule with the following conditions:

Connected device IS "All USB with NTFS-or-FAT"

Connected device IS NOT "Encrypted with McAfee Encryption"

The file being accessed IS any of: " '.EXE','.COM','.TMP', etc"

The following whitelisted applications will be excluded from this rule: "WhitelistApps".

In the group WhitelistApps we added some applications: winword.exe, excel.exe.

As you can see, we want to block access to TMP files because we have some reasons to consider these files dangerous.

But if we try to save a Winword file (some.docx) directly to a USB drive, this operation is blocked by DLP.

In "Process Monitor" (from Sysinternals Suite) we see:

Process Name: winword.exe

Operation: CreateFile

Path: J:\734983746.tmp

Result: ACCESS DENIED

Detail: Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a

Does anybody have any idea why the whitelisted application is not excluded from blocking?

UPD. The problem persists on Windows 7 Ult SP1 and Windows XP Pro SP3. And with any application (not only winword.exe).

Regards.

Message was edited by: DimSys on 12/12/13 11:55:35 AM ALMT

Message was edited by: DimSys on 12/12/13 2:11:17 PM ALMT
vimalnavis
Level 13

Re: Unable to exclude whitelisted applications from protection rule


Looks like everything is working as expected. You are excluding winword.exe but not .tmp files. Office creates .tmp files before saving files. I do not see how you can save office files without excluding .tmp files.

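An added example (not part of the original thread, and not McAfee code): a triage script over a Process Monitor CSV export that reports which whitelisted processes are still denied on the removable drive, and for which blocked extensions. The sample rows are constructed, and the column names assume Process Monitor's default CSV export columns.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample rows in Process Monitor's CSV export layout. Only the
# first data row mirrors the event quoted in the thread; the rest are made up.
# A real export starts with a BOM: open the file with encoding="utf-8-sig".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:40:01.10","winword.exe","4120","CreateFile","J:\734983746.tmp","ACCESS DENIED","Desired Access: Generic Read"
"11:40:01.25","WINWORD.EXE","4120","CreateFile","J:\~WRD0001.tmp","ACCESS DENIED","Desired Access: Generic Write"
"11:40:01.40","winword.exe","4120","CreateFile","J:\some.docx","SUCCESS","Desired Access: Generic Write"
"11:40:02.00","winword.exe","4120","CreateFile","C:\Temp\~DF12.TMP","SUCCESS","Desired Access: Generic Read"
"11:41:10.00","explorer.exe","1888","CreateFile","J:\setup.exe","ACCESS DENIED","Desired Access: Execute"
"11:42:00.00","excel.exe","5012","CreateFile","J:\report.xlsx","SUCCESS","Desired Access: Generic Write"
'''

# Values taken from the rule in the thread (the "etc" in the list is not expanded).
BLOCKED_EXTS = {".EXE", ".COM", ".TMP"}
WHITELIST_APPS = {"winword.exe", "excel.exe"}


def denied_by_extension(csv_text, drive, blocked_exts):
    """Count ACCESS DENIED events on `drive`, keyed by (process, extension)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        if row["Result"] != "ACCESS DENIED" or path.drive.upper() != drive.upper():
            continue
        ext = path.suffix.upper()
        if ext in blocked_exts:
            hits[(row["Process Name"].lower(), ext)] += 1
    return hits


def whitelist_collisions(hits, whitelisted):
    """Whitelisted executables that were still denied, with the extensions hit."""
    out = {}
    for (proc, ext), count in hits.items():
        if proc in whitelisted:
            out.setdefault(proc, {})[ext] = count
    return out


if __name__ == "__main__":
    hits = denied_by_extension(SAMPLE_CSV, "J:", BLOCKED_EXTS)
    for proc, exts in whitelist_collisions(hits, WHITELIST_APPS).items():
        print(f"{proc}: whitelisted, yet denied on {exts}")
```

A whitelisted process listed against .TMP is the situation from the first post: the whitelist entry for the executable does not cover the temporary files it creates on the drive.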
DimSys
Level 7

Re: Unable to exclude whitelisted applications from protection rule


It looks like my mistake.

In the Product Guide we see "...Whitelisted Application definitions can be included in the rule to exempt specifically named files from the blocking rule."

I thought it meant whitelisted apps can EXECUTE blocked files.

But in fact the whitelisted apps can be EXECUTED from removable storage.

Am I right now?

Message was edited by: DimSys on 12/13/13 9:38:17 AM ALMT
vimalnavis
Level 13

Re: Unable to exclude whitelisted applications from protection rule


That's right. Whitelisted applications are excluded/exempted from rules, and that's what the Product Guide says. It does not mean they are allowed to execute blocked files.

DimSys
Level 7

Re: Unable to exclude whitelisted applications from protection rule


Maybe it would be better to rename this feature to "Whitelisted Files"? Because customers can block not only EXE but any type of file, for example BAT or VBS, and these are not application files.

And I think an additional feature is needed that would allow excluding some applications (Word, WinRAR, etc.) so that they have ACCESS to blocked files on removable storage (as in the situation described in my first post).

vimalnavis
Level 13

Re: Unable to exclude whitelisted applications from protection rule


How to submit a Product Enhancement Request (PER)

https://kc.mcafee.com/corporate/index?page=content&id=KB60021
