Key benefits: Flexible configuration and ease of use
The first line of defense against malware is protecting endpoint system access points from threat access. Endpoint Security Threat Prevention Access Protection (AP) prevents unwanted changes to managed systems by restricting access to specified files, shares, registry keys, and registry values, and by preventing or restricting processes and services from executing threat behavior. Access Protection provides McAfee-defined rules and facilitates the creation of user-defined custom AP rules to report, restrict, or block behavior. Access Protection monitors requested actions and analyzes behavior according to the defined AP rules.
Access Protection (AP) capabilities in the Threat Prevention module have been enhanced in Endpoint Security 10.5 and provide more flexibility to secure endpoint systems when compared to McAfee VirusScan Enterprise 8.8 and earlier versions of Endpoint Security.
AP enhancements include the ability to:
Additional Access Protection features added in Endpoint Security 10.5 migrate Host IPS 8.0 user-based custom IPS signatures and provide more robust exploit management capability with the addition of Registry and Services sub-rules, plus full migration of Host IPS signature exceptions and IPS Application Protection rules.
In addition, Access Protection now proactively excludes all McAfee/Intel Security-signed processes from being subject to access controls.
McAfee VirusScan Enterprise 8.8 does not support this capability.
Key benefit: Improved scanning and detection performance
The McAfee Endpoint Security Framework incorporates an entirely redesigned Anti-Malware Engine Core.
The "McAfee AMCore" anti-malware scanning technology of the Threat Prevention module provides enhanced capabilities to address the requirements of these large environments and counter emerging and advanced malware threats with speed and efficacy. McAfee AMCore intelligently scans only items that really need to be scanned, instead of scanning all items equally. It accomplishes this efficiently without requiring you to make any configuration changes in the product. This technology is proven in performance and is running on millions of consumer endpoints. McAfee AMCore has also been subjected to numerous efficacy and performance tests by third-party organizations, such as AV-TEST.org and AV-Comparatives.org. As with the previous anti-malware engine, each release of McAfee AMCore content undergoes extensive quality and safety testing.
Key benefit: Increased performance and scanning that is invisible to the user
What is it? Scanning, especially on-demand full scans, can be resource-intensive. Zero-impact scanning is an on-demand capability that runs only when a system is idle and when users are not on their computers.
How does it work? McAfee Endpoint Security 10.5 monitors the system for idle states by watching disk utilization, user idle state, and full-screen mode (presentation mode). Here are the ways that each of these looks for idle status:
The Threat Prevention module starts scanning within three minutes of determining an idle state based on the above factors. A running scan will pause automatically when users start using their systems or disk utilization increases. Scans resume at the next detected idle state where they left off. A system reboot will not terminate the scan.
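The idle-detection and pause/resume behaviour described above, modelled as an added example (this is not McAfee code): three constructed idle signals must all agree, a scan starts after 180 seconds of continuous idle, pauses as soon as activity appears, and resumes from a persisted checkpoint, including after a simulated reboot. The names `Sample`, `ZeroImpactScan`, `IDLE_DELAY` and the signal fields are assumptions.

```python
import json
from dataclasses import dataclass

IDLE_DELAY = 180  # seconds of continuous idle before a scan starts (page: within three minutes)

@dataclass
class Sample:         # one constructed system sample; the signal names are assumptions
    t: int            # seconds since boot
    disk_busy: bool   # disk utilization above a busy threshold
    user_idle: bool   # no keyboard/mouse activity
    fullscreen: bool  # presentation (full-screen) mode

def is_idle(s: Sample) -> bool:
    # All three signals must agree before the system counts as idle.
    return s.user_idle and not s.disk_busy and not s.fullscreen

class ZeroImpactScan:
    # Scans `items` only while idle; a checkpoint lets a reboot resume rather than restart.
    def __init__(self, items, checkpoint=None):
        self.items = items
        self.pos = json.loads(checkpoint)["pos"] if checkpoint else 0
        self.idle_since = None   # when the current idle period began
        self.running = False
        self.events = []         # (event, t) audit trail: start / pause / resume / done

    def checkpoint(self) -> str:
        return json.dumps({"pos": self.pos})   # persist this (e.g. on disk) across reboots

    def step(self, s: Sample, batch: int = 1) -> None:
        if self.pos >= len(self.items):
            return
        if not is_idle(s):           # activity: pause at once and reset the idle timer
            if self.running:
                self.events.append(("pause", s.t))
            self.running, self.idle_since = False, None
            return
        if self.idle_since is None:
            self.idle_since = s.t
        if s.t - self.idle_since < IDLE_DELAY:
            return                   # idle, but not yet for three minutes
        if not self.running:
            self.running = True
            self.events.append(("resume" if self.pos else "start", s.t))
        self.pos = min(len(self.items), self.pos + batch)   # scan the next batch
        if self.pos >= len(self.items):
            self.events.append(("done", s.t))
```

Feed `step()` one `Sample` per polling interval; `checkpoint()` returns the state to persist, and passing it back to a new `ZeroImpactScan` continues where the previous run stopped.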
Key benefit: Increased protection with advanced next-generation security
The Threat Prevention module in McAfee Endpoint Security 10.5 includes enhanced Exploit Prevention detection. This capability builds and improves on the security protections provided in McAfee Host IPS 8.0 and VirusScan Enterprise 8.8, yet provides broader, more comprehensive memory and application call (API) protections through Endpoint Security's new integrated architecture. Based on ongoing research by McAfee Labs' industry-leading malware team, it leverages updated content-driven protection for targeted application programming interfaces (APIs).
Endpoint Security Exploit Prevention protection brought over from Host IPS includes the buffer overflow and Windows illegal API class signature engines. The Exploit Prevention signature content is updated monthly in alignment with Microsoft security update bulletins and can secure Windows endpoint systems immediately, while allowing vulnerability patching to be deferred to scheduled maintenance windows if needed.
Endpoint Security Exploit Prevention signature content currently shares the same content package as Host IPS 8.0. Exploit Prevention signature content release notes for both products are posted here.
One of the most notorious attack vectors, the buffer overflow, relies on insecure or error-prone programming mistakes in an application's memory space allocation and leaves systems vulnerable to zero-day exploits. Exploit Prevention stops buffer overflows from executing arbitrary code in the first place by monitoring user-mode API calls and recognizing when they are called as a result of a buffer overflow. Endpoint Security provides enhanced performance with both generic buffer overflow protection (GBOP) and targeted buffer overflow protection (TBOP) when compared to Host IPS 8.0 protections.
Endpoint Security's ActiveX exploit monitoring builds on the McAfee Host IPS 8.0 kill-bit security feature for ActiveX controls. This enhanced kill-bit security layer targets the object class identifiers (CLSIDs) of browser and application ActiveX controls identified as security vulnerability threats. Exploit Prevention content drives this functionality and shares similar signature content and severity level mappings as provided in Host IPS 8.0.
Generic Privilege Escalation Prevention (GPEP) provides security protection against privilege escalation exploits in kernel and user mode.
Supervisor Mode Execution Prevention (SMEP) provides protection against kernel vulnerability exploits. SMEP guards against kernel memory corruption, privilege escalation, and shellcode execution at an arbitrary memory address.
DEP is a Microsoft Windows operating system security feature designed to prevent damage from viruses and other security threats by monitoring programs to ensure that they use system memory safely. Because it is enforced by the operating system, this protection provides an increase in performance and API coverage.
Exploit Prevention will report if and when DEP is triggered.
Suspicious caller protection detects code injected into processes running in memory. These exploits attempt to bypass traditional security protection mechanisms such as GBOP and DEP. Suspicious caller protection also prevents return-oriented programming (ROP) based attacks.
Windows Illegal API Use monitoring builds on McAfee Host IPS 8.0 security. Exploit Prevention content drives this functionality and shares similar signature content and severity level mappings as provided in Host IPS 8.0.
“Securing Endpoints with Endpoint Security Threat Prevention”