
Threat Prevention


Enhanced Access Protection

Key benefits: Flexible configuration, and ease of use

The first line of defense against malware is protecting endpoint system access points from threats. Endpoint Security Threat Prevention Access Protection (AP) prevents unwanted changes to managed systems by restricting access to specified files, shares, registry keys, and registry values, and by preventing or restricting processes and services from executing threat behavior. Access Protection provides McAfee-defined rules and lets you create user-defined custom AP rules to report, restrict, or block behavior. It monitors requested actions and analyzes behavior according to the defined AP rules.

Access Protection (AP) capabilities in the Threat Prevention module have been enhanced in Endpoint Security 10.5 and provide more flexibility to secure endpoint systems than McAfee VirusScan Enterprise 8.8 and earlier versions of Endpoint Security.

AP enhancements include the ability to:

  • Specify more file and registry operations (such as read, write, create, delete).
  • Create a single AP rule to protect files and registry entries instead of protecting only one per rule.
  • Include or exclude processes at the rule level, based on file path, MD5, and digital signer, rather than simply based on file path.
  • Create global exclusions that apply to all AP rules.

Additional Access Protection features added in Endpoint Security 10.5 migrate Host IPS 8.0 IPS user-based custom signatures and provide more robust exploit management capability, with the addition of Registry and Services sub-rules and full migration of Host IPS signature exceptions and IPS Application Protection rules.

  • Integrated Intrusion prevention technology with Host IPS-like user-defined custom signature and exploit management capability
  • Registry scanning ability

In addition, Access Protection now proactively excludes all McAfee/Intel Security-signed processes from being subject to access controls.

McAfee VirusScan Enterprise 8.8 does not support this capability.
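
The rule semantics listed above, as a simplified model added here (not McAfee's engine or policy format): one rule covers several file and registry targets and operations, processes are matched by path, MD5 or signer, and global exclusions and the vendor's own signer bypass every rule. The class names, signer strings, MD5 value and the choice that an exclusion wins over an inclusion are assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

VENDOR_SIGNER = "Example Vendor, Inc."  # constructed stand-in for the product's own signer
Process = namedtuple("Process", "path md5 signer", defaults=("", ""))

@dataclass(frozen=True)
class Matcher:
    """Identifies processes by path pattern, MD5 or signer; every field that is set must match."""
    path: str = ""
    md5: str = ""
    signer: str = ""

    def matches(self, p):
        if not (self.path or self.md5 or self.signer):
            return False  # an empty matcher must not silently match every process
        return ((not self.path or fnmatchcase(p.path.lower(), self.path.lower()))
                and (not self.md5 or p.md5.lower() == self.md5.lower())
                and (not self.signer or p.signer == self.signer))

@dataclass
class Rule:
    name: str
    targets: list      # file and registry patterns can share one rule
    operations: set    # subset of {"read", "write", "create", "delete"}
    action: str        # "report" or "block"
    include: list = field(default_factory=list)  # empty means every process
    exclude: list = field(default_factory=list)  # assumption: exclusion beats inclusion

def evaluate(rules, global_exclusions, proc, operation, target):
    """Return (action, rule name) for the first rule that applies, else ("allow", None)."""
    if proc.signer == VENDOR_SIGNER or any(m.matches(proc) for m in global_exclusions):
        return ("allow", None)  # vendor-signed and globally excluded processes skip all rules
    for rule in rules:
        applies = (operation in rule.operations
                   and any(fnmatchcase(target.lower(), t.lower()) for t in rule.targets)
                   and (not rule.include or any(m.matches(proc) for m in rule.include))
                   and not any(m.matches(proc) for m in rule.exclude))
        if applies:
            return (rule.action, rule.name)
    return ("allow", None)

# Constructed sample policy: one rule protecting a file and a registry key.
RULES = [Rule("Protect hosts file and Run key",
              [r"C:\Windows\System32\drivers\etc\hosts",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*"],
              {"write", "create", "delete"}, "block",
              exclude=[Matcher(signer="Example Admin Tools Ltd")])]
GLOBAL_EXCLUSIONS = [Matcher(md5="0123456789abcdef0123456789abcdef")]
```

A broad global exclusion, or a path-only one, removes a process from every rule at once, so exclusions deserve the same review as the rules themselves.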

Anti-Malware Engine Core

Key benefit: Improved scanning and detection performance

The McAfee Endpoint Security Framework incorporates an entirely redesigned Anti-Malware Engine Core.

The "McAfee AMCore" anti-malware scanning technology of the Threat Prevention module provides enhanced capabilities to address the requirements of these large environments and to counter emerging and advanced malware threats with speed and efficacy. McAfee AMCore intelligently scans only items that really need to be scanned, instead of scanning all items equally. It accomplishes this efficiently without requiring you to make any configuration changes in the product. This technology is proven in performance and is running on millions of consumer endpoints. McAfee AMCore has also been subjected to numerous efficacy and performance tests by third-party organizations, such as and As with the previous anti-malware engine, each release of McAfee AMCore content undergoes extensive quality and safety testing.

Zero-Impact Scanning

Key benefit: Increased performance and scanning that is invisible to user

What is it? Scanning, especially on-demand full scans, can be resource-intensive. Zero-impact scanning is an on-demand capability that runs only when a system is idle and when users are not on their computers.

How does it work? McAfee Endpoint Security 10.5 monitors the system for idle states by watching disk utilization, user idle state, and full-screen mode (presentation mode). Here are the ways that each of these looks for idle status:

  • Microsoft Windows Management Instrumentation (WMI) performs checks at regular intervals to monitor disk usage. If disk usage over that time is less or more than the threshold limit, a notification is sent, and McAfee Endpoint Security 10.5 performs a deeper evaluation to determine the idle state.
  • The "user idle" state is a derived value based on keyboard events, mouse movement, and full-screen mode.
  • Full-screen mode is detected if the current application is run in full-screen mode, such as Microsoft PowerPoint presentations and videos playing in full-screen mode.


The Threat Prevention module starts scanning within three minutes of determining an idle state based on the above factors. A running scan will pause automatically when users start using their systems or disk utilization increases. Scans resume at the next detected idle state where they left off. A system reboot will not terminate the scan.

Exploit Prevention Technology

Key benefit: Increased protection with advanced next-generation security

The Threat Prevention module in McAfee Endpoint Security 10.5 includes enhanced Exploit Prevention detection. This capability builds and improves on the security protections provided in McAfee Host IPS 8.0 and VirusScan Enterprise 8.8, and provides broader, more comprehensive memory and application call (API) protections with Endpoint Security’s new integrated architecture. Based on ongoing research by McAfee Labs' industry-leading malware team, it leverages updated content-driven protection for targeted application programming interfaces (APIs).

Endpoint Security Exploit Prevention protection brought over from Host IPS includes the buffer overflow and Windows illegal API class signature engines. The Exploit Prevention signature content is updated monthly in alignment with Microsoft security update bulletins, and can secure Windows endpoint systems immediately, while allowing vulnerability patching to be deferred to scheduled maintenance windows if needed.

Endpoint Security Exploit Prevention signature content currently shares the same content package as Host IPS 8.0. Exploit Prevention signature content release notes for both products are posted here.

Exploit Prevention includes these enhanced security technologies:

Buffer overflow protection

One of the most notorious attack vectors, the buffer overflow relies on insecure or error-prone programming relating to an application’s memory space allocation, and results in systems being vulnerable to zero-day exploits. Exploit Prevention stops buffer overflows from executing arbitrary code in the first place, by monitoring user-mode API calls and recognizing when they are called as a result of a buffer overflow. Endpoint Security provides enhanced performance with both generic buffer overflow protection (GBOP) and targeted buffer protection (TBOP), when compared to Host IPS 8.0 protections.

ActiveX exploit monitoring

Endpoint Security’s ActiveX exploit monitoring builds on the McAfee Host IPS 8.0 kill-bit security feature for ActiveX controls. This enhanced kill-bit security layer targets the object class identifiers (CLSIDs) of browser and application ActiveX controls identified as security vulnerability threats. Exploit Prevention content drives this functionality, and shares similar signature content and severity level mappings as provided in Host IPS 8.0.
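
For context on what a kill bit is, Windows itself records one per CLSID as bit 0x400 of the "Compatibility Flags" value under the Internet Explorer "ActiveX Compatibility" registry key. The added example below (not McAfee code, and independent of the product's own signature content) audits a .reg export of that key against a list of CLSIDs that should be blocked; the export text and CLSIDs are constructed, and only the key path shown in the code is read.

```python
import re

KILL_BIT = 0x400  # Compatibility Flags bit that stops Internet Explorer instantiating the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<value>[0-9A-Fa-f]{8})$', re.I)

def kill_bits(reg_text):
    """Map each CLSID found in a .reg export to True when its kill bit is set."""
    result, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header: track it only if it is a CLSID entry we care about.
            m = KEY_RE.match(line)
            clsid = m.group("clsid").upper() if m else None
            if clsid:
                result.setdefault(clsid, False)
        elif clsid and (m := FLAGS_RE.match(line)):
            result[clsid] = bool(int(m.group("value"), 16) & KILL_BIT)
    return result

def missing_kill_bits(reg_text, required):
    """Return the required CLSIDs that are absent or present without the kill bit."""
    state = kill_bits(reg_text)
    return sorted(c.upper() for c in required if not state.get(c.upper(), False))

# Constructed export: the first CLSID is kill-bitted, the second has other flags only.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000020
"""
```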

Generic Privilege Escalation Prevention (GPEP)

GPEP provides security protection against privilege escalation exploits in kernel and user mode.

Supervisor Mode Execution Protection (SMEP)

Supervisor Mode Execution Protection provides protection against kernel vulnerability exploits. SMEP guards against kernel memory corruption, privilege escalation, and shellcode execution to an arbitrary memory address.

Data Execution Prevention (DEP)

DEP is a Microsoft Windows operating system security feature designed to prevent damage from viruses and other security threats by monitoring programs to ensure that they use system memory safely. Because it is enforced by the operating system, this protection provides an increase in performance and API coverage.

Exploit Prevention will report if and when DEP is triggered.

Suspicious caller and Windows API monitoring

Suspicious caller protection detects code injected into processes running in memory. These exploits attempt to bypass traditional security protection mechanisms such as GBOP and DEP. Suspicious caller will also prevent return-oriented programming-based attacks.

Windows Illegal Use API monitoring builds off of McAfee Host IPS 8.0 security.  Exploit Prevention content drives this functionality, and shares similar signature content and severity level mappings as provided in Host IPS 8.0.



Version history
Revision #: 1 of 1
Last update: 12-14-2016 06:08 PM