Message 1 of 11

Block rename exe in access protection rule in NES

Hi,

I wanted to create a rule that blocks the action when someone tries to rename anydesk.exe or execute it. I am able to block it from execution but not able to prevent it from being renamed. If anyone is able to rename it, then it would not be blocked as its name will be changed, so that's the reason I also wanted to prevent it from being renamed.

Can anyone suggest how we can do that? I can see the rename option but it seems it's not working or I am making some mistake.

Please suggest

10 Replies
Message 2 of 11

Re: Block rename exe in access protection rule in NES

Hi,

Can anyone please suggest how it can be done?

Message 3 of 11

Re: Block rename exe in access protection rule in NES

Are you open to using an Expert Rule in 10.5.3 or above? If so, go to the file properties and tell me what it says under description and I'll give you a rule for it.

Message 4 of 11

Re: Block rename exe in access protection rule in NES

Hi,

Please let me know how we can restrict renaming of an application in ENS 10.5.3.

Under description, the name of the file is AnyDesk.exe

Message 5 of 11

Re: Block rename exe in access protection rule in NES

Use the checker in your local client to ensure formatting copies over correctly, but this will do it. Basically, it says block the execution of any file with the description of anydesk.exe unless it is named anydesk.exe.

 

Rule {
    Process {
        Include OBJECT_NAME { -v "*" }
    }
    Target {
        Match FILE {
            Include DESCRIPTION { -v "Anydesk.exe" }
            Exclude OBJECT_NAME { -v "anydesk.exe" }
            Include -access "EXECUTE"
        }
    }
}

Message 6 of 11

Re: Block rename exe in access protection rule in NES

Hi, thanks for this. Basically, what I understand is that I have to go to Endpoint Security Threat Prevention : Policy Category > Exploit Prevention and, under Signatures, click on Add Expert Rule. After clicking on Add Expert Rule, I need to select Files and copy-paste the content shared by you under Rule content. I am asking this since I have never used an expert rule before. Is it OK to use this? Does this have any kind of negative impact? What I want to know is: after creating this, do I need to remove the access protection rule created for blocking the anydesk.exe file, since we have created the expert rule? Also, is there any option for preventing the rename of a file under an access protection rule, or is the expert rule the only way to achieve this?

Message 7 of 11

Re: Block rename exe in access protection rule in NES

This is actually a process rule, not a file rule. However, it will allow "anydesk.exe" to execute. If you don't want that to run at all you can remove the Exclude line.

If you are only worried about the file being renamed within your environment (you aren't concerned about a renamed version being introduced into your environment) you could use Access Protection Rules. You could use a file rule and block execution and renaming by clicking the check boxes. It all depends upon your goals.

Ultimately, with this rule though, you could remove your Access Protection Rule. Somebody could rename the file but it wouldn't be able to execute. It is up to you.

Dave
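
The Expert Rule above keys on the file's version-info description instead of its name on disk. The same idea can be used to audit endpoints for copies that have already been renamed; the script below is an added example, not part of the thread and not McAfee code. The function name, the default search roots and the parameter names are assumptions. It also reports the Authenticode signer as a second identifier that does not depend on the file name.

```powershell
# Added example: list executables whose PE version info says AnyDesk,
# and flag the ones whose name on disk is something else.
# $Roots, $Pattern and $ExpectedName are assumptions; adjust for your environment.
param(
    [string[]]$Roots        = @("$env:USERPROFILE\Downloads", "$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
    [string]  $Pattern      = 'anydesk',
    [string]  $ExpectedName = 'AnyDesk.exe'
)

function Find-RenamedBinary {
    param([string[]]$Roots, [string]$Pattern, [string]$ExpectedName)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Fields read from the PE version resource, independent of the file name
            $meta = @($vi.FileDescription, $vi.OriginalFilename, $vi.ProductName) -join ' '
            # -notmatch is case-insensitive; skip files that do not mention the pattern
            if ($meta -notmatch [regex]::Escape($Pattern)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Description = $vi.FileDescription
                Original    = $vi.OriginalFilename
                # True when the description matches but the name is not the expected one
                Renamed     = ($_.Name -ne $ExpectedName)
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SigStatus   = $sig.Status
            }
        }
    }
}

# Renamed copies sort to the top of the report
Find-RenamedBinary -Roots $Roots -Pattern $Pattern -ExpectedName $ExpectedName |
    Sort-Object Renamed -Descending |
    Format-Table -AutoSize -Wrap
```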

Message 8 of 11

Re: Block rename exe in access protection rule in NES

Hi Dave,

Thanks a lot for all the info shared.

My goal is to prevent the execution of anydesk.exe and also prevent it from being renamed. I created the access protection rule to prevent the execution successfully but am not able to prevent it from getting renamed. Can you help with this?

Also, what is the difference between an access protection rule and an expert rule, since we can prevent execution and renaming in both?

Please suggest

Message 9 of 11

Re: Block rename exe in access protection rule in NES

If renaming blocking isn't working I'd suggest

1) open a ticket with support because it sounds like something is wrong.

2) Use the Expert Rule I provided but remove the Exclude line.

Expert Rules are much more robust than Access Protection Rules. You can address various different things with them that APRs just don't touch.

 

Message 10 of 11

Re: Block rename exe in access protection rule in NES

Hi Dane,

Thanks for the update.

If you could help me with where and how to choose rename so that I can verify what I have done wrong, that will be better.

Also, for the expert rule, when you say remove the Exclude line, do you mean removing Exclude OBJECT_NAME { -v "anydesk.exe" }?
