cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Zebu
Level 9
Report Inappropriate Content
Message 1 of 4
‎11-07-2019 01:31 AM

Emotet Access Protection Rule

Jump to solution

Hello,

Recently a raised number of attacks reported at my company with downloaders, most often carrying the malware Emotet.

I found the article "How to protect against Emotet" and the rules have been created.

mcafee.com/corporate/index?page=content&id=KB90108

I just wonder if it is known practice why it is not a McAfee-defined Access Protection Rule?

Thank you!

Zebu

0 Kudos
Reply
1 Solution

Accepted Solutions
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎11-07-2019 03:19 AM

Re: Emotet Access Protection Rule

Jump to solution

Hi @Zebu,

Thank you for your post! Undeniably good suggestion from you. Although I would recommend raising this as a PER, I would like to point out one important point here with respect to ENS.

In KB90108, most of the rules seen are not custom made but are predefined rules. This applies to Exploit prevention rules mentioned and DAC rules mentioned. Different technologies/components are implemented to block different actions involved and hence you see the variations involved as well.

The Custom access protection rule(Rule 2) is very aggressive and targets specific variants of Emotet (launching powershell using winword.exe and cmd.exe). This however cannot be tied to emotet only!

The Rule 3 however, is too aggressive to be globally add to the list even in disabled state as it entirely blocked .exe file creation in c:\ Drive. Labeling them as specific to Emotet or any of it's variant would not really be precise (in my opinion).

Having said this, I would still suggest you to go through a PER as stated above as it would be really useful to get the Product Management's and other Enterprise user's take on this. It is very important that we have a way to update our understanding of our Customer's needs and hence we would really appreciate your input in the Enterprise Ideas forum.

*Note: Please use your Service portal login in order to access and post ideas in the ideas forum.

I sincerely hope this helps.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

View solution in original post

Reply
3 Replies
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎11-07-2019 03:19 AM

Re: Emotet Access Protection Rule

Jump to solution

Hi @Zebu,

Thank you for your post! Undeniably good suggestion from you. Although I would recommend raising this as a PER, I would like to point out one important point here with respect to ENS.

In KB90108, most of the rules seen are not custom made but are predefined rules. This applies to Exploit prevention rules mentioned and DAC rules mentioned. Different technologies/components are implemented to block different actions involved and hence you see the variations involved as well.

The Custom access protection rule(Rule 2) is very aggressive and targets specific variants of Emotet (launching powershell using winword.exe and cmd.exe). This however cannot be tied to emotet only!

The Rule 3 however, is too aggressive to be globally add to the list even in disabled state as it entirely blocked .exe file creation in c:\ Drive. Labeling them as specific to Emotet or any of it's variant would not really be precise (in my opinion).

Having said this, I would still suggest you to go through a PER as stated above as it would be really useful to get the Product Management's and other Enterprise user's take on this. It is very important that we have a way to update our understanding of our Customer's needs and hence we would really appreciate your input in the Enterprise Ideas forum.

*Note: Please use your Service portal login in order to access and post ideas in the ideas forum.

I sincerely hope this helps.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Reply
Zebu
Level 9
Report Inappropriate Content
Message 3 of 4
‎11-07-2019 03:23 AM

Re: Emotet Access Protection Rule

Jump to solution

Thank you very for the quick answer!

Reply
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4
‎11-07-2019 03:28 AM

Re: Emotet Access Protection Rule

Jump to solution

Hi @Zebu,

Very glad to be of assistance! Thanks you for marking the answer and kindly letting other Community members know what helped you. Kudos to you!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC