Endpoint Security Common - Options Self Protection
I am getting started on ENS migration. I have run into some issues with self protections and need to do an exclusion.
In VSE 8.8 self protection was part of Access Protection, but it seems to be split out of Access Protection in ENS and moved to its own configuration in the Endpoint Security Common "Options" policy.
There are several deficiencies as far as I can tell and I want to make sure these are true - and not just me not knowing how they work.
In VSE, I could specify a full path to the process I wanted to exclude. This offered some protection to the exclusion since I could exclude certain Microsoft processes based on locations in protected OS locations.
In ENS it appears that I can only specify a process name - and cannot limit to a process running from a certain path. True?
In ENS Self Protection events - the process MD5 Hash is listed along with the path and signer information, but there appears to be no way for me to leverage this information when wanting to un-block the process from self protection -- so the only option is to un-block a particular process name rather than the MD5 hash or even to include the path to the executable - as I could do in VSE. Is that correct?
Analyzer Content Creation Date: 7/1/15 5:01:00 AM CDT
Analyzer Content Version:
Analyzer Rule Name: Web Control - Protect plugin registry keys and values
Source Process Hash:
Source Process Signed:
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
Re: Endpoint Security Common - Options Self Protection
Do you see this all the time, or just once? At the time of initial deployment, disable the "Endpoint Security Common - Options Self Protection" until you complete the rollout of ENS to all the clients and servers.
Once you have finished the deployment, ENS would have created the McAfee Trusted validations. Then enable the "Endpoint Security Common - Options Self Protection".
In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!