I need to create a rule to block certain cmd commands, but I need to make an exception for some users.
The rule below doesn't work, can you help me?
Rule {
    Process {
        Include OBJECT_NAME { -v net.exe }
        Include PROCESS_CMD_LINE { -v "*group*" }
        Include EXP_USER_NAME {
            -v "NT AUTHORITY\SYSTEM"
            -v "Domain\User'
        }
    }
    Target {
        Match SECTION { Include -access "EXECUTE" }
    }
}
Rule {
    Process {
        Include OBJECT_NAME { -v "net.exe" }
        Include PROCESS_CMD_LINE { -v "*group*" }
        Exclude USER_NAME {
            -v "NT AUTHORITY\\SYSTEM"
            -v "Domain\\User"
        }
    }
    Target {
        Match SECTION { Include -access "EXECUTE" }
    }
}
thanks, worked perfectly
Hello,
You can refer to these documents and videos, which will help you in understanding the expert rule:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27574/en_US/...
https://kc.mcafee.com/corporate/index?page=content&id=KB89677
Let me know if that helps you 🙂
Thanks
Vishnu
McAfee