Reliable Contributor kylekat
Reliable Contributor
Message 1 of 14

Exclusions for Access protection's "Block scripts ran from common user folders"

We have the "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders" rule enabled to BLOCK in our domain, and it works great. Maybe too great. There seems to be one script that runs from the temp folders that is part of the GDRIVE desktop app, and when it is blocked, it throws one of those ominous critical Windows error pop-ups to the user.

[Attachment: Capture.JPG]

Would there be a way to avoid this without disabling the block altogether? It looks to me like the exclusions screen is for executables rather than the destination file being executed... so I'm not sure what options I have here. We are on ENS 10.5.2.

Thanks.

13 Replies
pgajdek
Level 9
Message 2 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

The invisible.vbs is the upgrade script, so it will only run when Google Drive is updating or checking for a new version. We had the same issue and just ignored it since not a lot of people are using google.drive.

Reliable Contributor kylekat
Reliable Contributor
Message 3 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

Right, we are aware of those facts but we can't really ignore since we use G-suite in our corporation. Gdrive is one of the products....

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

Did you ever figure out how to exclude this without disabling the block for running executables from a TEMP folder (common folders)?

 

Reliable Contributor kylekat
Reliable Contributor
Message 5 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

I am afraid not @rjbassett, I have not. The closest thing I found is what @frank_enser said on a different topic, but it's not what I was after so I didn't try it:

 

Re: Access Protection

Hi,

This rule is McAfee defined and you cannot exclude target paths/files. But you can recreate this rule: just create a new rule, add the cscript, wscript, ... executables under "Executables" ("Ausführbare Dateien") and add the TEMP folders under "Subrules"/"Targets" ("Untergeordnete Regeln"/"Ziele"), but add a "Target" ("Ziel") with **\Windows\Temp\*.vbs whose "Inclusion status" ("Einschlussstatus") is "Exclude" ("Ausschließen").

Regards,

Frank

Reliable Contributor kylekat
Reliable Contributor
Message 6 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

I would also love to know what "Common user folders" include other than the obvious TEMP folder.

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

I believe 'Common Users folders' is limited to the user's profile folders:  Desktop, Documents, etc. 

PawelEm
Level 8
Message 8 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

I know it's an old post, but I have a similar problem with this rule.

 

I duplicated the existing policy to make a test one, disabled the original rule and made a new one named
"Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement"

In Executables
wscript.exe and cscript.exe with inclusion status "include"

In subrules I've added only temp folders for this test

Subrule type: Files
Operations: Execute

Include
File, folder name, or file path
**\Temp\**
Exclude
File, folder name, or file path
**\TEMP\*LDTMP*\**

Saved it, assigned it to a test subgroup in the system tree, moved a test PC into this group and enforced the new policy, but it still triggers:

HEADQUARTER\testuser ran WSCRIPT.EXE, which tried to access C:\USERS\testuser\APPDATA\LOCAL\TEMP\$LDTMP$\, violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement", and was blocked. For information on how to respond to this event, see KB85494.
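When chasing a rule like this across a fleet, the quickest way to see which users, processes and target paths are hitting it is to parse the Access Protection event text itself. The following is an added example (not code from the thread or from McAfee) that parses event lines of the shape quoted above into fields, flags targets that sit under a user's local Temp folder, and counts hits per rule and process. The second and third sample lines are constructed for the example; the field layout of the event text is assumed to be stable across events, which the thread shows only one instance of.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of the ENS Access Protection block message as quoted in the thread:
# "<user> ran <process>, which tried to access <target>, violating the rule
#  "<rule>", and was blocked. For information on how to respond to this event, see KB85494."
AP_EVENT_RE = re.compile(
    r"^(?P<user>\S+) ran (?P<process>[^\s,]+), which tried to access (?P<target>.+?), "
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)\.'
    r"(?: For information on how to respond to this event, see (?P<kb>KB\d+)\.)?$"
)

# Windows per-user temp folder: <drive>:\Users\<name>\AppData\Local\Temp\... (case-insensitive).
USER_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp(\\|$)", re.IGNORECASE
)

# Constructed sample input: line 1 is the event quoted in the thread, lines 2 and 3 are made up
# for this example (a Desktop hit and an unrelated log line that must be ignored).
SAMPLE_EVENTS = [
    'HEADQUARTER\\testuser ran WSCRIPT.EXE, which tried to access C:\\USERS\\testuser\\APPDATA\\LOCAL\\TEMP\\$LDTMP$\\, '
    'violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders replacement", '
    'and was blocked. For information on how to respond to this event, see KB85494.',
    'CORP\\alice ran CSCRIPT.EXE, which tried to access C:\\Users\\alice\\Desktop\\logon.vbs, '
    'violating the rule "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders", '
    'and was blocked. For information on how to respond to this event, see KB85494.',
    'Agent heartbeat received from CORP-PC-01',  # constructed noise line, not an AP event
]


@dataclass
class ApEvent:
    user: str
    process: str
    target: str
    rule: str
    action: str
    kb: Optional[str]


def parse_ap_event(line: str) -> Optional[ApEvent]:
    """Return an ApEvent for a line in the AP block-message shape, else None."""
    m = AP_EVENT_RE.match(line.strip())
    if not m:
        return None
    return ApEvent(**m.groupdict())


def parse_events(lines: List[str]) -> List[ApEvent]:
    """Parse every recognisable AP event; non-matching lines are dropped."""
    return [ev for ev in (parse_ap_event(l) for l in lines) if ev is not None]


def under_user_temp(target: str) -> bool:
    """True when the target path lies under a user's AppData\\Local\\Temp folder."""
    return USER_TEMP_RE.match(target) is not None


def summarize(events: List[ApEvent]) -> Dict[Tuple[str, str], int]:
    """Count events per (rule name, process) pair to see which pairs dominate."""
    return dict(Counter((ev.rule, ev.process) for ev in events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(f"{ev.user:25} {ev.process:12} temp={under_user_temp(ev.target)!s:5} {ev.target}")
    for (rule, proc), n in summarize(evs).items():
        print(f"{n:3}  {proc}  {rule}")
```

Run it over exported event text to separate the expected Temp-folder updater hits from script executions elsewhere in the profile, which is the population worth looking at before deciding on a rebuilt rule.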

Reliable Contributor kylekat
Reliable Contributor
Message 9 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

Would be nice if McAfee team chipped in on this matter.

McAfee Employee jess_arman
McAfee Employee
Message 10 of 14

Re: Exclusions for Access protection's "Block scripts ran from common user folders"

@PawelEm Access Protection is a process/executable monitoring/blocking feature. As such, you can only exclude processes/executables from an AP rule, not file paths or non-executable files. 

What gets excluded from rules are executable files/processes that are acting against the end file/what is being protected by a particular rule---which is what is blocked. For your rule, in the way it is configured, the only thing you can exclude is wscript.exe or cscript.exe---which obviously negates the purpose of the rule.

Side note: Exclusions can contain wildcards when applicable/needed, but must end in a defined executable-type extension. i.e. **\Temp\**\*.exe. An undefined file path-type exclusion will not be honored on any rule.

For the rule in question, to achieve what you desire, the rule needs to be completely reconfigured. This would require either duplicating the rule (which currently, unfortunately, isn't possible--and I would recommend submitting a PER to allow for this to be done) or disabling the rule and creating a new user-defined one from scratch which allows for modification of sub-rules.

Since achieving replication is difficult at best, I've done so for you based on what it seems you're attempting to achieve and have attached it. You can import this .xml and then copy the config you see there. It is easier for me to give it to you in this form than map out in text what would need to go where.

I've made two versions, one that includes just the closest recreation possible via a user-defined rule of the "Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders" rule. This will allow modification of the sub-rule to allow paths to be excluded from the core of the rule. It is named "2.0: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders". This can be imported and used for reference by anyone, if desired.

The second is one specifically for PawelEM that has both the recreation of the original + your desired exclusion, AND a replication of what I assume your attempted replication was, based on your previous post.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
