Expert Rule user name match

Dear all,

I want to block an application for all users except the administrators in our McAfee system. We can decide whether a user is an administrator by the user name or by AD group membership.

Our admin users match one of the following patterns: "admin-*" or "localadmin-*"

AD-side solutions are not usable for other reasons. I have made an expert rule with the following definition:

Rule {
    Process {
        Include OBJECT_NAME { -v "*" }
        Exclude USER_NAME { -v "admin-testuser" | -v "localadmin-testuser" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "executable.exe" }
            Include -access "EXECUTE READ"
        }
    }
}

It works like a charm. If I change the corresponding line to

Exclude USER_NAME { -v "admin-*" | -v "localadmin-*" }

then it blocks for everyone.

According to this documentation: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

it seems that I can't use pattern matching in the "Process" part, but I can use it in the Initiators part.

For Initiators I can't find any documentation or example that would show me how to solve the issue. McAfee support can't help in this case. Can anyone please advise?

4 Replies
patrakshar McAfee Employee

Re: Expert Rule user name match

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/...

Check page 40 in the above article. See if that can help you. If not, let us know; we can do further testing on this.

Re: Expert Rule user name match

Hi,

First of all, thank you for the answer.

I have read this whole document, and I did not find any resolution to my issue in it. On the mentioned page, I did not find any related information.

It tells me that I should use Domain\username, but that does not work for me. If I just type the username, it works.

It says that I can use an asterisk for all users. This works as well. But it does not say anything about user name matching, as far as I understand.

What is your suggestion to change?

Thanks in advance.

Daveb3d Reliable Contributor

Re: Expert Rule user name match

I'm really not sure I understand the issue, but maybe this will help. You need to escape the \ with \\. So domain\\username.

Dave

Re: Expert Rule user name match

Hi,

Sorry if my goal was not clear. At the moment I have no issue with the current rule. It works just fine. It blocks executable.exe for every user except admin-testuser and localadmin-testuser. So there is nothing to debug in the rule above.

My goal: let everyone whose username starts with "admin-" or "localadmin-" run executable.exe, and block it for everyone whose username does not start with these. For example, if a user with username "Bill", "Bob", "Jane", ... wants to run it, the rule should prevent the execution. If "admin-Joe" or "Localadmin-Janet" tries to run it, the rule should allow it.

In PowerShell:

if (($env:username -like "admin-*") -or ($env:username -like "localadmin-*"))
{
    allow-execution executable.exe
}
else
{
    block-execution executable.exe
}

(sadly, allow-execution and block-execution are not valid PS functions)

I hope it's clearer now.
