Expert Rule user name match

Dear all,

I want to block an application for all users except the administrators in our McAfee system. We can decide if a user is an administrator by the user name, or by AD group membership.

Our admin user names match one of the following patterns: "admin-*" or "localadmin-*"

AD-side solutions are not usable for other reasons. I have made an expert rule with the following definition:

Rule {
    Process {
        Include OBJECT_NAME { -v "*" }
        Exclude USER_NAME { -v "admin-testuser" | -v "localadmin-testuser" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "executable.exe" }
            Include -access "EXECUTE READ"
        }
    }
}

It works like a charm. If I change the corresponding line to Exclude USER_NAME { -v "admin-*" | -v "localadmin-*" }

Then it will block for everyone.

By this documentation: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...

It seems that I can't use matching in the "Process" part, but I can use it in the Initiators part.

For Initiators I can't find any documentation or example that shows me how to solve the issue. McAfee support can't help in this case. Can anyone please advise?

4 Replies
McAfee Employee patrakshar
Message 2 of 5

Re: Expert Rule user name match

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/...

Check page number 40 in the above article. See if that can help you. If not then let us know. Can do further testing on this.

Re: Expert Rule user name match

Hi,

First of all, thank you for the answer.

I have read this whole document, and I did not find any resolution in it to my issue. At the mentioned page, I did not find any related information.

It tells me that I should use Domain\username, but that one does not work for me. If I just type the username, it works.

It says that I can use an asterisk for all users. This one works as well. But it does not tell anything about user name matching, as far as I understand.

What is your suggestion to change?

Thanks in advance.

Reliable Contributor Daveb3d
Message 4 of 5

Re: Expert Rule user name match

I'm really not sure I understand the issue, but maybe this will help. You need to escape the \ with \\. So domain\\username.

Dave

Re: Expert Rule user name match

Hi,

Sorry if my goal was not clear. At the moment I have no issue with the current rule. It works just fine. It blocks executable.exe for every user except admin-testuser and localadmin-testuser. So there is nothing to debug in the rule above.

My goal: Let everyone whose username starts with "admin-" or "localadmin-" run executable.exe, and block it for everyone whose username does not start with these. For example, if a user with username "Bill", "Bob", "Jane", .. wants to run it, the rule should prevent the execution. If "admin-Joe" or "Localadmin-Janet" tries to run it, the rule should allow it.

In PowerShell:

if (($env:username -like "admin-*") -or ($env:username -like "localadmin-*"))
{ allow-execution executable.exe }
else
{ block-execution executable.exe }

(sadly allow-execution and block-execution are not valid PS functions)

I hope, it's more clear now.
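To make the intended allow/block decision concrete, here is an added Python model of it; it is not McAfee's matching engine (whose wildcard and case rules the thread does not document) and assumes the decision should behave like the PowerShell -like test above: an optional DOMAIN\ prefix is dropped, names are compared case-insensitively, and only executable.exe is affected.

```python
import fnmatch

# Constructed from the thread: name patterns that identify admin accounts.
ADMIN_USER_PATTERNS = ("admin-*", "localadmin-*")
TARGET_EXECUTABLE = "executable.exe"


def normalize_user(user_name: str) -> str:
    """Return the bare account name, dropping an optional DOMAIN\\ prefix."""
    return user_name.rsplit("\\", 1)[-1]


def is_admin_user(user_name: str) -> bool:
    """True when the bare user name matches one of the admin patterns.

    Comparison is case-insensitive (assumption, mirroring PowerShell -like),
    so "Localadmin-Janet" matches "localadmin-*".  Note that "administrator"
    does NOT match "admin-*" because of the hyphen in the pattern.
    """
    bare = normalize_user(user_name).lower()
    return any(fnmatch.fnmatchcase(bare, p) for p in ADMIN_USER_PATTERNS)


def decide(user_name: str, executable: str) -> str:
    """Return "allow" or "block" for user_name trying to run executable."""
    if executable.lower() != TARGET_EXECUTABLE:
        return "allow"  # the rule only targets executable.exe
    return "allow" if is_admin_user(user_name) else "block"


def evaluate(samples):
    """Map each sample user name to the decision for executable.exe."""
    return {u: decide(u, TARGET_EXECUTABLE) for u in samples}


if __name__ == "__main__":
    # Constructed sample accounts: the thread's examples plus a
    # domain-qualified name and a near-miss ("administrator").
    samples = ("Bill", "Bob", "Jane", "admin-Joe", "Localadmin-Janet",
               "CORP\\admin-Joe", "administrator")
    for user, verdict in evaluate(samples).items():
        print(f"{user:18s} -> {verdict}")
```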
