Daniel_S (Reliable Contributor), Message 1 of 7

Explanation of Access Protection Rules and Signatures in Exploit Prevention


Hey guys and girls,

 

A quick question:

Can someone explain the function of the two parts in the Exploit Prevention ENS policy, Signatures and Application Protection Rules?

As far as I understand from the guide, in the Signatures we have rulesets that trigger, for example, if SOMETHING tries to stop a defined process or SOMETHING writes or tries to change a specific registry value.

On the other hand, in the Application Protection Rules we / McAfee define processes that should be monitored by McAfee via DLL injection for a) buffer overflows and b) illegal API uses.

So there is no direct connection between these two parts right?

Now we have a customer that has some clients reporting an Exploit Prevention event which triggers because of "New Startup Program Creation", which is a signature that is completely disabled (correct policy assignment etc. checked twice). However, having a look at the Application Protection rules I find the process sidebar.exe, which has a status of enabled and is included.

From my understanding these events shouldn't show up at all.

Is there some mechanism overruling? Or do we have a bug here, as the APRs should only report buffer overflows or illegal API usage and there might be a false referencing?

 

Best regards
Dan
tao (Reliable Contributor), Message 2 of 7

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Exploit Prevention includes:

Generic buffer overflow protection (GBOP)
Data execution prevention (DEP)
Kevlar
Suspicious caller

Pages 5-6
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-understanding-ep-security-10-module.p...

While Application Protection includes:

Buffer Overflow signatures
API signatures

https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...

Since AP is signature based and your alert is exploit ... possibly an overflow/data issue?

If this information was helpful or has answered your question, please select Accept as Solution. This will assist other members.
Daniel_S (Reliable Contributor), Message 3 of 7

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Well the Exploit-Prevention is harvesting the AP rules.

So to me this is one block.

When I tell EP to ignore one specific signature -> why is it showing up here?

Best regards
Dan
tao (Reliable Contributor), Message 4 of 7

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


I hear ya ... found this in the posted link above ...

"Exclude processes from Exploit Prevention

If a trusted program is blocked, create an exclusion to exclude it from Exploit Prevention. You can exclude the process by process name, caller module, API, or signature ID. You can also create Application Protection rules to include or exclude processes from protection."

So, it would seem that if EP & AP are both enabled ... then to exclude or include you would need to review both policies ... seems strange.
jess_arman (McAfee Employee), Message 5 of 7 (Accepted Solution)

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


@Daniel_S @tao  AP and Exploit Prevention are separate of one another, though they could have rules that are synergistic or intend to protect against different aspects of similar behaviors. You do need to treat exclusions within them separately, and if you're seeing items triggering in either that you do not wish to see, then you will need to exclude them in the respective policy, or possibly in both if triggers are showing in both. 
To fully analyze what may be occurring, I would need to review the logs side by side. However, if you're seeing events but nothing is being blocked, then it's possible one of the rules or signatures is set to report only.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
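The reply above makes two points worth keeping straight when triaging such events: Exploit Prevention and Access Protection are separate policies with separate exclusions, and an event that is reported but not blocked may simply come from a signature or rule set to report only. The following is an added example, not McAfee's code and not the ENS event schema: it models a small triage helper that, given a constructed event record and the two policies, says whether the event was expected and which policy's exclusion would silence it. The `source`, `trigger` and `action` fields, the signature and rule names, and the sample events are all assumptions for illustration.

```python
"""Constructed triage helper for ENS Threat Prevention events.

Models the thread's point that Exploit Prevention (EP) and Access Protection
(AP) are two policies with independent exclusions, and that a "reported but
not blocked" event may come from a report-only signature or rule. Field names,
signature/rule names and sample events are illustrative assumptions, not the
real ENS log layout.
"""
from dataclasses import dataclass, field


@dataclass
class ExploitPreventionPolicy:
    # Signatures switched off entirely (names are illustrative labels).
    disabled_signatures: set = field(default_factory=set)
    # Signatures left on but set to report only (no block).
    report_only_signatures: set = field(default_factory=set)
    # Process-name exclusions (EP also allows caller module, API, signature ID).
    excluded_processes: set = field(default_factory=set)


@dataclass
class AccessProtectionPolicy:
    report_only_rules: set = field(default_factory=set)
    excluded_processes: set = field(default_factory=set)


@dataclass
class Event:
    source: str   # "EP" or "AP": which policy produced the event (assumed field)
    process: str  # process name as logged
    trigger: str  # EP signature name or AP rule name
    action: str   # "blocked" or "reported"


def triage(event: Event, ep: ExploitPreventionPolicy,
           ap: AccessProtectionPolicy) -> dict:
    """Return a verdict and the policy whose exclusion would silence the event."""
    proc = event.process.lower()
    if event.source == "EP":
        if event.trigger in ep.disabled_signatures:
            verdict = ("unexpected: signature is disabled in the assigned EP policy; "
                       "re-check policy assignment and look for an AP rule on the same process")
        elif proc in ep.excluded_processes:
            verdict = "unexpected: process is excluded in EP"
        elif event.action == "reported" and event.trigger in ep.report_only_signatures:
            verdict = "expected: EP signature is set to report only"
        else:
            verdict = "expected: EP signature enforced"
        where = "Exploit Prevention policy"
    elif event.source == "AP":
        if proc in ap.excluded_processes:
            verdict = "unexpected: process is excluded in AP"
        elif event.action == "reported" and event.trigger in ap.report_only_rules:
            verdict = "expected: AP rule is set to report only"
        else:
            verdict = "expected: AP rule enforced"
        where = "Access Protection policy"
    else:
        raise ValueError(f"unknown event source {event.source!r}")
    return {"verdict": verdict, "exclude_in": where}


# Constructed sample mirroring the thread: "New Startup Program Creation" is
# disabled in EP, yet an EP event for sidebar.exe arrives; a second event for
# the same process comes from a report-only AP rule.
SAMPLE_EP = ExploitPreventionPolicy(
    disabled_signatures={"New Startup Program Creation"},
    report_only_signatures={"Illustrative Report-Only Signature"},
)
SAMPLE_AP = AccessProtectionPolicy(report_only_rules={"Buffer Overflow"})
SAMPLE_EVENTS = [
    Event("EP", "sidebar.exe", "New Startup Program Creation", "reported"),
    Event("AP", "sidebar.exe", "Buffer Overflow", "reported"),
    Event("EP", "example.exe", "Illustrative Enforced Signature", "blocked"),
]


def run_sample() -> list:
    """Triage the constructed events against the constructed policies."""
    return [triage(e, SAMPLE_EP, SAMPLE_AP) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, r in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{e.source:2} {e.process:12} {e.trigger:32} -> {r['verdict']}"
              f" (exclude in: {r['exclude_in']})")
```

The point of the split verdicts is the one made in the reply: an exclusion only silences events from the policy it lives in, so the `exclude_in` field tells you which of the two policies to edit, and a "report only" verdict explains why an event appears without anything being blocked.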

Daniel_S (Reliable Contributor), Message 6 of 7

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Thanks for the reply.

Why is it then that both features are handled in one policy? This is somehow misleading in such cases.

I'm still waiting for the full logs from the customer for further analysis.

 

Best regards
Dan
jess_arman (McAfee Employee), Message 7 of 7

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


@Daniel_S I'm not sure what you mean about them being handled in one policy, as this is not the case. Access Protection and Exploit Prevention are two different policies within ENS Threat Prevention as they're separate functions within that module. 

[Attached screenshot: Capture2.PNG]

