Reliable Contributor Daniel_S
Message 1 of 12

Explanation of Application Protection Rules and Signatures in Exploit Prevention


Hey guys and girls,

 

a quick question:

Can someone explain the function of the two parts in the Exploit Prevention ENS policy, Signatures and Application Protection Rules?

As far as I understand from the guide, in the Signatures we have rulesets that trigger, for example, if SOMETHING tries to stop a defined process or SOMETHING writes or tries to change a specific registry value.

On the other hand, in the Application Protection Rules we / McAfee define processes that should be monitored by McAfee via DLL injection for a) buffer overflows and b) illegal API uses.

So there is no direct connection between these two parts, right?

Now we have a customer that has some clients that are reporting an Exploit Prevention event which triggers because of "New Startup Program Creation", which is a Signature that is completely disabled (correct policy assignment etc. checked twice). However, having a look at the Application Protection Rules, I find the process sidebar.exe, which has a status of enabled and is included.

From my understanding these events shouldn't show up at all.

Is there some mechanism overruling? Or do we have a bug here, as the APRs should only report buffer overflows or illegal API usage and there might be a false referencing?

 

Best regards
Dan
2 Solutions

Accepted Solutions
McAfee Employee jess_arman
Message 5 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


@Daniel_S @tao  AP and Exploit Prevention are separate of one another, though they could have rules that are synergistic or intend to protect against different aspects of similar behaviors. You do need to treat exclusions within them separately, and if you're seeing items triggering in either that you do not wish to see, then you will need to exclude them in the respective policy, or possibly in both if triggers are showing in both. 
To fully analyze what may be occurring, I would need to review the logs side by side. However, if you're seeing events but nothing is being blocked, then it's possible one of the rules or signatures is set to report only.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

McAfee Employee ktankink
Message 11 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


"so if an application is listed under the "Application Protection Rules" section it will be monitored for everything that is set up in the "Signatures" section within the EP-Rules right?"

Application Protection Rules are not tied to all Exploit Prevention signatures directly. App Protection Rules are used for Buffer Overflow and Illegal API signatures.

"Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and illegal API use violations. Only processes in the Application Protection Rules list with the inclusion status of Include are monitored."


  • Signature 344 is a Registry engine signature and that signature still provides protection regardless of what is listed/not listed as an App Protection Rule.
  • If you disable Signature 344, you should not see it trigger at all (regardless of the Application Protection Rules). Verify that Signature 344 is actually set to FALSE for Block and/or Report by checking the C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\bopap.xml file:

    <Rule id="344">
        <Name>New Startup Program Creation</Name>
        <Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
        <Module>ABE1073E-C616-4DC1-AEE1-3B6485B67B86</Module>
        <Block>false</Block>
        <Report>false</Report>
    </Rule>


If this shows Signature 344 as both FALSE and you're still getting Sig344 violations from this client, yes, please open a Service Request with Support for investigation.
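To make the bopap.xml check above repeatable across many clients, here is an added Python example (not McAfee's code) that parses <Rule> entries in the shape quoted in this reply and flags events whose Analyzer Rule ID maps to a signature with both Block and Report set to false. The <Rules> root element, rule 9999 and the event records are constructed assumptions; only rule 344's fields come from the thread.

```python
# Added example (not McAfee's code): parse <Rule> entries from bopap.xml in the shape
# quoted above and flag Exploit Prevention events citing a signature with Block and Report both false.
import xml.etree.ElementTree as ET

# Constructed sample: the <Rules> root and rule 9999 are assumptions; only rule 344's fields come
# from the thread. On a client, read C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\bopap.xml.
SAMPLE_BOPAP_XML = """<Rules>
  <Rule id="344">
    <Name>New Startup Program Creation</Name>
    <Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
    <Module>ABE1073E-C616-4DC1-AEE1-3B6485B67B86</Module>
    <Block>false</Block>
    <Report>false</Report>
  </Rule>
  <Rule id="9999">
    <Name>Hypothetical Report-Only Rule</Name>
    <Block>false</Block>
    <Report>true</Report>
  </Rule>
</Rules>"""

def parse_signature_state(xml_text):
    """Map rule id -> {"name", "block", "report"}; a missing flag counts as false."""
    state = {}
    for rule in ET.fromstring(xml_text).iter("Rule"):
        state[int(rule.get("id"))] = {
            "name": rule.findtext("Name", ""),
            "block": rule.findtext("Block", "false").strip().lower() == "true",
            "report": rule.findtext("Report", "false").strip().lower() == "true",
        }
    return state

def is_signature_active(rule_id, state):
    """A signature can only fire if Block or Report is true for it."""
    rule = state.get(rule_id)
    return rule is not None and (rule["block"] or rule["report"])

def find_unexpected_events(events, state):
    """Events citing an unknown or fully disabled Analyzer Rule ID: the ones to raise with Support."""
    return [ev for ev in events if not is_signature_active(ev["rule_id"], state)]

# Constructed events carrying the fields shown in message 10 of this thread.
SAMPLE_EVENTS = [
    {"rule_id": 344, "threat_name": "New Startup Program Creation", "process": "sidebar.exe"},
    {"rule_id": 9999, "threat_name": "Hypothetical Report-Only Rule", "process": "example.exe"},
]
if __name__ == "__main__":
    state = parse_signature_state(SAMPLE_BOPAP_XML)
    for ev in find_unexpected_events(SAMPLE_EVENTS, state):
        print("Event cites a disabled signature, open a Service Request:", ev)
```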

11 Replies
Reliable Contributor tao
Message 2 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Exploit Prevention includes:

Generic buffer overflow protection (GBOP)
Data execution prevention (DEP)
Kevlar
Suspicious caller

Pages 5-6
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-understanding-ep-security-10-module.p...

While Application Protection includes:

Buffer Overflow signatures
API signatures

https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...

Since AP is signature based and your alert is exploit ... possibly an overflow/data issue?

If this information was helpful or has answered your question, please select Accept as Solution. This will assist other members.
Reliable Contributor Daniel_S
Message 3 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Well, the Exploit Prevention is harvesting the AP rules.

So to me this is one block.

When I tell EP to ignore one specific signature -> why is it showing up here?

Best regards
Dan
Reliable Contributor tao
Message 4 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


I hear ya ... found this in the posted link above ...

"Exclude processes from Exploit Prevention

If a trusted program is blocked, create an exclusion to exclude it from Exploit Prevention. You can exclude the process by process name, caller module, API, or signature ID. You can also create Application Protection rules to include or exclude processes from protection."

So, it would seem that if EP & AP are both enabled ... that to exclude or include you would need to review both policies ... seems strange.
Reliable Contributor Daniel_S
Message 6 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Thanks for the reply.

Why is it then that both features are handled in one policy? This is somehow misleading in such cases.

I'm still waiting for the full logs from the customer for further analysis.

Best regards
Dan
McAfee Employee jess_arman
Message 7 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


@Daniel_S I'm not sure what you mean about them being handled in one policy, as this is not the case. Access Protection and Exploit Prevention are two different policies within ENS Threat Prevention as they're separate functions within that module. 

[Screenshot: Capture2.PNG]



Reliable Contributor Daniel_S
Message 8 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Oh boy, **bleep**, I wrote it wrong. Sorry for the confusion to all of you.

What I meant was Application Protection, which is nested inside the Exploit Prevention policy.

I apologize.

Best regards
Dan
McAfee Employee jess_arman
Message 9 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


@Daniel_S No worries! It definitely makes more sense now where the confusion is coming from, as the executables page within Application Protection does look very similar to what is in Access Protection. However, they are different in that Access Protection focuses on preventing processes from taking certain actions, which you can configure to a granular level via definitions and sub-rules.

Application Protection Rules is essentially a list that defines the executables that are monitored for Exploit Prevention signatures. If an executable isn't included in the list, it isn't monitored for BOP or Illegal API. It does use a format similar to AP for defining the .exe, but that is the limit of the features' similarities.

Does this better answer your intended question?


Reliable Contributor Daniel_S
Message 10 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention


Okay,

so if an application is listed under the "Application Protection Rules" section it will be monitored for everything that is set up in the "Signatures" section within the EP-Rules right?

So coming back to my initial question:

If I disable ID 344 "New Startup Program Creation" in the Signatures, none of the Applications listed under APR should trigger that event right?

And this is where my problem lies. We get the events, even though 344 is disabled.

Threat Name: New Startup Program Creation
Threat Type: Exploit Prevention
Analyzer Rule ID: 344
Analyzer Rule Name: New Startup Program Creation

It's sidebar.exe, which is a predefined process by McAfee, which by default is enabled and included.

So we have a product error here?

Best regards
Dan