McAfee Employee ktankink
Message 11 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention

so if an application is listed under the "Application Protection Rules" section it will be monitored for everything that is set up in the "Signatures" section within the EP-Rules right?

Application Protection Rules are not tied to all Exploit Prevention signatures directly. App Protection Rules are used for Buffer Overflow and Illegal API signatures.

Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and illegal API use violations. Only processes in the Application Protection Rules list with the inclusion status of Include are monitored.

  • Signature 344 is a Registry engine signature and that signature still provides protection regardless of what is listed/not listed as an App Protection Rule.
  • If you disable Signature 344, you should not see it trigger at all (regardless of the Application Protection Rules). Verify that Signature 344 is actually set to FALSE for Block and/or Report by checking the C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\bopap.xml file.

    <Rule id="344">
        <Name>New Startup Program Creation</Name>
        <Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
        <Module>ABE1073E-C616-4DC1-AEE1-3B6485B67B86</Module>
        <Block>false</Block>
        <Report>false</Report>

If this shows Signature 344 as both FALSE and you're still getting Sig344 violations from this client, yes, please open a Service Request with Support for investigation.

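As an added example (not part of ktankink's reply and not McAfee tooling), the Python script below does the bopap.xml check described above programmatically: it parses the file, looks up a `<Rule id="...">` element and reports whether Block and Report are both false, which is the state in which the signature should never fire. The `<Rules>` root element, the second rule (id 999) and the function names are constructed for this example; only the shape of the `<Rule id="344">` element comes from the post.

```python
r"""Report how an Exploit Prevention signature is set in bopap.xml.

Added example, not McAfee's code. The real file path from the post above is
C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\bopap.xml;
the <Rules> wrapper and signature 999 below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the shape quoted in the post; the <Rules> root element
# and the rule with id 999 are assumptions, not taken from a real bopap.xml.
SAMPLE_BOPAP_XML = """<Rules>
  <Rule id="344">
    <Name>New Startup Program Creation</Name>
    <Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
    <Module>ABE1073E-C616-4DC1-AEE1-3B6485B67B86</Module>
    <Block>false</Block>
    <Report>false</Report>
  </Rule>
  <Rule id="999">
    <Name>Constructed example signature</Name>
    <Origin>IDS_APSP_RULE_ORIGIN_MCAFEE</Origin>
    <Module>00000000-0000-0000-0000-000000000000</Module>
    <Block>true</Block>
    <Report>true</Report>
  </Rule>
</Rules>
"""


def _flag(rule, tag):
    """Read a <Block> or <Report> child as a bool; a missing element counts as False."""
    node = rule.find(tag)
    return node is not None and (node.text or "").strip().lower() == "true"


def signature_status(xml_text, rule_id):
    """Return {'name', 'block', 'report'} for one signature id, or None if absent."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("Rule"):
        if rule.get("id") == str(rule_id):
            return {
                "name": rule.findtext("Name", default=""),
                "block": _flag(rule, "Block"),
                "report": _flag(rule, "Report"),
            }
    return None


def is_fully_disabled(xml_text, rule_id):
    """True when Block and Report are both false, i.e. the signature should never trigger."""
    status = signature_status(xml_text, rule_id)
    return status is not None and not status["block"] and not status["report"]


def disabled_signatures(xml_text):
    """IDs of every signature whose Block and Report are both false."""
    root = ET.fromstring(xml_text)
    return [r.get("id") for r in root.iter("Rule")
            if not _flag(r, "Block") and not _flag(r, "Report")]


def check_file(path, rule_id):
    """Read a bopap.xml from disk and report the status of one signature."""
    return signature_status(Path(path).read_text(encoding="utf-8"), rule_id)


if __name__ == "__main__":
    print(signature_status(SAMPLE_BOPAP_XML, 344))
    print("344 fully disabled:", is_fully_disabled(SAMPLE_BOPAP_XML, 344))
    print("all disabled signatures:", disabled_signatures(SAMPLE_BOPAP_XML))
```

On a client, call `check_file(r"C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\bopap.xml", 344)`; if it returns both flags false and the client still logs Sig344 violations, that matches the case the reply says to raise with Support. `disabled_signatures` gives the same answer for every rule in the file at once, which is handy when comparing a client against the policy assigned in ePO.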
McAfee Employee jess_arman
Message 12 of 12

Re: Explanation of Access Protection Rules and Signatures in Exploit Prevention

@Daniel_S Further documentation to supplement what ktankink linked, and from which I pulled my information: Product Guide
