Rohan1
Level 7
Message 1 of 4

Exploit Prevention Expert Rule Help

Hello - I am trying to protect Avecto Product Service using an Expert Rule - Exploit Protection - ENS Threat Protection Version 10.5.3, McAfee Agent 5.0.6.

I am using the Ref Document - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/...

And I am trying to build a rule, with reference to one of the given examples in the document, as below:

Rule {
    service { Include "Alerter" }
    application { Include "*" }
    user_name { Include "*" }
    directives service:stop
}

However, when I tried to use this on the client machine - TmpLogger.BOBl.Activity: Failed to Set Property: Exclusions Error: 0x1

 

Need to understand -

1. As per the product docs: "Services — Protects Windows Services (Windows versions 8.0 and earlier - only)"

a. So will it work for non-Microsoft products?

b. Will it work with Windows 7 OS with ENS Threat Protection Version 10.5.3, McAfee Agent 5.0.6?

c. Can an Expert Rule be used to protect "Services" running on a workstation?

Your reply will be helpful on this.. thank you!

3 Replies
Reliable Contributor ninov_n
Message 2 of 4

Re: Exploit Prevention Expert Rule Help

Hello,

The documentation refers to Windows Services, but in case that program runs a process associated with a service, you can set a rule addressing that process, since they will be dependent.

Let me try to answer your questions:

a. It should work with any Windows compatible program/service but you need to follow TCL syntax:

https://www.tcl.tk/

b. Expert Rules are available from ENS 10.5.3 and newer versions so it should work with Win7

c. It should allow you to set an expert rule for any service on a workstation too

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
Rohan1
Level 7
Message 3 of 4

Re: Exploit Prevention Expert Rule Help

Thank you Nino for your reply. Let me try out & come back. I will keep you posted.
Rohan1
Level 7
Message 4 of 4

Re: Exploit Prevention Expert Rule Help

Thank you for your reply. I downloaded Tcl and am now trying to figure out how to use it and get the code.

Anyway, that will take time. I have seen the McAfee documentation https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/... - page 5 - details below:

++++++++++++++Start of details provided by McAfee Document ++++++++++++++++++++++++++++

AAC-based Expert Rules
AAC is a McAfee proprietary technology that Threat Prevention uses to protect key resources. You can extend
this protection by creating rules to protect specific files, processes, and registry items. AAC-based Expert Rules
use a new syntax used with the Tool Command Language (Tcl) interpreter version 7.6.

++++++++++++++END of details provided by McAfee Document ++++++++++++++++++++++++++++

So now this has created a concern that it looks like McAfee has reserved the customization methods.

What do you say?

Basically, my purpose is to have an Expert Rule which can allow me to protect any service from being stopped/restarted etc. I agree that using Access Protection we can do the same; however, to add an additional protection layer, I would like to have an Expert Rule created for the same. For folder and registry protection, an Expert Rule was created with the help of the document linked above.

Please suggest. 
