Rohan1
Level 7
Message 1 of 4

Exploit Prevention Expert Rule Help

Hello - I am trying to protect Avecto Product Service using Expert Rule - Exploit Protection - ENS Threat Protection Version 10.5.3 McAfee Agent 5.0.6.

I am using the Ref Document - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/...

And I am trying to build a rule, referring to one of the given examples in the document, as below -

Rule {
service { Include "Alerter" }
application { Include "*"}
user_name { Include "*" }
directives service:stop
}

- However when I tried to use this on the Client Machine - TmpLogger.BOBl.Activity: Failed to Set Property: Exclusions Error: 0x1

 

Need to understand -

1. As per the Product Docs. - "Services — Protects Windows Services (Windows versions 8.0 and earlier - only)"  - 

a. So Will it work for - Non Microsoft Products?

b. Will it work with - Windows 7 OS with ENS Threat Protection Version 10.5.3 McAfee Agent 5.0.6. 

c. Expert Rule can be used to Protect "Services" running in Workstation. 

Your reply will be helpful on this.. thank you!

3 Replies
ninov_n
Reliable Contributor
Message 2 of 4

Re: Exploit Prevention Expert Rule Help

Hello,

The documentation refers to Windows Services, but in case that program runs a process associated with a service, you can set a rule addressing that process since they will be dependent.

Let me try to answer your questions:

a. It should work with any Windows compatible program/service but you need to follow TCL syntax:

https://www.tcl.tk/

b. Expert Rules are available from ENS 10.5.3 and newer versions so it should work with Win7

c. It should allow you to set an expert rule for any service on a workstation too

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
Rohan1
Level 7
Message 3 of 4

Re: Exploit Prevention Expert Rule Help

Thank you Nino for your reply. Let me try out & come back. I will keep you posted.
Rohan1
Level 7
Message 4 of 4

Re: Exploit Prevention Expert Rule Help

Thank you for your reply. I downloaded the TCL & now trying to figure it out - how to use & get the code. 

Anyways - that will take time - I have seen the McAfee documentation https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/... - Page - 5 - below details 

++++++++++++++Start of details provided by McAfee Document ++++++++++++++++++++++++++++

AAC-based Expert Rules
AAC is a McAfee proprietary technology that Threat Prevention uses to protect key resources. You can extend
this protection by creating rules to protect specific files, processes, and registry items. AAC-based Expert Rules
use a new syntax used with the Tool Command Language (Tcl) interpreter version 7.6.

++++++++++++++END of details provided by McAfee Document ++++++++++++++++++++++++++++

So now this has created a concern that - it looks like McAfee has reserved the customization methods.

What do you say?

Basically my purpose is to have an Expert Rule which can allow me to protect any Service from being stopped/restarted etc. I agree that using the Access Protection we can do the same, however to add an additional protection layer, I would like to have an Expert Rule created for the same. For Folder & Registry Protection, an Expert Rule was created with the help of the above linked document.

Please suggest. 
