Reliable Contributor vnaidu
Exploit Prevention Rule

Dear All,

@chealey

I would like to implement the following rule to contain the services. Can someone help me with the correct syntax? The one below was a template and it is not working as expected. Need your advice.

Rule {
   services {Include -e "SNMPTRAP"}
   time {Include "*"}
   application {Include "*"}
   user_name {Include "*"}
   directives "-d" "-c" "services:stop" "services:pause" "services:delete" "services:startup"
}

Looking forward to your help.

Venu
Accepted Solutions
McAfee Employee ktankink
Re: Exploit Prevention Rule

You can create an ENS Access Protection rule for this using the SERVICES engine. Be aware of the SERVICES engine limitations in the KB articles below.

KB78600 - Service Protection Monitoring with Endpoint Security and Host Intrusion Prevention
KB82450 - Endpoint Security 10.x Known Issues

1167969   10.5.0 As Designed Issue: Services protection has the following limitations (that also exist in Host Intrusion Prevention):
  • User and executable parameters are not distinguished; although they are available in the UI, they are not valid parameters.
  • Services protection is valid up to Windows 8.0; later releases are not supported.
  • The enable or disable hardware profile operation is not supported.
Resolution: This behavior is as designed.

Create an Access Protection rule and add a SUBRULE for the SERVICES engine (similar to the screenshot below). Confirmed that this works on Windows 7. (screenshot: snmptrap_subrule.jpg)

AccessProtection_Activity.log
1/30/2019 9:47:02 AM mfetp(4216.1992) <SYSTEM> TmpLogger.AP.Activity: NT AUTHORITY\SYSTEM ran SERVICES.EXE, which attempted to access snmptrap, violating the rule "Block SNMP Service activity", and was blocked. For information about how to respond to this event, see KB85494.
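To make that log line actionable, here is an added Python example (not from the thread or from McAfee) that parses AccessProtection_Activity.log lines in the format shown above, extracts user, process, target service, rule name and action, and filters for violations against a given service. The field names and the second and third sample lines are my own constructions; only "blocked" as an action appears on this page, so the action text is captured loosely.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the AccessProtection_Activity.log line format shown in the
# answer above. Group names are my own; the trailing "see KBxxxxx" text is
# left unparsed because match() only needs the prefix.
_AP_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"mfetp\((?P<pid>\d+)\.(?P<tid>\d+)\) <(?P<ctx>[^>]+)> "
    r"TmpLogger\.AP\.Activity: (?P<user>.+?) ran (?P<process>.+?), "
    r"which attempted to access (?P<target>.+?), "
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>[^.]+)\.'
)


def parse_ap_line(line):
    """Parse one activity line into a dict, or return None if it is not a violation record."""
    m = _AP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    return rec


def service_violations(lines, service):
    """Return parsed records whose target service matches (case-insensitive), e.g. snmptrap."""
    recs = (parse_ap_line(l) for l in lines)
    return [r for r in recs if r and r["target"].lower() == service.lower()]


def count_by_rule(lines):
    """Count violation records per Access Protection rule name."""
    return Counter(r["rule"] for r in map(parse_ap_line, lines) if r)


SAMPLE_LOG = [
    # First line is the one from the answer above; the other two are constructed.
    '1/30/2019 9:47:02 AM mfetp(4216.1992) <SYSTEM> TmpLogger.AP.Activity: NT AUTHORITY\\SYSTEM ran SERVICES.EXE, which attempted to access snmptrap, violating the rule "Block SNMP Service activity", and was blocked. For information about how to respond to this event, see KB85494.',
    '1/30/2019 9:52:10 AM mfetp(4216.2210) <SYSTEM> TmpLogger.AP.Activity: CORP\\admin ran SC.EXE, which attempted to access snmptrap, violating the rule "Block SNMP Service activity", and was blocked. For information about how to respond to this event, see KB85494.',
    '1/30/2019 9:53:00 AM mfetp(4216.1992) <SYSTEM> TmpLogger.AP.Activity: rule set reloaded.',
]

if __name__ == "__main__":
    for rec in service_violations(SAMPLE_LOG, "SNMPTRAP"):
        print(rec["ts"], rec["user"], rec["process"], "->", rec["target"], rec["action"])
    print(count_by_rule(SAMPLE_LOG))
```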
