Reliable Contributor vnaidu

Exploit Prevention Rule


Dear All,

@chealey

I would like to implement the following rule to contain the services. Can someone help me with the correct syntax? The one below was a template and it is not working as expected. I need your advice.

Rule {
   services {Include -e "SNMPTRAP"}
   time {Include "*"}
   application {Include "*"}
   user_name {Include "*"}
   directives "-d" "-c" "services:stop" "services:pause" "services:delete" "services:startup"
}


Looking forward to your help.

Venu
Accepted Solution
McAfee Employee ktankink

Re: Exploit Prevention Rule


You can create an ENS Access Protection rule for this using the SERVICES engine. Be aware of the SERVICES engine limitations described in the KB articles below.

KB78600 - Service Protection Monitoring with Endpoint Security and Host Intrusion Prevention
KB82450 - Endpoint Security 10.x Known Issues

1167969   10.5.0 As Designed Issue: Services protection has the following limitations (that also exist in Host Intrusion Prevention):
  • User and executable parameters are not distinguished; although they are available in the UI, they are not valid parameters.
  • Services protection is valid up to Windows 8.0; later releases are not supported.
  • The enable or disable hardware profile operation is not supported.
Resolution: This behavior is as designed.

Create an Access Protection rule and add a SUBRULE for the SERVICES engine (similar to the screenshot below). Confirmed that this works on Windows 7.

[Screenshot: snmptrap_subrule.jpg]

AccessProtection_Activity.log
1/30/2019 9:47:02 AM mfetp(4216.1992) <SYSTEM> TmpLogger.AP.Activity: NT AUTHORITY\SYSTEM ran SERVICES.EXE, which attempted to access snmptrap, violating the rule "Block SNMP Service activity", and was blocked. For information about how to respond to this event, see KB85494.
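A detection-side complement to the Access Protection rule above, added here as example code (it is not from the thread or from McAfee): it parses AccessProtection_Activity.log lines in the format quoted in the answer and counts blocked attempts against a given service per user and process. The regex is derived from the single log line shown above, so the field layout of other event types is an assumption, and the extra sample lines are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern derived from the one AccessProtection_Activity.log line quoted in the thread.
# Layout of other ENS event types is an assumption; lines that do not match are skipped.
AP_EVENT_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'mfetp\((?P<pid>\d+)\.(?P<tid>\d+)\) <(?P<session>[^>]*)> '
    r'TmpLogger\.AP\.Activity: (?P<user>.+?) ran (?P<process>[^,]+), '
    r'which attempted to access (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>[^.]+)\.'
)

# Constructed sample log: line 0 is the one from the thread, lines 1-2 are made up
# (a second blocked attempt from a different tool, and a non-event line as noise).
SAMPLE_LOG = [
    r'1/30/2019 9:47:02 AM mfetp(4216.1992) <SYSTEM> TmpLogger.AP.Activity: NT AUTHORITY\SYSTEM ran SERVICES.EXE, '
    r'which attempted to access snmptrap, violating the rule "Block SNMP Service activity", and was blocked. '
    r'For information about how to respond to this event, see KB85494.',
    r'1/30/2019 9:51:10 AM mfetp(4216.2044) <SYSTEM> TmpLogger.AP.Activity: CORP\admin ran SC.EXE, '
    r'which attempted to access snmptrap, violating the rule "Block SNMP Service activity", and was blocked. '
    r'For information about how to respond to this event, see KB85494.',
    r'1/30/2019 9:52:00 AM mfetp(4216.1992) <SYSTEM> TmpLogger.AP.Activity: Policy refreshed.',
]


def parse_ap_event(line):
    """Parse one AP activity line into a dict of fields, or return None if it is not a rule event."""
    m = AP_EVENT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    # ENS writes a local, 12-hour timestamp without zero padding; strptime accepts that.
    event['timestamp'] = datetime.strptime(event.pop('ts'), '%m/%d/%Y %I:%M:%S %p')
    event['pid'] = int(event['pid'])
    event['tid'] = int(event['tid'])
    return event


def service_block_summary(lines, service):
    """Count blocked events per (user, process) whose target is the given service name."""
    counts = Counter()
    for line in lines:
        ev = parse_ap_event(line)
        if ev and ev['target'].lower() == service.lower() and ev['action'] == 'blocked':
            counts[(ev['user'], ev['process'])] += 1
    return counts


if __name__ == '__main__':
    for (user, process), n in service_block_summary(SAMPLE_LOG, 'snmptrap').items():
        print(f'{n} blocked attempt(s) on snmptrap by {user} via {process}')
```

Feed it the real log instead of SAMPLE_LOG to confirm the rule fires only for the intended service and to spot unexpected callers of the service control manager.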
