cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exploit Prevention Signatures

Hi: I was adding the PrintNightmare signature recently and noticed many of these signature not enabled for reporting or blocking. I was wondering how our organization was to know what should be enabled for blocking? I do subscribe to the weekly McAfee email list to keep up on ENS updates. But I want to ensure anything listed in the signatures is enabled to help protect our org whenever possible.
4 Replies
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: Exploit Prevention Signatures

Hi @tmelville,

Thank you for your post. We may not be able to recommend tailored suggestions for your organization as we leave that to administration of each organization by providing them documentation on the capabilities of these rules and they are to be tested on each organization to validate if it generates false positives, how it can be fine tuned, etc. However, we have the below documentation that talks about some important signatures to be enabled and fine tuning of our product:

Best practices for tuning and using Endpoint Security to prevent and respond to threat incidents

I sincerely hope this helps!

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

Re: Exploit Prevention Signatures

I would suggest these at a minimum.  

6187
6206
6196
6195 (for servers)
6194
6192
6191
6190
6168
6155
6154
6153
6152
6146
6145
6143
6124
6122
6121
6118
6117
6116
6115
6113
6112
6109
6108
6078
6066
6047


Do you have ATP deployed?  There are several JTI rules I might suggest as well..

Dave

 

ChrisQ
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 5

Re: Exploit Prevention Signatures

@Daveb3d I'm interested in seeing your JTI rule suggestions.

Re: Exploit Prevention Signatures

Now I'll first qualify this by saying ATP needs to be set to clean at "Most LIkely Malicious" to really benefit from this. You might want to run some test systems in observe mode for tuning, and maybe point them to "Productivity" or "Security" if you don't use those policy sets, and tune them to match "Balanced" in your target configuration. 

Starting with the newest ones.

517 - If you have a TIE server, use it to trust, otherwise exclude false-positive processes with OAS exclusions. This one will stop CobaltStrike in most cases. 
516
515
514 - might be noisy though. Strongly recommend a TIE server.
511
504
349
346
324
318
317
314
309
301
260
255



You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community