Reliable Contributor haaris
Message 1 of 9

Getting Self protection blocked rule

Hi,

I am getting the blocked message shown in the screenshot, and we have to add the .dll path to the exclusions, but if I add the path to the exclusions, is that OK, or do I need to add an exclusion in the access protection rule, since the event shows "Access Protection rule violation detected and blocked"?

AP-Rule.JPG

Can someone give me feedback?

McAfee Employee chealey
Message 2 of 9

Re: Getting Self protection blocked rule

This is a self protection block - not an access protection block (see threat type).

Exclusions for self protection can be made via the ENS Common policy but they aren't recommended. You also only have the option to exclude processes from the self protection.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Reliable Contributor haaris
Message 3 of 9

Re: Getting Self protection blocked rule

Hi @chealey ,

Thanks for the update.

So there is no sense in adding an on-access scan exclusion for the path C:\WINDOWS\system32\ctiuser.dll

I have added ctiuser.dll under self protection in the ENS Common policy to not get this blocking event. Is that OK, or do I need to make some other changes to not get this blocking event?

I am also getting a similar event related to that, with a different event ID, 34865.

McAfee Employee chealey
Message 4 of 9

Re: Getting Self protection blocked rule

No need to add an on access exclusion. Even if it was an access protection violation - you would need to add an access protection exclusion - not an on access scan exclusion - different features, so need different exclusions 🙂

Adding the dll to your Self Protection exclusions won't help you either. As mentioned, only processes can be excluded from the Self Protection.

The event 34865 is an indication of a dll injection. These are mostly seen during ENS installations as a tool called "SYSPREP" is launched and will check for any third parties trying to inject themselves into our processes. If you look at your ENS Common policy under signatures, you are likely to see some certificates which were found by this tool and at which point you can choose to trust (allow) them or not.

Reliable Contributor haaris
Message 5 of 9

Re: Getting Self protection blocked rule

Hi @chealey

Thanks for the info.

So should we select allow for the certificate which belongs to this dll file, since there is no way we can exclude the dll? Or is there any other way?

We trust the dll and we don't want it to be blocked.

McAfee Employee chealey
Message 6 of 9

Re: Getting Self protection blocked rule

Correct.

Reliable Contributor haaris
Message 7 of 9

Re: Getting Self protection blocked rule

Hi @chealey ,

How does the ENS Common policy get the certificates of different vendors, since we don't add them? I guess it's an automatic process.

Could you please explain a bit on that?

McAfee Employee chealey
Message 8 of 9

Re: Getting Self protection blocked rule

Entries found in the ENS Common policy are injectors in the environment that Endpoint Security has identified. If no measures have been taken to trust that certificate or remove the third-party software from the environment, the application might cause issues for Endpoint Security, sporadically throughout the environment.

The events 1095 / 1092 come from the SYSPREP tool which is run during the installation process. It automatically updates the McAfee Trust store for third-party injectors that McAfee recognizes and that exist on the system. It sends Event ID 1095 for these injectors and writes them to the logs. It identifies any unknown injectors, and determines if they are signed or unsigned. It sends Event 1092 for these injectors and writes them to the logs. For more info on the sysprep tool see: https://kc.mcafee.com/agent/index?page=content&id=KB89860

Reliable Contributor haaris
Message 9 of 9

Re: Getting Self protection blocked rule

Hi @chealey ,

I have allowed those certificates, but when I run the report I still see systems having blocked events for threat event ID 1092 with threat name "Core Protection - Protect core McAfee files and folders", and the other event ID 34865 with threat name "Self Protection - protect McAfee processes".

Any reason why we are still getting blocked events?
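
The thread settles on trusting the certificate that signs the DLL rather than excluding the file. The following is an added example, not part of any post above and not McAfee tooling, for checking on an affected host who actually signed the DLL and whether that signature validates before its certificate is allowed. The function name `Get-InjectorSignerReport` is hypothetical; the default path is the one quoted in the thread, and the script does not read or change any ENS policy.

```powershell
# Added example: report the Authenticode signer of a DLL that is being
# considered for certificate trust. Get-InjectorSignerReport is a hypothetical name.
function Get-InjectorSignerReport {
    [CmdletBinding()]
    param(
        # Default is the DLL named in the thread; pass other paths as needed.
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Path = @('C:\WINDOWS\system32\ctiuser.dll')
    )
    process {
        foreach ($p in $Path) {
            $row = [ordered]@{
                Path = $p; Status = 'FileNotFound'; Signer = $null; Issuer = $null
                Thumbprint = $null; NotAfter = $null; Sha256 = $null
                Review = 'File is not present on this host'
            }
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $sig  = Get-AuthenticodeSignature -FilePath $p
                $cert = $sig.SignerCertificate
                $row.Status = "$($sig.Status)"
                $row.Sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                if ($cert) {
                    # Signer details to compare by hand with the certificate
                    # entry that is about to be allowed.
                    $row.Signer     = $cert.Subject
                    $row.Issuer     = $cert.Issuer
                    $row.Thumbprint = $cert.Thumbprint
                    $row.NotAfter   = $cert.NotAfter
                }
                $row.Review = switch ("$($sig.Status)") {
                    'Valid'     { 'Signature validates: confirm the signer is the expected vendor' }
                    'NotSigned' { 'Unsigned: there is no certificate to trust for this file' }
                    default     { "Signature problem: $($sig.StatusMessage)" }
                }
            }
            [pscustomobject]$row
        }
    }
}

# Run against the default path and show every field.
Get-InjectorSignerReport | Format-List
```

A status other than `Valid`, or a signer that is not the vendor expected for the DLL, is a reason to investigate the file before allowing anything.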
