Community Help Hub

Miro · ‎09-22-2020

Hello, I want to exclude all McAfee executables in the Expert Rule. I try it by using Exclude OBJECT_NAME { -l "*" -sdn "CN=\"McAfee, Inc.\", OU=Engineering, O=\"McAfee, Inc.\", L=Santa Clara, ST=California, C=US" } but it does not work. The whole rule looks like: Rule { Process { Include OBJECT_NAME { -v "**" } Exclude OBJECT_NAME { -v "teams.exe" | "mfeesp.exe" | "SYSTEM" -v "[iEnv windir]\\System32\\WBEM\\WMIPRVSE.EXE" -v "[iEnv windir]\\System32\\CSRSS.EXE" -v "[iEnv windir]\\System32\\WERFAULT.EXE" -v "[iEnv windir]\\System32\\SERVICES.EXE" -v "[iEnv windir]\\explorer.exe" -v "[iEnv windir]\\System32\\SearchProtocolHost.exe" } Exclude OBJECT_NAME { -l "*" -sdn "CN=\"McAfee, Inc.\", OU=Engineering, O=\"McAfee, Inc.\", L=Santa Clara, ST=California, C=US" } } Target { Match FILE { Include OBJECT_NAME { -v "[iEnv SystemDrive]\\Users\\**\*.*" } Include OBJECT_SIZE { -v 0 } Include -access "CLOSE" Exclude OBJECT_NAME { -v "[iEnv SystemDrive]\\Users\\*\\AppData" -v "[iEnv SystemDrive]\\Users\\*\\AppData\\**" -v "[iEnv SystemDrive]\\Users\\*\\**\\*.tmp" } } } } Thank you for help. Miro

Daveb3d · ‎09-22-2020

Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }

View solution in original post

Daveb3d · ‎09-23-2020

This should give you what you want, doing both ways. I commented out the McAfee cert since you won't need it, but there you can add other certs. Hopefully you see what I mean about the cert order.

I didn't realize there was a code paste option. Much cleaner. 🙂

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }        
		Exclude AggregateMatch {
			Include VTP_PRIVILEGES -type BITMASK { -v 0x8 }
			}
		#Exclude AggregateMatch {
			#Include CERT_NAME {
			#	-v "C=US, ST=California, L=Santa Clara, O=\"McAfee, Inc.\", OU=Engineering, CN=\"McAfee, Inc.\""
			#}
		#}
		Exclude AggregateMatch { 
			Include OBJECT_NAME { 
				-v "teams.exe"
				-v "mfeesp.exe"  
				-v "SYSTEM"		
				-v "[iEnv windir]\\System32\\WBEM\\WMIPRVSE.EXE"
				-v "[iEnv windir]\\System32\\CSRSS.EXE"
				-v "[iEnv windir]\\System32\\WERFAULT.EXE"
				-v "[iEnv windir]\\System32\\SERVICES.EXE"
				-v "[iEnv windir]\\explorer.exe"
				-v "[iEnv windir]\\System32\\SearchProtocolHost.exe"
			}		
		}
	}
	Target {
		Match FILE {
			Include OBJECT_NAME { -v "[iEnv SystemDrive]\\Users\\**\*.*" }
            Include OBJECT_SIZE { -v 0 }
            Include -access "CLOSE"            
            Exclude OBJECT_NAME { 
				-v "[iEnv SystemDrive]\\Users\\*\\AppData"
				-v "[iEnv SystemDrive]\\Users\\*\\AppData\\**"
				-v "[iEnv SystemDrive]\\Users\\*\\**\\*.tmp" 
			}
		}
	}
}

View solution in original post

Daveb3d · ‎09-22-2020

Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }

Daveb3d · ‎09-22-2020

Also, for certs generally, they are backwards in these rules. Don't ask me why. But if you reversed the order it would probably work as well. Using VTP is easier though.

Miro · ‎09-23-2020

Thank you for the quick reply.

What do you think with reversed the order?

Put the certificate exclusion on the first position?

I prefer to use -sdn, because later, if necessary, I can add more exclusions for certificates (signer).

Thank you!

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }        
		Exclude OBJECT_NAME { 
			-l "*" -sdn "CN=\"McAfee, Inc.\", OU=Engineering, O=\"McAfee, Inc.\", L=Santa Clara, ST=California, C=US"
			-v "teams.exe" | "mfeesp.exe" | "SYSTEM"		
			-v "[iEnv windir]\\System32\\WBEM\\WMIPRVSE.EXE"
			-v "[iEnv windir]\\System32\\CSRSS.EXE"
			-v "[iEnv windir]\\System32\\WERFAULT.EXE"
			-v "[iEnv windir]\\System32\\SERVICES.EXE"
			-v "[iEnv windir]\\explorer.exe"
			-v "[iEnv windir]\\System32\\SearchProtocolHost.exe"
		}		
	}	
	Target {
		Match FILE {
			Include OBJECT_NAME { -v "[iEnv SystemDrive]\\Users\\**\*.*" }
            Include OBJECT_SIZE {  -v 0  }
            Include -access "CLOSE"            
            Exclude OBJECT_NAME { 
				-v "[iEnv SystemDrive]\\Users\\*\\AppData"
				-v "[iEnv SystemDrive]\\Users\\*\\AppData\\**"
				-v "[iEnv SystemDrive]\\Users\\*\\**\\*.tmp" 
			}
		}
	}
}

Daveb3d · ‎09-23-2020

This should give you what you want, doing both ways. I commented out the McAfee cert since you won't need it, but there you can add other certs. Hopefully you see what I mean about the cert order.

I didn't realize there was a code paste option. Much cleaner. 🙂

Rule {
	Process {
		Include OBJECT_NAME { -v "**" }        
		Exclude AggregateMatch {
			Include VTP_PRIVILEGES -type BITMASK { -v 0x8 }
			}
		#Exclude AggregateMatch {
			#Include CERT_NAME {
			#	-v "C=US, ST=California, L=Santa Clara, O=\"McAfee, Inc.\", OU=Engineering, CN=\"McAfee, Inc.\""
			#}
		#}
		Exclude AggregateMatch { 
			Include OBJECT_NAME { 
				-v "teams.exe"
				-v "mfeesp.exe"  
				-v "SYSTEM"		
				-v "[iEnv windir]\\System32\\WBEM\\WMIPRVSE.EXE"
				-v "[iEnv windir]\\System32\\CSRSS.EXE"
				-v "[iEnv windir]\\System32\\WERFAULT.EXE"
				-v "[iEnv windir]\\System32\\SERVICES.EXE"
				-v "[iEnv windir]\\explorer.exe"
				-v "[iEnv windir]\\System32\\SearchProtocolHost.exe"
			}		
		}
	}
	Target {
		Match FILE {
			Include OBJECT_NAME { -v "[iEnv SystemDrive]\\Users\\**\*.*" }
            Include OBJECT_SIZE { -v 0 }
            Include -access "CLOSE"            
            Exclude OBJECT_NAME { 
				-v "[iEnv SystemDrive]\\Users\\*\\AppData"
				-v "[iEnv SystemDrive]\\Users\\*\\AppData\\**"
				-v "[iEnv SystemDrive]\\Users\\*\\**\\*.tmp" 
			}
		}
	}
}

How to exclude all McAfee executables in the Expert Rule

Re: How to exclude all McAfee executables in the Expert Rule

Re: How to exclude all McAfee executables in the Expert Rule

Re: How to exclude all McAfee executables in the Expert Rule

Re: How to exclude all McAfee executables in the Expert Rule

Re: How to exclude all McAfee executables in the Expert Rule

Re: How to exclude all McAfee executables in the Expert Rule

Community Help Hub

Join the Community