How to exclude specific user in ENS TP expert rule?

Hi,

I was trying to convert some rules from HIPS to ENS.
Migrating it to an Access Protection policy (with GUI), I am able to exclude some users by their ID.
Using the expert rules in Exploit Prevention, I did not find a way to configure this.
(The documentation only states something about the SID, but that is really horrible ;-) )
Both rules are using the AAC, so I expect it should be configurable.

Does anyone have experience with this?

Example of what I want to accomplish, but is not working:

Rule {
  Process {
    Include OBJECT_NAME {
      -v **
    }
    Exclude USER_Name {
      -v "Domain\MyReadableUserID"
    }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME {
        -v cmd.exe
      }
      Include -access "EXECUTE"
    }
  }
}

4 Replies
Daveb3d
Message 2 of 5

Re: How to exclude specific user in ENS TP expert rule?

My understanding is that this will need a PER. I had some exchanges with engineering several months back on how to exclude based upon users and the output was that the old way isn't currently possible.

Dave

Re: How to exclude specific user in ENS TP expert rule? (Accepted Solution)

Good news, I got in touch with an engineer and received the following solution:

Include EXP_USER_NAME { -v "MyUserName" }
I tested it and it seems to work.
I am not going to need a PER after all.
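For readers who want to see where the key from this reply goes, here is the rule from the original question rewritten with EXP_USER_NAME in place of USER_Name. This is an added example, not a rule posted in the thread or taken from McAfee documentation. It assumes that Exclude is accepted for EXP_USER_NAME in the same way the reply shows Include, and it uses the plain user name format the reply shows (no domain prefix); "MyUserName" is a placeholder. Since one rule that fails to compile stops every expert rule from being enforced, check EndpointSecurityPlatform_Errors.log on a test machine after applying it.

```tcl
# Added example, not from the thread: exclude one user account from an
# Exploit Prevention expert rule that otherwise applies to every process.
# Assumptions: Exclude works with EXP_USER_NAME like Include does (the
# reply only shows Include), and the value is a plain user name.
# "MyUserName" is a placeholder account name.
Rule {
  Process {
    # Match every process ...
    Include OBJECT_NAME {
      -v **
    }
    # ... except processes running under this account
    Exclude EXP_USER_NAME {
      -v "MyUserName"
    }
  }
  Target {
    Match FILE {
      # Execution of cmd.exe is the monitored action
      Include OBJECT_NAME {
        -v cmd.exe
      }
      Include -access "EXECUTE"
    }
  }
}
```

Deploy it first to a policy that only a test machine receives and confirm the rule compiled before rolling it out more widely.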

Daveb3d
Message 4 of 5

Re: How to exclude specific user in ENS TP expert rule?

Very cool!

Do you know if this was a new add to 10.6?

Re: How to exclude specific user in ENS TP expert rule?

Hi,

I have no idea, but I really hope that it will work, for one important reason.
I read the following in the ENS expert rule syntax:

McAfee Endpoint Security provides information in the EndpointSecurityPlatform_Errors.log file about rules that didn't successfully compile and so were not enforced. Because all Expert Rules are compiled into a single group, when an Expert Rule generates an error, no Expert Rules are enforced.
So if it does not compile/enforce in ENS 10.5.3, no rules will be active there.
If this is true, it will be really difficult to implement new features of expert rules in a corporate environment.
Important to check, if I had not upgraded all my test machines to 10.6 ... :-)