cancel
Showing results for 
Search instead for 
Did you mean: 
bertels
Level 8
Report Inappropriate Content
Message 1 of 14

How to exclude specific user in ENS TP expert rule ?

Jump to solution

Hi,

I was trying to convert some rules from HIPS to ENS.
Migrating it to an Access Protection policy (with GUI), I am able to exclude som users by their ID.
Using the expert rules in exploit prevention, I did not find a way to configure this. 
(The documentation only state something about the SID, but that is really horrible 😉 )
Both rule's are using the AAC, so I expect it should be configurable.

Does anyone have experience with this ?

Example of what I want to accomplish, but is not working:

Rule {
 Process {
  Include OBJECT_NAME {
   -v ** 
  }
                 Exclude USER_Name {
   -v "Domain\MyReadableUserID"
   }
 }
 Target {
  Match FILE {
   Include OBJECT_NAME {
    -v cmd.exe
   } 
                         
   Include -access "EXECUTE"
  }
 }
}

1 Solution

Accepted Solutions
bertels
Level 8
Report Inappropriate Content
Message 3 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

Good news, I got in touch with an engineer and received the following solution:

Include EXP_USER_NAME { -v "MyUserName" }

 

I tested it and it seems to work.
I am not going to need a PER after all.

13 Replies
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

My understanding is that this will need a PER.  I had some exchanges with engineering several months back on how to exclude based upon users and the output was that the old way isn't currently possible.

Dave

bertels
Level 8
Report Inappropriate Content
Message 3 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

Good news, I got in touch with an engineer and received the following solution:

Include EXP_USER_NAME { -v "MyUserName" }

 

I tested it and it seems to work.
I am not going to need a PER after all.

Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 4 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

Very cool!  

Do you know if this was a new add to 10.6?  

bertels
Level 8
Report Inappropriate Content
Message 5 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

Hi,

I have no idea, but I realy hope that it will work because of 1 important reason.
I read the following in the ENS expert rule syntax:

McAfee Endpoint Security provides information in the EndpointSecurityPlatform_Errors.log file about rules that didn't successfully compile and so were not enforced. Because all Expert Rules are compiled into a single group, when an Expert Rule generates an error, no Expert Rules are enforced.

 

So if it does not compile/enforce into ENS 10.5.3, no rules will be active there.
If this is true, it will be really dificult to implement new features of expert rules in a corporate environment.
Important to check, if I had not upgraded all my testmachines to 10.6 ... 🙂

BG
Level 8
Report Inappropriate Content
Message 6 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

I implemented this in a rule last year and it worked.  Today it does not.  Test system is running 10.6.1 with November 2018 update.  Is it still working for you?

cn
Level 7
Report Inappropriate Content
Message 7 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

Does EXP_USER_NAME still work?  I tried using it in an AAC Expert Process rule and it did not seem to work for me at all.  I tried it as the initiator and under the target, but whenever I use the account that should trigger it, nothing shows up.  I take it out and it works fine.  Did this get removed in 10.6 or am I simply not using it correctly?  The admin user is something like someadmin1, but when I launch any of the browser processes with the account and even never gets generated unless I remove EXP_USER_NAME from the rule.  Please help

Rule {
Process {
Include OBJECT_NAME { -v ** }
Include EXP_USER_NAME { -v "*admin*" }
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v iexplore.exe }
Include OBJECT_NAME { -v chrome.exe }
Include OBJECT_NAME { -v firefox.exe }
Include OBJECT_NAME { -v MicrosoftEdge.exe }
Include -access "CREATE"
}
}
}

 

McAfee Employee jess_arman
McAfee Employee
Report Inappropriate Content
Message 8 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

@cn Try changing the variable syntax to just USER_NAME and see how it goes as examples I'm finding use that instead of EXP_USER_NAME. 

Here's an excerpt from a previous syntax guide (PD27574) which shows the variable as that and not having the EXP_ part

Rule {
service { Include "Alerter" }
application { Include "*"}
user_name { Include "*" }
directives service:stop
}

 

user_name { Include
“*” }
Indicates that this rule is valid for all users (or more precisely, the security context in
which a process runs).
To limit the rule to specLfic user contexts, list them using the form Local/user or
Domain/user.

 

Also, when in the expert rule creation screen, if you have "use Expert Rule template" checked, and select "Illegal API use" as the type, you can see in the example template that the variable is just user_name {Include"*"}

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Highlighted
McAfee Employee ktankink
McAfee Employee
Report Inappropriate Content
Message 9 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

@cn Here is the Expert Rule I used that worked for me.  Chrome.exe is allowed for DOMAIN\USER1, but blocked for DOMAIN\ADMINISTRATOR.

 Rule {
Process {
Include OBJECT_NAME { -v ** }
Include EXP_USER_NAME {-v {domain\administrator}
}
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v iexplore.exe }
Include OBJECT_NAME { -v chrome.exe }
Include OBJECT_NAME { -v firefox.exe }
Include OBJECT_NAME { -v MicrosoftEdge.exe }
Include -access "CREATE"
}
}
}

Basically just executed "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" from a CMD prompt opened by my each domain account (Administrator and USER1).

2/20/2019 5:57:59 PM mfeesp(2020.6192) <SYSTEM> ApBl.BOPAP.Activity: DOMAIN\Administrator ran CMD.EXE, which attempted to access CHROME.EXE, violating the rule "Process block browser by username", and was blocked. For information about how to respond to this event, see KB85494.

 

I used these variations successfully

Include EXP_USER_NAME {-v {.\user} worked to block a local user account (named "user").

Include EXP_USER_NAME {-v {localsystemname\user} worked to block the same local user where localsystemname is the local computername (e.g., SYSTEM1\User)

 

I am unable to get it to work with wildcards though.

Did not work

Include EXP_USER_NAME {-v {.\use*}

Include EXP_USER_NAME {-v {localsystemame\use*}

Include EXP_USER_NAME {-v {*\user}

Include EXP_USER_NAME {-v {**\user}

cn
Level 7
Report Inappropriate Content
Message 10 of 14

Re: How to exclude specific user in ENS TP expert rule ?

Jump to solution

Thanks for the response.  This was most helpful.  I was also able to get it to work on specific accounts.... However, I need to be able to wildcard it to pick up certain domain accounts that start with a bb which identifies it as an admin account.  These accounts are AD accounts that uses xccedium to elevate.  I am trying to figure out a way to create a process related alert to track when a user decides to open a browser using this type of admin account. 

 

I wanted to be able to do something like.

Rule {
Process {
Include OBJECT_NAME { -v ** }
Include EXP_USER_NAME { -v {domain\bb*}
}
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v iexplore.exe }
Include OBJECT_NAME { -v chrome.exe }
Include OBJECT_NAME { -v firefox.exe }
Include OBJECT_NAME { -v MicrosoftEdge.exe }
Include -access "CREATE"
}
}
}

Of course this does not seem to work, which limits my use of the rule.  Is there a better way to block admin privilege browser launches with another match type?

 

Thanks,

 

Chris

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community