Re: How to exclude specific user in ENS TP expert rule ?

# Rule wraps both the Process and Target sections in one brace pair
Rule {
    Process {
        Include OBJECT_NAME { -v ** }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME {
                -v iexplore.exe
                -v chrome.exe
                -v firefox.exe
                -v MicrosoftEdge.exe
            }
            Include PROCESSOR_MODE { -v "0" }
            Include -access "CREATE"
        }
    }
}

I didn't test this, but I think this should solve your problem.
From documentation:
PROCESSOR_MODE: Matches if the match is evaluated in the context of an I/O
operation originating from user-mode or kernel-mode.
This is most useful for excluding processes from matching a
rule if the process is executing in user-mode.
cn (Level 7)

Re: How to exclude specific user in ENS TP expert rule ?


Thanks for the updated rule idea. I tried it with the syntax you provided, but could not get it to work that way. It would fail to compile. I used an Include -processor_mode "kernel", and that seemed to compile, but would not fire on an admin account. Even though when you use an admin account to launch iexplore.exe, it is still considered user mode and not kernel. I switched it from "kernel" to "user" and it fired off on it as it was indeed in usermode.

Perhaps there is another way.

Re: How to exclude specific user in ENS TP expert rule ?

I have one more idea, but it is a bit more complex.
First, see that the user-name is stored in the HKLM registry somewhere. (Not in HKCU, because it will be evaluated from the McAfee process that runs in system context, so HKCU will point to the system user.)
Then you can use the TCL magic like this:
# Read the logged-on user name from a registry value (HKLM path is a placeholder)
# and only emit the rule body when the name does not match the excluded pattern.
# Backslashes are doubled inside double quotes: a single "\b" would be a Tcl backspace.
Rule {
    set var_username [iReg value "HKLM\\regkey\\to\\user\\name" "userName"]
    if { ![string match "domain\\bb*" $var_username] } {
        Process {
            Include OBJECT_NAME { -v ** }
        }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME {
                -v iexplore.exe
                -v chrome.exe
                -v firefox.exe
                -v MicrosoftEdge.exe
            }
            Include -access "CREATE"
        }
    }
}

Be aware that the evaluation of "![string match "domain\bb*" $var_username]" only happens on policy enforcement.
ktankink (McAfee Employee)

Re: How to exclude specific user in ENS TP expert rule ?


This is the correct usage. Here is an example Expert Rule (modified from the ENS Product Guide PD27227, page 32) that I had previously tested successfully.

Rule {
    Process {
        Include OBJECT_NAME { -v cmd.exe }
        Exclude EXP_USER_NAME {
            -v {domain\administrator}
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME {
                -v "c:\\temp\\*test.txt"
            }
            Include -access "CREATE"
        }
    }
}

For other usernames (with spaces for example), I tested using quotes vs brackets for usernames with spaces, and the brackets worked for me.

Didn't work:

Include EXP_USER_NAME {
    -v "NT AUTHORITY\SYSTEM"
}

Worked:

Include EXP_USER_NAME {
    -v {NT AUTHORITY\SYSTEM}
}
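
Putting the two accepted points together for the original question (exclude one account from a rule that watches browser launches), as an added example that is not from any post in this thread and not from the ENS Product Guide: the process section from the first reply, with an Exclude EXP_USER_NAME block in the brace form that ktankink found to work for names containing spaces. The account name CORP\helpdesk admin is a placeholder assumption, chosen to contain a space; the Target section and the -access "CREATE" match are exactly as in the rules above.

```tcl
# Added example, not from the thread: report creation of the listed browser
# processes by any parent, except when the launching account is the excluded user.
# ASSUMPTION: {CORP\helpdesk admin} is a placeholder; substitute the real account.
Rule {
    Process {
        # Match every parent process...
        Include OBJECT_NAME { -v ** }
        # ...but drop events where the user context is the excluded account.
        # Braces keep the backslash and the space literal; double quotes did not
        # compile for a name with a space in the post above.
        Exclude EXP_USER_NAME {
            -v {CORP\helpdesk admin}
        }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME {
                -v iexplore.exe
                -v chrome.exe
                -v firefox.exe
                -v MicrosoftEdge.exe
            }
            Include -access "CREATE"
        }
    }
}
```

Excluding an account this way removes every launch by that account from the rule's coverage, so the list under Exclude EXP_USER_NAME should stay as short as the exception actually requires; unlike the registry-lookup variant earlier in the thread, the user name is evaluated per event rather than once at policy enforcement.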