
Need Suggestion for disabling access protection on Linux servers in McAfee ENS Threat Protection

Hello fellow community members,

We have observed multiple access protection threat events being raised which pretty much seem to be false positives. The threat name appears to be "IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX". What's happening is that a process, namely ossec-syscheckd (in this particular case), or any other process, is trying to access a startup/configuration file; as a result, one of the default rules about start-up files is being triggered and an incident is generated.

Can we disable it? How much of a risk is there in disabling those default access protection rules on Linux servers, if there is any at all?

 

Thanks in advance

1 Reply
McAfee Employee yaz

Re: Need Suggestion for disabling access protection on Linux servers in McAfee ENS Threat Protecti

Thank you for contacting McAfee Community. 

As per my understanding, this looks like the default access protection rule for Linux is enabled and will be set to report. 

Refer to the Screenshot attached from my Test ePO. 

Rather than completely disabling Access Protection, you can add exclusions for the files if you believe they are genuine. Or you can disable the rule and test if needed.

Kindly give Kudos if I answered your query. 
