Need help with exclusion in Threat Prevention

Hey all,

I have a dev team that creates and runs .SRC files and threat prevention On Access Scan is blocking those files. My test to recreate the issue is to rename a .txt file to .src which throws up an access denied error. In the logs I see: 

... ran C:\Windows\explorer.exe, which tried to access the file C:\TempVDI\test.src, violating the rule "Prevent CryptoLocker IV Encrypt Phases_4", and was blocked

In my exclusions for On Access Scan, I added File type = src, and I also tried File name or Path = **\*.src but neither one is letting it through.  My wish is to allow them to drop the .src files into a folder like C:\Devel\ and let it run there.

What is the proper exclusion syntax for something like this?

Edit: I tried using https://kc.mcafee.com/corporate/index?page=content&id=KB54812 and adding c:\Devel\*.src but still no success. I think it's because we are renaming and not necessarily running?

9 Replies
Reliable Contributor, Message 2 of 10

Re: Need help with exclusion in Threat Prevention

That doesn't look like OAS. An Access Protection or Expert Rule.

Dave

Re: Need help with exclusion in Threat Prevention

I found Prevent CryptoLocker IV Encrypt Phases_4 under the Access Protection policy. I edited it and added the following:

Name = Allow SRC for Dev

File name or path = C:\cdgtech\dev\*.src

Inclusion Status = Exclude

Notes = Added to allow SRC files to be run

Still seems to block. Do I need to update anywhere else?

Re: Need help with exclusion in Threat Prevention

I also see a "subrule" that shows INCLUDE **\*.src. I tried adding an Exclude C:\CDGTECH\DEV\*.src but it did not go.

What is the first exclusion list vs subrule list?

Reliable Contributor, Message 5 of 10

Re: Need help with exclusion in Threat Prevention

Basically, it is process creating the file vs file being created.

Are you doing this in ePO?  Are you ensuring the policy is updating locally before testing?  From what I see in your latest post, I think it should work with that.

Re: Need help with exclusion in Threat Prevention

Let me clear up what I have set right now, after talking with you.

Policy Catalog > Access Protection > {My Policy} >

  • Exclusions = ALLOW SRC files    C:\CDGTECH\DEV\*.src
  • Rules = Prevent CryptoLocker IV Encrypt Phases 4 > 
    • Executables - I removed my exclusion here, so it's "default" to my knowledge
    • subrule - I removed my exclusion so it's set to INCLUDE **\*.src

So the only exclusion I have set currently is on the main exclusion portion of AP policy.  I am also running Check for new policies, Enforce new policies, collect and send props.

Reliable Contributor, Message 7 of 10

Re: Need help with exclusion in Threat Prevention

Jump to solution

You want the exclusion in the subrule.  

Dave

Re: Need help with exclusion in Threat Prevention

Now it works! So I need it in both locations? The subrule and the AP exclusion list? That is where I have it now and it's working.

You are the best! Thank you so much.

Reliable Contributor, Message 9 of 10

Re: Need help with exclusion in Threat Prevention

Jump to solution

Just the subrule.

Glad it is working.

Dave

Reliable Contributor, Message 10 of 10

Re: Need help with exclusion in Threat Prevention

Jump to solution

It looks like you put it in the source location rather than the target.  Go back one screen.  Drop to the bottom and get the exclusion in there instead.

btw, can I suggest you put in the full path for your exclusions?  If somebody spoofs, for example, rundll32.exe, they will be able to bypass your control.

Dave
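
Dave's source-versus-target point and his full-path caveat, as an added example that is not part of this thread: a small Python model of how an Access Protection rule's include/exclude lists decide whether an action is blocked. The wildcard semantics, the default Executables list and the evaluation order are assumptions for illustration, not McAfee's implementation; the paths are the ones quoted in the thread.

```python
import re

# Assumed model, not McAfee's matching engine: '**' crosses directory
# separators, '*' and '?' do not, and matching is case-insensitive.
def _wildcard_to_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        out.append({"*": r"[^\\]*", "?": r"[^\\]"}.get(pattern[i], re.escape(pattern[i])))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matches(pattern: str, path: str) -> bool:
    return _wildcard_to_regex(pattern).match(path) is not None

def covered(entries, value: str) -> bool:
    """entries: (pattern, 'include'|'exclude') pairs. A value is covered when
    some include pattern matches it and no exclude pattern matches it."""
    inc = any(matches(p, value) for p, s in entries if s == "include")
    exc = any(matches(p, value) for p, s in entries if s == "exclude")
    return inc and not exc

def blocked(executables, subrule_targets, process_path: str, file_path: str) -> bool:
    """The rule fires only when the acting process is covered by the Executables
    (source) list AND the target file is covered by the subrule (target) list."""
    return covered(executables, process_path) and covered(subrule_targets, file_path)

ANY_PROCESS = [("**", "include")]                 # default Executables list (assumed)
SRC_TARGETS = [(r"**\*.src", "include")]          # the subrule seen in the thread
DEV_EXCLUDE = (r"C:\CDGTECH\DEV\*.src", "exclude")
EXPLORER = r"C:\Windows\explorer.exe"             # the process named in the log line

def exclusion_in_executables(file_path: str) -> bool:
    # The first attempt: a .src path in the source list never matches a
    # process path, so the rule still blocks.
    return blocked(ANY_PROCESS + [DEV_EXCLUDE], SRC_TARGETS, EXPLORER, file_path)

def exclusion_in_subrule(file_path: str) -> bool:
    # The accepted answer: the exclusion belongs on the target side, in the subrule.
    return blocked(ANY_PROCESS, SRC_TARGETS + [DEV_EXCLUDE], EXPLORER, file_path)

def spoof_escapes(exe_exclusion: str, process_path: str) -> bool:
    # Dave's caveat: a name-only executable exclusion also matches a copy of the
    # binary placed elsewhere; a full-path exclusion does not.
    execs = ANY_PROCESS + [(exe_exclusion, "exclude")]
    return not blocked(execs, SRC_TARGETS, process_path, r"C:\TempVDI\test.src")
```

Note that `C:\CDGTECH\DEV\*.src` does not cover subfolders in this model, so a file under `C:\CDGTECH\DEV\sub\` is still blocked unless the pattern uses `**`.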

