
Need to block anydesk & ammyy admin to run

Need to block anydesk & ammyy admin to run.
9 Replies
Reliable Contributor
Message 2 of 10

Re: Need to block anydesk & ammyy admin to run

Use ENS Access protection rules

McAfee Employee
Message 3 of 10

Re: Need to block anydesk & ammyy admin to run

@User97508379 For more information about how to create a custom Access Protection rule, please see KB86577 and this excerpt from the Product Guide.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Reliable Contributor
Message 4 of 10

Re: Need to block anydesk & ammyy admin to run

ENS Access protection rule will work as long as the file name you put on the rule matches the one the user is trying to execute. Let's say you add ammyadmin.exe and anydesk.exe on the AP rule.

ENS won't stop it if a clever user renames the ammyadmin.exe/anydesk.exe to notepad.exe and runs it from a different path.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!

Reliable Contributor
Message 5 of 10

Re: Need to block anydesk & ammyy admin to run

Try to block by MD5 hash.

McAfee Employee
Message 6 of 10

Re: Need to block anydesk & ammyy admin to run

Ammyy admin should be detected by OAS itself if the PUP detection is enabled. 

oasbl.OAS.Activity: ***** ran C:\Windows\explorer.exe, which attempted to access C:\Users\*****\Downloads\AA_v3 (1).exe. The Remote Admin Tool named RemAdm-Ammyy was detected and deleted.

You can put a block by Hash information. However, with a new version, if the hash is changed then it will not be blocked by TP.

 

Reliable Contributor
Message 7 of 10

Re: Need to block anydesk & ammyy admin to run

If you right-click on the file and go to Properties, then go to Details, and send me what it says for both as "description", I can give you an easy Expert Rule to block it no matter the hash and no matter if it is renamed.

 

Dave

Reliable Contributor
Message 8 of 10

Re: Need to block anydesk & ammyy admin to run

Hi @Daveb3d, Just curious to see the expert rule.

See the screenshots for the anydesk.exe & ammyadmin.exe details. Thanks in advance

AMMY.jpg

 

 

 

Reliable Contributor
Message 9 of 10

Re: Need to block anydesk & ammyy admin to run

Rule {
  Process {
    Include OBJECT_NAME { -v "*" }
  }
  Target {
    Match PROCESS {
      Include DESCRIPTION {
        -v "Anydesk"
        -v "Ammyy admin"
      }
    }
  }
}

I typed this on my phone so if it doesn't work let me know. It would be a formatting issue I'll fix tomorrow. But this should block any version and any hash as long as the developer keeps the same description.

Dave

Reliable Contributor
Message 10 of 10

Re: Need to block anydesk & ammyy admin to run

Thanks @Daveb3d, It worked :).

 

Rule {
  Process {
    Include OBJECT_NAME {
      -v *
    }
  }
  Target {
    Match FILE {
      Include DESCRIPTION {
        -v "AnyDesk"
        -v "Ammyy Admin"
      }
    }
  }
}

Ammyadmin.jpg

 


Policy name : Endpoint Security Threat Prevention : Policy Category > Exploit Prevention > My Default

 

Cheers

Balaji VP
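
An added example, not part of any post in this thread and not McAfee's own tooling: a PowerShell audit that lists executables whose version-resource description matches the strings used in the Expert Rule above, so renamed copies and new builds with different hashes show up side by side. The scan directories and the substring matching are assumptions; the description strings come from the rule in the thread.

```powershell
# Added example: inventory executables by version-resource description,
# independent of file name or hash.
param(
    # Assumption: directories to scan; adjust for your environment.
    [string[]]$Root = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop"),
    # Description strings taken from the Expert Rule posted in the thread.
    [string[]]$Description = @('AnyDesk', 'Ammyy Admin')
)

function Test-DescriptionMatch {
    # True when the file description contains any pattern (case-insensitive).
    param([string]$Value, [string[]]$Patterns)
    if (-not $Value) { return $false }
    foreach ($p in $Patterns) {
        if ($Value -like "*$p*") { return $true }
    }
    return $false
}

$hits = foreach ($dir in $Root) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Same field Explorer shows under Properties > Details > File description.
            $desc = $_.VersionInfo.FileDescription
            if (Test-DescriptionMatch -Value $desc -Patterns $Description) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Description  = $desc
                    # Name compiled into the binary; differs from the file name after a rename.
                    OriginalName = $_.VersionInfo.OriginalFilename
                    # Hash changes with every release, which is why hash-only blocks go stale.
                    MD5          = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                }
            }
        }
}

$hits | Sort-Object Description, MD5 | Format-Table -AutoSize
```

Rows that share a Description but differ in Path or MD5 are the cases the file-name and hash approaches discussed earlier in the thread would miss.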
