Query related to user define access protection rules

Hello, I have a few questions related to user-defined access protection rules. How are the executable and sub-rule parts of these rules related? Thus, does adding hashes in the executable block hashes for all files if not defined in the sub-rule, or vice versa? I have read the documentation, but this relation is not clear as there is no direct example. All previous examples are related to VSE rules, not ENS 10 rules. Thank you.
Accepted Solution

AdithyanT (McAfee Employee)
Message 4 of 6

Re: Query related to user define access protection rules


Hi @User26890202 

First of all, excellent question and thanks for your response here. I wish I could answer this over a phone call. So this is how Access Protection works:

Access Protection is placing control on "processes". This is the very fundamental of Access Protection, and it should make the other concepts very easy to understand. Based on your detailed response, my understanding is that you wish to blacklist hashes. We need to determine what file types these hashes belong to. Are you trying to block executions of a program? If yes, then these hashes must be the hashes of the executables of those applications, right?

For example, if my goal is to block access to the Notepad application, we would first find out the process name, which in this case is notepad.exe.

Now, in order to block notepad.exe from being opened as an application, you can use either its name or its hash and add it to "Executables" under the new rule you create for Access Protection.

Essentially, by doing so, we are initiating a control on this "application/process". Let us consider that you do not want this process to be run/executed at all, no matter which location it is being initiated from. In this case, you would select the relevant operations under the sub-rule add option, the type shall remain "Files", and you can add the target as a file path and use the wildcard (*) here.

Now let's review this rule. We are controlling the process notepad.exe by blocking (action - block) all the activities selected (create, delete, etc.) that it can perform on the entire system (target file path *).

Now this can be done the other way as well. If the files that you are trying to block users from accessing belong to a file or script, depending on the file type, you can have the process name changed and the target would be the identified file. To understand this, let us take the below example:

Goal: To block a PDF file from being accessed/modified by anyone using any application.

In this scenario, under the new rule, we first determine the process we need to control. This can either be Adobe Reader's process (so that we can control viewing, opening or even creation of that file using Adobe Reader), or you can use explorer.exe to prevent deletion/pasting (which would be creation of the file at that location) of the file using File Explorer, or even use the wildcard (*) to ensure no process can touch that file. The action remains "Block". Under Sub-rule, you can define the actions you want to be blocked, and the Target is where you would add the file name.

Please note, you cannot act on a file based on its hashes; you will have to use its name. It is always the executable (process) for which you can provide hashes for controlling it.

Hope this gives you a clear picture of how you can define your rule now. All the best!


Thanks and regards,
Adithyan T
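As an added illustration of the executable-AND-sub-rule relationship described in this reply (example code written for this page, not McAfee's engine or any ENS API): a small Python model that evaluates constructed file events against three rules built the way the reply describes, including a rule whose Executables entry is a hash. Field names, rule names and the hash value are assumptions; the point it shows is that a hash under Executables only ever identifies the acting process, never the target file.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sample hash (not a real indicator); stands in for a blacklisted binary.
BAD_SHA256 = "0" * 63 + "1"

@dataclass
class Event:
    process_name: str      # image name of the process performing the operation
    process_sha256: str    # hash of that process's executable file
    operation: str         # create, delete, write, read, execute, ...
    target_path: str       # file the process acts on (matched by name/path only)

@dataclass
class ApRule:
    name: str
    executables: list      # dicts with "name" and/or "sha256"; name "*" = any process
    operations: set        # sub-rule operations to block
    targets: list          # sub-rule file-path patterns, wildcard * allowed
    action: str = "block"

    def executable_matches(self, ev: Event) -> bool:
        # Every identifier supplied for an entry must match the acting process (assumption).
        for ex in self.executables:
            if ex.get("name") == "*":
                return True
            name_ok = "name" not in ex or ex["name"].lower() == ev.process_name.lower()
            hash_ok = "sha256" not in ex or ex["sha256"].lower() == ev.process_sha256.lower()
            if name_ok and hash_ok:
                return True
        return False

    def subrule_matches(self, ev: Event) -> bool:
        if ev.operation not in self.operations:
            return False
        return any(fnmatch.fnmatchcase(ev.target_path.lower(), p.lower()) for p in self.targets)

    def applies(self, ev: Event) -> bool:
        # Executables AND sub-rule: both halves must match for the action to fire.
        return self.executable_matches(ev) and self.subrule_matches(ev)

RULES = [
    ApRule("Block notepad.exe everywhere", [{"name": "notepad.exe"}], {"create", "delete", "write"}, ["*"]),
    ApRule("Protect contract.pdf", [{"name": "*"}], {"delete", "write"}, ["*\\contract.pdf"]),
    ApRule("Blacklisted binary", [{"sha256": BAD_SHA256}], {"create", "write", "execute"}, ["*"]),
]

def blocked_by(ev: Event, rules=RULES) -> list:
    """Names of block rules that fire for this event."""
    return [r.name for r in rules if r.action == "block" and r.applies(ev)]
```

The last rule fires when the hashed binary is the process doing the work, but explorer.exe copying a file with that hash is not matched, which is the limitation the reply describes.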
DG1 (McAfee Employee)
Message 2 of 6

Re: Query related to user define access protection rules


Hi @User26890202 ,

Thank you for posting this query! The link below is to a YouTube video that will explain the access protection rules.

https://www.youtube.com/watch?v=IjJkHSvQLzQ

Thanks and regards,
Deepak G
McAfee Technical Support

Re: Query related to user define access protection rules


Thank you for the video @DG1. I understand this part and have created some rules, but in reverse order.

Say, from the above example, I added the Chrome file in the executable and then in the sub-rule I just added "*" as the file name. Is this the wrong way of defining these rules?

I am creating a rule to blacklist hashes, so I added all those hashes as executables and in the sub-rule added "*". As per my understanding, this rule will block all hashes in the list for any file. But after reading some articles and watching this video, it seems like my approach is wrong.

My confusion is with how the executable and sub-rule parts are related to each other.


Thanks


Re: Query related to user define access protection rules


Hello AdithyanT,

Thank you for the response. The reply was clear enough to help me understand access protection rules. As it follows an AND operation between Sub-rules and Executables, it works either way. From your explanation it is pretty clear that we cannot create an access protection rule based on file hashes. But all the malicious hash lists we get are mostly file based rather than process based. Is there any other way in ENS 10 to create a blacklist rule for file hashes?

AdithyanT (McAfee Employee)
Message 6 of 6

Re: Query related to user define access protection rules


Hi @User26890202 

Thank you for your response. I am afraid that is not an available option right now. I would presume that this is a conscious decision taken by Engineering to save the time consumed by Access Protection rule processing (validating one process hash against sub-rules vs validating against every file's hash!).

My guess is as good as yours, since this is something only Engineering can decide upon. I would like to request you to submit a PER (Product Enhancement Request) via our Idea submission portal, which might be helpful for our Engineering team to re-evaluate the possibilities.

Now, having said that, if these are actual malicious hashes and you would like to validate whether McAfee has coverage for them, please submit them via a Service Request and we will be happy to assist you with the same.

In case we do not find the samples for the given hashes, you may have to help us with the same. I sincerely hope this response also helps you!


Thanks and regards,
Adithyan T