Tuning Access Protection False Positives

Hi, is it possible to tune out noise from endpoints generating tons of events that are flagged by the "Remotely Accessing local files or folders" rule? Tried excluding via path **\Folder\** etc. with a wildcard to exclude any files in "Folder" anywhere on the system, but it's not having any impact; they are still reported and logged. Cheers
McAfee Employee jess_arman

Re: Tuning Access Protection False Positives

@mattschm At this time, you cannot selectively filter events based on what is triggering them. The report mechanism is either On--Report All, or Off--Report Nothing. 

The closest you could get to doing this would be excluding the process that is triggering the rule, from the rule, which then would be allowing the action. So, if you choose to do this, then be sure that you are okay with the activity of the process being allowed.

With Access Protection, only processes can be excluded, not files/folders. So, if you are comfortable with the above, and do want to implement some exclusions, then you would need to configure your **\Folder\** exclusion to instead be formatted to specify any process, such as: **\Folder\*.exe. This is any process under a folder named Folder, under any directory. Please be advised that the less specific you are, the wider the "security gap" becomes in regard to the rule.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
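
To gauge how wide a process exclusion such as `**\Folder\*.exe` is before deploying it, the following added example (not from the thread or from McAfee) checks which process paths a wildcard pattern would cover. It assumes `**` matches across directory levels while `*` and `?` stay within one level; the function names, the full-path pattern and the sample paths are constructed for illustration.

```python
import re

def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard exclusion into a regex.

    Assumed semantics (not taken from the thread): '**' matches any
    characters including backslashes, '*' matches any characters except
    a backslash, '?' matches one character except a backslash.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def covered(pattern: str, paths: list[str]) -> list[str]:
    """Return the process paths that the exclusion pattern would match."""
    rx = exclusion_to_regex(pattern)
    return [p for p in paths if rx.fullmatch(p)]

# Constructed sample process paths (hypothetical inventory export).
SAMPLE_PROCESSES = [
    r"C:\Program Files\Vendor\Folder\agent.exe",
    r"C:\Users\alice\AppData\Local\Temp\Folder\unknown.exe",
    r"D:\Folder\tools\helper.exe",
    r"C:\Program Files\Vendor\Folder\readme.txt",
    r"C:\Program Files\Vendor\Other\agent.exe",
]

if __name__ == "__main__":
    broad = r"**\Folder\*.exe"                             # pattern from the reply
    narrow = r"C:\Program Files\Vendor\Folder\agent.exe"   # hypothetical full path
    for pat in (broad, narrow):
        print(pat)
        for path in covered(pat, SAMPLE_PROCESSES):
            print("   excluded:", path)
```

Under these assumptions the broad pattern also covers an executable in a user-writable `Temp\Folder` directory, which is the "security gap" the reply describes; the full-path pattern covers only the intended process.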
