cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution
Would it be possible to allow McAfee software to only allow Mozilla Firefox to run from “C:\Program Files (x86)\Mozilla Firefox\firefox.exe” and block it from being run from "C:\Users\\AppData\Local\Mozilla Firefox\firefox.exe" or anywhere else? Would it be possible to block the installation of that software to that location? Is this a policy that can implemented in ENS or ATP? We are running ENS 10.7 with a TIE server and Active Response.
1 Solution

Accepted Solutions
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

Hello @User59512346 

How this rule is defined, you are blocking firefox.exe process, listed under executable section, to create, execute, read, rename, write firefox.exe file listed in sub-rule.

Usually, that is not the case, especially with installation if Firefox doesn't exist on machine.

If you want to prevent firefox.exe to be created, executed, read, renamed, written in that location, you will leave sub-rule as is, however because it is highly unlikely that firefox.exe is the process doing that, you will remove firefox.exe as executable and leave it blank or replace it with *.

That AP rule should prevent any process of doing operations over firefox.exe in that location.

Please note:
What you are doing is highly dangerous, enabling block right away and without report at all.

Best practice is to configure rule to report only and than evaluate what that rule is actually blocking to make sure that the rule will not block some of essential system functions.

Once you are sure that the AP rule will not block anything other than what you wanted it to block then you can enable block on couple non-critical test machines first, before you enable it across the environment.

I hope this helps and please, please, please make sure to always perform report -> evaluate -> block, otherwise, AP rules are so powerful that they get you lot of trouble if not configured properly.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

6 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

Hi @User59512346,

This should be possible using Access Protection Rules. It is very important to remember that Access protection can be used to control the Source process and hence I would recommend using the entire application path for blocking purpose with the target set to be wildcard (*) in sub-rules and it should do the trick for you! This should ensure to block firefox.exe when run from that specific path!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Highlighted

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

So I created a rule in our Access Protection policy catalog.  I set the action to block and added the executable 'firefox.exe' and gave the file path as 'C:\Users\obfuscated\AppData\Mozilla Firefox\' and I also made a subrule named 'firefox.exe', subrule type was selected as Files and then Operations was set to Create, Execute, Read, Rename and Write.  Targets was set to 'C:\Users\*\AppData\Local\Mozilla Firefox\firefox.exe'  I've enforced the policy on my test machine and I'm still able to install Firefox and run it from the AppData folder.  Am I missing anything.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 7

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

Hello @User59512346 

Will it be possible for you to provide screenshot of the rule you created?

 
 

 

 


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Highlighted

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

Access Protection Rules pageAccess Protection Rules page

Exectuables Rule pageExectuables Rule page

Subrules pageSubrules page

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

Hello @User59512346 

How this rule is defined, you are blocking firefox.exe process, listed under executable section, to create, execute, read, rename, write firefox.exe file listed in sub-rule.

Usually, that is not the case, especially with installation if Firefox doesn't exist on machine.

If you want to prevent firefox.exe to be created, executed, read, renamed, written in that location, you will leave sub-rule as is, however because it is highly unlikely that firefox.exe is the process doing that, you will remove firefox.exe as executable and leave it blank or replace it with *.

That AP rule should prevent any process of doing operations over firefox.exe in that location.

Please note:
What you are doing is highly dangerous, enabling block right away and without report at all.

Best practice is to configure rule to report only and than evaluate what that rule is actually blocking to make sure that the rule will not block some of essential system functions.

Once you are sure that the AP rule will not block anything other than what you wanted it to block then you can enable block on couple non-critical test machines first, before you enable it across the environment.

I hope this helps and please, please, please make sure to always perform report -> evaluate -> block, otherwise, AP rules are so powerful that they get you lot of trouble if not configured properly.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7

Re: Using McAfee ENS to block the installation or running of FireFox browser.

Jump to solution

Hi @User59512346,

@Kenchee_etf has given an excellent explanation and suggestion for you. If you need further understanding on Access protection, here is something I wrote a while back that might help you!

https://community.mcafee.com/t5/Endpoint-Security-ENS/Query-related-to-user-define-access-protection...

I sincerely hope this resolves your query!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community