needa
Level 8
Message 1 of 2

Access Protection does not block http


I have a clean Windows 7 32-bit system with VSE 8.8 installed. I have enabled the Access Protection HTTP/FTP blocking option. Both the Block and Report boxes are checked. The system has the policy, verified by viewing the AP properties on the endpoint. Other options, such as custom file R/W blocking, are working in the same policy. I have rebooted the system and still get no HTTP blocking.

Why does HTTP blocking not work? How does it block: simple port 80/443/22 blocking, or something better?

VSE 8.8 5600.1067

AP DAT 659

Patch 4

ePO 5.1 509

Accepted Solution
needa
Level 8
Message 2 of 2

Re: Access Protection does not block http


From a Ben Andrew white paper... Basically this blocking was meant for processes outside of the browser that are using port 80 to download or upload content.

"Prevent HTTP communication"

Many spyware, adware, and Trojan programs use port 80 for software downloads, bundled components, or updates. This rule will prevent any service (using svchost.exe) from communicating over port 80. This would stop common spyware and adware delivery mechanisms. Some server software uses port 80, although this isn't common in desktops.

This rule will block all HTTP communication for processes not in the exclusions list. Like FTP traffic, HTTP traffic is used by many applications to retrieve or transmit data. Spyware, adware, and Trojans also commonly use HTTP communication for software downloads of third-party components or updates.

There are also many legitimate reasons for processes to communicate via HTTP. Many applications use a registration or self-update procedure that communicates over HTTP. Without the process being listed in the exclusions list, the traffic would be blocked; therefore, McAfee strongly recommends a thorough test and review cycle before enabling this rule.

Intention: Many Trojans download scripts or other Trojans from websites controlled by the Trojan's author. For example, http://vil.nai.com/vil/content/v_100487.htm. By blocking this communication, even if a system becomes infected with a new unknown Trojan it will be unable to download further malicious code.

Risks: HTTP is a very widely used protocol. While we have included popular web browsers in the exclusion list, there may be many programs you may need to add based on your particular environment.

ID and name in Host IPS: There is no corresponding signature in Host IPS.
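A practical way to confirm what the answer above describes, as an added example that is not part of the original post or of McAfee's documentation: the rule is process-based, so testing it from a browser (which is in the default exclusion list) proves nothing. The PowerShell script below makes a raw TCP connect to port 80 and to port 443 from powershell.exe, then counts new "Prevent HTTP communication" entries in the Access Protection log. It is written for PowerShell 2.0 (the Windows 7 default). The log path, the rule-name string as it appears in the log, the target host, and the assumption that powershell.exe is not in the rule's process exclusion list are all assumptions to adjust for your environment.

```powershell
# Added example (not from the original post or McAfee): probe the VSE 8.8 Access Protection
# "Prevent HTTP communication" rule from a non-browser process and check the AP log for a hit.
# Run from an elevated powershell.exe on the test endpoint. PowerShell 2.0 is sufficient.

# ASSUMPTION: default AP log location on Windows 7; adjust if your install differs.
$ApLog = Join-Path $env:ProgramData 'McAfee\DesktopProtection\AccessProtectionLog.txt'
# ASSUMPTION: the rule name as it is written into the log.
$RuleName = 'Prevent HTTP communication'
# ASSUMPTION: any host that answers on 80 and 443; only the TCP connect matters.
$TargetHost = 'www.example.com'

function Test-OutboundPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # A raw socket connect, so the outcome reflects the port rule for THIS process,
    # not a browser's exclusion and not HTTP-level content filtering.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($ar)
        return 'connected'
    } catch {
        # AP blocking at the socket layer surfaces here as a socket exception.
        return ('failed: ' + $_.Exception.Message)
    } finally {
        $client.Close()
    }
}

function Get-RuleHitCount {
    param([string]$LogPath, [string]$Rule)
    # Count log lines mentioning the rule; @() keeps .Count valid on PS 2.0 for 0 or 1 match.
    if (-not (Test-Path $LogPath)) { return 0 }
    return @(Get-Content $LogPath | Select-String -SimpleMatch $Rule).Count
}

$before = Get-RuleHitCount -LogPath $ApLog -Rule $RuleName

# Port 443 is probed as well so the output shows whether the rule stops at port 80,
# as the white paper text describes, or also catches HTTPS.
foreach ($port in 80, 443) {
    $result = Test-OutboundPort -HostName $TargetHost -Port $port
    Write-Host ('{0}:{1} from {2} -> {3}' -f $TargetHost, $port, 'powershell.exe', $result)
}

Start-Sleep -Seconds 2   # give the AP logger a moment to flush
$after = Get-RuleHitCount -LogPath $ApLog -Rule $RuleName

if ($after -gt $before) {
    $new = $after - $before
    Write-Host ("Access Protection logged {0} new '{1}' event(s):" -f $new, $RuleName)
    Get-Content $ApLog | Select-String -SimpleMatch $RuleName | Select-Object -Last $new
} else {
    Write-Host ("No new '{0}' events. Either powershell.exe is in the rule's exclusion list," -f $RuleName)
    Write-Host 'the rule is set to Report only, or the policy on the endpoint is not the one you think it is.'
}
```

If port 80 reports "connected" and no new log line appears, the process you tested from is excluded or the rule is not actually enforcing; if port 80 fails while 443 connects, the rule is doing exactly what the quoted white paper says and nothing more, so encrypted or non-port-80 downloads by an untrusted process are outside its scope.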
