We're having problems with Access Protection run from EPO on VirusScan Enterprise 8.5 and 8.7
Specific problems we are seeing at the moment are:
Cannot install printers (no indication given in access protection logs)
Cannot install / upgrade Flash
Cannot uninstall applications (probably related to installers being in the temp folder...)
Any suggestions on getting these allowed, without switching off IE/Firefox/temp run protection?
Have you selected Standard Protection or Maximum Protection in Access Protection?
If you have selected Maximum, I suggest you change that back to Standard. To get some extra protection, you can customize the other settings in addition to whatever is covered under Standard Protection by changing the settings in the VirusScan On-Access Scanner's properties. I think, in the current scenario, Access Protection is stopping the files from being executed from the TEMP folder.
Please let me know if you need further help!
The printers seemed to be stopped by the Maximum Setting - "Prevent Creation of new executable files in Windows folder" - we've not switched that off along with other Maximum protection settings
Flash is being stopped by "Run files from the temp folder" settings under common.
We're also encountering other oddness. I've needed to put IE into the "excluded programs" for "Protect IE Settings" in order to allow it to change its own settings.
We don't seem to be able to update our Network settings through the Network Control Panel...
We're finding it very odd that the legitimate way of changing/doing things is being blocked
Maximum protection gives you exactly what it says :- MAXIMUM Protection.
I do understand the processes are legit. But please remember that these paths are also misused by malware trying to spread itself. Thus, I request you again to switch to STANDARD protection and then, by accessing the On-Access Scanner settings, you may select some additional features by customizing some settings and making it optimal for your network.
This is something I probably should know, but I don't- how does one change from Maximum back to Standard protection? We use ePO4.0, VSE8.5. When we install VSE, we select "Maximum protection" - I can't see any way in ePO to turn that off, other than unchecking block/report for every item in every policy. Is there an easier way that I just don't know?
Please review what Access Protection rules are enabled for workstations and servers under VirusScan Ent 8.5 in ePO. These should be enforced on clients. If you find any discrepancy, i.e. ePO has fewer rules enabled for blocking than AP has on the client, this may indicate a policy enforcement problem (like no ePO agent functionality is active on the client).
Otherwise, there is no such way as enabling many rules at once under a collective name (like maximum protection), you need to selectively handle rules in ePO.
Was it that you had in mind?
We've abandoned Maximum protection and that's solved some of the problem
EPO seems to be correctly pushing the settings out to the clients
However the problems we are having seem to be with how "strict" the Common Standard Protection is, for example
I cannot install printers, either from Drag / Drop or Add Printers
I cannot, through the Network Control Panel, change the IP address of my computer - i.e. cannot select a wireless network
I could not change Internet Explorer's homepage through its *own* settings menu!
We want to protect our users from all of the above from third party vectors, however at the moment in order to actually allow people to carry on working, it looks like we need to abandon access protection.
One of our directors has been suggesting that we look elsewhere for this functionality...
Some Access Protection rules cannot just be left on with the problems managed by exclusions, because there would be too many exclusions out there. So that particular AP rule might need to be disabled (i.e. unselect blocking).
The three examples you mention here might be related to "Prevent creation of new executable files in the Windows folder" , "Protect Internet Explorer settings" and "Protect network settings" rules. Either you cannot create as many exclusions as would be needed (for new autoinstall printer drivers' setup programs, for example) or excluding a process is not recommended (Windows's Explorer.exe, when you use the GUI to change something).
Perhaps disabling these rules may solve your problems. On the other hand, did you consider having the Artemis feature enabled? It might counterbalance disabling these rules...
Attila
Message was edited by: Attila Polinger on 3/1/10 4:10:16 AM CST
If Maximum Protection is not set at installation, these issues should not arise. As suggested, rolling back Maximum Protection cannot be done by changing one setting only, and several rules will have to be disabled to turn off this functionality. No matter which security software is employed, applying workable security measures is always a trade-off between how much protection you want and how much the users are allowed to do. The same applies if changing Microsoft security settings or policies, for instance.
Should you experience any of the issues described above when rolling out VirusScan Enterprise with the default settings, please contact McAfee Technical Support, as this should not be the case. After a default rollout it is good practice to evaluate security settings and see which additional ones can be implemented and which existing ones tweaked.