dankell
Level 7
Message 1 of 11

Access Protection over enthusiastic?

We're having problems with Access Protection run from EPO on VirusScan Enterprise 8.5 and 8.7

Specific problems we are seeing at the moment are:

Cannot install printers (no indication given in access protection logs)

Cannot install / upgrade Flash

Cannot uninstall applications (probably related to installers being in the temp folder...)

Any suggestions on getting these allowed, without switching off IE/Firefox/temp run protection?

10 Replies

Re: Access Protection over enthusiastic?

Hi Dankell,

Have you selected Standard Protection or Maximum protection in the Access Protection?

If you have selected Maximum, I suggest you change that back to Standard and, to get some extra protection, you can customize the other settings in addition to whatever is covered under the Standard Protection by changing the settings in the Virus Scan On Access Scanner's properties. I think, in the current scenario, the Access Protection is stopping the files from being executed from the TEMP folder.

Please let me know if you need further help!

Sameer

dankell
Level 7
Message 3 of 11

Re: Access Protection over enthusiastic?

The printers seemed to be stopped by the Maximum Setting - "Prevent Creation of new executable files in Windows folder" - we've not switched that off along with other Maximum protection settings

Flash is being stopped by "Run files from the temp folder" settings under common.

We're also encountering other oddness. I've needed to put IE into the "excluded programs" for "Protect IE Settings" in order to allow it to change its own settings.

We don't seem to be able to update our Network settings through the Network Control Panel...

We're finding it very odd that the legitimate way of changing/doing things is being blocked

Re: Access Protection over enthusiastic?

Dankell,

Maximum protection gives you exactly what it says :- MAXIMUM Protection.

I do understand the processes are legit. But please remember that these paths are also misused by malware trying to spread themselves. Thus, I request you again to switch to STANDARD protection and then, by accessing the On Access Scanner Settings, you may select some additional features by customizing some settings and then making it optimal for your network.

Thank you

bhamill
Level 7
Message 5 of 11

Re: Access Protection over enthusiastic?

This is something I probably should know, but I don't- how does one change from Maximum back to Standard protection?  We use ePO4.0, VSE8.5.  When we install VSE, we select "Maximum protection" - I can't see any way in ePO to turn that off, other than unchecking block/report for every item in every policy.  Is there an easier way that I just don't know?

apoling
Level 14
Message 6 of 11

Re: Access Protection over enthusiastic?

Hi,

Please review what Access Protection rules are enabled for workstations and servers under VirusScan Ent 8.5 in ePO. These should be enforced on clients. If you find any discrepancy, i.e. ePO has fewer rules enabled for blocking than AP has on the client, this may indicate a policy enforcement problem (like no ePO agent functionality is active on the client).

Otherwise, there is no such way as enabling many rules at once under a collective name (like maximum protection), you need to selectively handle rules in ePO.

Was it that you had in mind?

Attila

bhamill
Level 7
Message 7 of 11

Re: Access Protection over enthusiastic?

Attila sez:

------------

Was it that you had in mind?

------------

Yes, exactly.  Thanks for the help.

dankell
Level 7
Message 8 of 11

Re: Access Protection over enthusiastic?

We've abandoned Maximum protection and that's solved some of the problem

EPO seems to be correctly pushing the settings out to the clients.

However, the problems we are having seem to be with how "strict" the Common Standard Protection is, for example:

I cannot install printers, either from Drag / Drop or Add Printers

I cannot, through the Network Control Panel, change the IP address of my computer - i.e. cannot select a wireless network

I could not change Internet Explorer's homepage through its *own* settings menu!

We want to protect our users from all of the above from third party vectors, however at the moment in order to actually allow people to carry on working, it looks like we need to abandon access protection.

One of our directors has been suggesting that we look elsewhere for this functionality...

apoling
Level 14
Message 9 of 11

Re: Access Protection over enthusiastic?

Hi,

Some Access Protection rules cannot simply be left on with problems managed by exclusions, because there would be too many exclusions out there. So that particular AP rule might need to be disabled (i.e. unselect blocking).

The three examples you mention here might be related to the "Prevent creation of new executable files in the Windows folder", "Protect Internet Explorer settings" and "Protect network settings" rules. Either you cannot create as many exclusions as would be needed (for new autoinstall printer drivers' setup programs, for example) or excluding a process is not recommended (Windows's Explorer.exe, when you use the GUI to change something).

Perhaps disabling these rules may solve your problems. On the other hand, did you consider having the Artemis feature enabled? It might counterbalance disabling these rules...

Attila

Message was edited by: Attila Polinger on 3/1/10 4:10:16 AM CST
sgrimmel
Level 11
Message 10 of 11

Re: Access Protection over enthusiastic?

Hi

If Maximum Protection is not set at installation, these issues should not arise. As suggested, rolling back Maximum Protection cannot be done by changing one setting only, and several rules will have to be disabled to disable this functionality. No matter which security software is employed, applying workable security measures is always a trade-off between how much protection you want and how much the users are allowed to do. The same applies when changing Microsoft security settings or policies, for instance.

Should you experience any of the issues described above when rolling out VirusScan Enterprise with the default settings, please contact McAfee Technical Support, as this should not be the case. After a default rollout it is good practice to evaluate security settings and see which additional ones can be implemented and existing ones tweaked.

HTH
