splash
Level 9
Message 1 of 11

Automatically enable Access Protection

Hi

We have a mixture of Vscan 8.7 and 8.8 rolled out and every now and then we have had to disable access protection to install/uninstall programs. It appears that a few of my colleagues in the IT dept haven't been enabling this after installing/uninstalling programs, so the AV has basically been disabled and now we're not sure how many machines have it disabled.

Is there a way of making sure access protection gets enabled after a set time if it's disabled? We have a password that you have to type in before you can enable or disable anything in the console, and it appears that after a while that locks itself, so surely the same can be done with access protection?

Cheers

10 Replies

Re: Automatically enable Access Protection

Hi,

I am actually curious as to why you would always enable/disable the access protection just to install some programs? Not a good idea to go about doing things. If I were you, I would probably have the Access Protection at a Standard Level to begin with and then would go about customizing it. If we go with the Maximum Protection, that is when McAfee would not allow you to install any programs.

So here, instead of distributing the credentials to all the users who have the right to enable/disable the Access Protection, I suggest you freeze upon a policy which gives you watertight protection but also isn't as much of a pain as it is now when you install something.

To answer your question, please take a look at this.

http://kb.mcafee.com/agent/index?page=content&id=KB51164&actp=search&viewlocale=en_US&searchid=13032...

Thank you

Sameer

splash
Level 9
Message 3 of 11

Re: Automatically enable Access Protection

Hi

We need to enable and disable the access protection to install programs as we have the anti-spyware module activated, which blocks EXEs running from the temp directory, so when trying to install Office, Firefox, Chrome etc. they all get blocked by the AV unless you disable access protection. Only IT and 2 other people know the password to unlock the virus scan, but most people were thinking that, like the locking feature, after a while the access protection would be enabled as well.

I think I have got it to enable every time it connects to our main AV server for an update, so I will settle on that for now.

Thanks

McAfee Employee hem
McAfee Employee
Message 4 of 11

Re: Automatically enable Access Protection

Rather than disabling AP, I would suggest adding those trusted EXEs to the AP exclusions.

Regis
Level 12
Message 5 of 11

Re: Automatically enable Access Protection

Shouldn't the McAfee agent be enforcing your ePO-set access protection policies?

If you go into ePO, in your system tree for one of the systems, highlight the group the PCs are in, and go into the Assigned Policies tab, selecting Product McAfee Agent... click on the policy that is assigned (My_Default if you haven't specified anything custom). There, under McAfee Agent > General > [name of policy], what is your Policy enforcement interval (minutes)? What is your Agent to server communication interval (and is "enable agent to server communication" enabled)?

I believe the job of these features is to handle the exact situation you are describing. Assuming, of course, a McAfee agent created by your ePO is installed on these systems and that they're centrally managed by an ePO.

splash
Level 9
Message 6 of 11

Re: Automatically enable Access Protection

Hi Regis

The

I have noticed that if I go into McAfee Agent Status Monitor and do Enforce Policies, this will enable Access Protection, so maybe if I shorten the Policy Enforcement interval to something small like 60 minutes, would that sort it? Also, if I did this, what would it do to machines getting policies enforced every hour? Would it slow them down?

Thanks

metalhead
Level 12
Message 7 of 11

Re: Automatically enable Access Protection

There will be no slow down. Enforcing the policy is a "local action" and will reset VSE to the settings you specified in the assigned ePO VSE policies.

So if AP is enabled there it will be reenabled. Also setting a "not-User-known" password on the VSE GUI would help.

Reliable Contributor andrep1
Reliable Contributor
Message 8 of 11

Re: Automatically enable Access Protection

Maybe you'll think we're on the extreme side, but we enforce policy every 15 minutes and it will re-enforce AP.

If someone requires disabling of AP, we disable it centrally by assigning an open AP policy to that device and then remove it once done.

splash
Level 9
Message 9 of 11

Re: Automatically enable Access Protection

OK, I will change the policy enforcement to 45 mins and see how we get on. Also, we do have a password on the VirusScan Console, but what has happened is that my colleagues had been disabling AP to install programs and then never enabled it after. Hopefully this will sort it out.

Thanks

Regis
Level 12
Message 10 of 11

Re: Automatically enable Access Protection

The policy enforcement interval in the environment I work in is actually 5 minutes. I'd definitely crank that down further. It gets annoying when you need to override something on a local client, but you can always have another ePO group you can move the host to with a longer policy enforcement interval (e.g. a "triage/cleanup group") and go from there.

We use "don't run from temp directory" access protection as well, but by populating the exceptions in ePO appropriately and saving download files to some directories other than ones with the word temp in them, life can continue without needing to disable access protection for installing programs. We install programs quite frequently, and only on a couple of occasions in the past year have I had to disable access protection.

Good luck.

on 5/9/11 8:05:47 AM CDT