mpearce
Level 7
Message 1 of 15

Configuring Low/High/Default risk processes policies

Currently my company is noticing a high count of events that have access protection rules as the threat type.  Their solution is to add the executable or file path to the excluded process list in access protection (AP) for whatever rule was listed in the threat type.  Upon further research I have found that the detection method is OAS. Upon review of the OAS policies I have found that they have chosen to use one scanning policy for all processes instead of using low/high/default.

My understanding of OAS is that it scans a process against the access protection rule set and if it finds a breach an event is fired noting that a threat has occurred.  My suspicion is that the event will fire every time OAS detects that an AP rule has been breached and that this is the cause of the high threat event count.  VSE seems to ignore the fact that the process is excluded in AP.  I am assuming this is by design? or is it a bug?

I would like to get some clarity on why the events are still firing even when a process is listed under the exclusions for an access protection rule.  I suspect that the event will fire each time because the on-access scanner has no concept of low/high/default risk policies and it will ignore the AP exclusion.  If this is true, why would it ignore the process if it is excluded?

I know that McAfee best practices will state that low/high/default policies should be used.  This is the direction I want to go.

My question is if I start adding the processes they have listed as exclusions in access protection into the low risk process policy will this cause a reduction in events?  What is the difference between adding a process to the low risk list versus adding it as an exclusion in the access protection?

Is there any documentation that explains in detail how the policies function?

14 Replies
ansarias
Level 13
Message 2 of 15

Re: Configuring Low/High/Default risk processes policies

Hello,

If a process is added to the Low/High/Default exclusion, then it will help during scanning whenever that process is doing any read/write activity, but if that process is captured by AP rules then we can stop those only if we have added it into the detected AP rule.

Can I have a sample log of that rule, if you can share it here?

mpearce
Level 7
Message 3 of 15

Re: Configuring Low/High/Default risk processes policies

Perhaps my questions/thinking will make more sense given a threat event that was received.

Source: C:\Program Files (x86)\EMC\NavisphereAgent\NaviAgent.exe

Target: C:\Program Files\Common Files\Mcafee\systemcore\mcshield.exe

Source User: <none, blank field>

Target User: NT Authority\System

Event ID: 1092

Severity: Notice

Threat Name: Common Standard Protection:Prevent Termination of McAfee processes

Threat Type: Access Protection

Action Taken: deny terminate

Threat Handled: true

Analyzer detection method: OAS

Event description: AP rule violation detected and blocked

The source process is in the excluded process list under that AP rule yet the event still fires.  The on-access default process policy is set to use one scanning policy for all processes. With the policies set the way they currently are this event will fire 700+ times in an hour from a single system.

If I were to change the on-access default policy to use low/high/default policies instead of using one policy and add NaviAgent.exe to the low risk process policy would that cause a decrease in the number of these events?  If there is a better way to "quiet" this event please let me know.

ansarias
Level 13
Message 4 of 15

Re: Configuring Low/High/Default risk processes policies

Thanks for the log file. Adding NaviAgent.exe to the low risk process policy or default will not help to stop logging the events.

It's a known issue and I had the same logs in my account also. I'd suggest adding NaviAgent.exe into McAfee access protection under 'processes to exclude' in the rule: Common Standard Protection:Prevent Termination of McAfee processes

[Attached screenshot: ScreenShot_ 01.49 04-Feb-15.jpg]

Please make sure to select the correct access protection setting for workstation or server.

Let me know if it fixes the issue.

mpearce
Level 7
Message 5 of 15

Re: Configuring Low/High/Default risk processes policies

Thanks for the advice. I noticed that the process is already in the 'processes to exclude' list. To me that says the process should be excluded and the event shouldn't fire.  But then again, if the process is excluded and the report box is checked, does that mean the event will still generate?

wwarren
Level 15
Message 6 of 15

Re: Configuring Low/High/Default risk processes policies


Thanks for the advice. I noticed that the process is already in the 'processes to exclude' list. To me that says the process should be excluded and the event shouldn't fire.  But then again, if the process is excluded and the report box is checked, does that mean the event will still generate?


No. The rule should not be violated by a process that is in the "Processes to exclude" list.

If it is still being triggered, then you have a policy issue to investigate. Either the policy change is not reaching the client, or has not reached it yet, or the policy is reaching the client but failing to be enforced.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
mpearce
Level 7
Message 7 of 15

Re: Configuring Low/High/Default risk processes policies

Seems there is a policy issue then.  There is a definite mismatch between the list of excluded processes in the policy versus the list the client is picking up.  There are many exclusions in the policy that are not picked up by the client.

So I have a few questions:

-Is there a limit on the number of processes that can be in the exclusion list?

-Is there a limit to the number of characters for each exclusion?

-Is there a limit to the number of sub-directories for each exclusion?

-Should the full path be used or just the executable?

For the last question I have gotten a mix of responses.  Some say the full path is needed others say just the executable name (filename.exe).

wwarren
Level 15
Message 8 of 15

Re: Configuring Low/High/Default risk processes policies


-Is there a limit on the number of processes that can be in the exclusion list?


Kind of. The UI is limited by number of characters. So you'll only be able to squeeze in a certain number of processes due to that.

Customizations to AP rules are stored on the client in the registry, and the Windows registry also imposes size limits.

Any additional exclusion adds risk, so it's not expected that anyone will proactively cram processes to exclude; that it'll only be done as needed, on a case by case basis to meet the environment's need where the risk is deemed acceptable.


-Is there a limit to the number of characters for each exclusion?


Same as above.

If you're not using the latest extension, you can also suffer from a past issue (XP only) that limits process names to 16 characters.


-Is there a limit to the number of sub-directories for each exclusion?


I don't understand the question.  What sub-directories are you referring to?


-Should the full path be used or just the executable?


It depends, and that's why you get varying responses.

If it's a Port Blocking AP rule, exclude process names only - do not include the path. If you do include the path, the exclusion may not work.

If it's a File or Registry rule, you can specify the full path if you wish but keep in mind the character limitation is still in effect.

Patch 5's extension will be more helpful in this regard, advising you when you are nearing the character limit, and preventing you from exceeding that limit.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
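
An added example, not code from this thread's posters or from McAfee, that turns the advice above into checks a defender can run while investigating the flood: it parses event records in the "Field: value" layout mpearce pasted (the three sample records below are constructed), counts AP events per rule and source executable so that a process that is already on the rule's exclusion list stands out, diffs the policy's exclusion list against what the client reports picking up, and flags full-path entries on a Port Blocking rule plus total length against a character limit. The character limit is a placeholder argument (the thread gives no number), the rule-type string is a caller-supplied label, and the registry storage of the exclusions is not read here.

```python
"""Triage helpers for an Access Protection (AP) event flood.

Added example, not McAfee's code and not from this thread's posters. Assumptions,
labelled as such: events arrive as 'Field: value' lines in the layout pasted in the
thread, blank-line separated; the exclusion character limit is a placeholder
argument because the thread gives no number; Port Blocking rules are identified
only by a caller-supplied rule_type string.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample input (three records): two from the NaviAgent.exe path in the
# thread and one from an invented C:\Backup\BackupAgent.exe, all for the same AP rule.
SAMPLE_EVENTS = r"""
Source: C:\Program Files (x86)\EMC\NavisphereAgent\NaviAgent.exe
Target: C:\Program Files\Common Files\Mcafee\systemcore\mcshield.exe
Event ID: 1092
Threat Name: Common Standard Protection:Prevent Termination of McAfee processes
Threat Type: Access Protection
Action Taken: deny terminate
Analyzer detection method: OAS

Source: C:\Program Files (x86)\EMC\NavisphereAgent\NaviAgent.exe
Target: C:\Program Files\Common Files\Mcafee\systemcore\mcshield.exe
Event ID: 1092
Threat Name: Common Standard Protection:Prevent Termination of McAfee processes
Threat Type: Access Protection
Action Taken: deny terminate
Analyzer detection method: OAS

Source: C:\Backup\BackupAgent.exe
Target: C:\Program Files\Common Files\Mcafee\systemcore\mcshield.exe
Event ID: 1092
Threat Name: Common Standard Protection:Prevent Termination of McAfee processes
Threat Type: Access Protection
Action Taken: deny terminate
Analyzer detection method: OAS
"""

RULE = "Common Standard Protection:Prevent Termination of McAfee processes"


def parse_events(text: str) -> list[dict[str, str]]:
    """Split blank-line separated records into dicts; split each line on its first ':'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def count_by_rule_and_source(events: list[dict[str, str]]) -> Counter:
    """Count AP events per (rule name, lower-cased source executable name).

    A high count for a process that is already on the rule's 'Processes to exclude'
    list is the symptom the thread describes: the exclusion is not being enforced.
    """
    counts: Counter = Counter()
    for ev in events:
        if ev.get("Threat Type") != "Access Protection":
            continue
        exe = ev.get("Source", "").rsplit("\\", 1)[-1].lower()
        counts[(ev.get("Threat Name", ""), exe)] += 1
    return counts


def exclusion_mismatch(policy_entries: list[str], client_entries: list[str]) -> set[str]:
    """Entries present in the ePO policy but missing on the client (case-insensitive)."""
    def norm(entries: list[str]) -> set[str]:
        return {e.strip().lower() for e in entries if e.strip()}
    return norm(policy_entries) - norm(client_entries)


def check_exclusion_list(rule_type: str, entries: list[str], char_limit: int) -> dict:
    """Flag path-style entries on a Port Blocking rule and total length over the limit.

    char_limit is a placeholder: the thread says a UI character limit exists but
    does not state the number.
    """
    path_entries = [e for e in entries if "\\" in e or "/" in e]
    total_chars = sum(len(e) for e in entries)
    return {
        "path_entries": path_entries if rule_type == "port_blocking" else [],
        "total_chars": total_chars,
        "over_limit": total_chars > char_limit,
    }


if __name__ == "__main__":
    for (rule, exe), n in count_by_rule_and_source(parse_events(SAMPLE_EVENTS)).items():
        print(f"{n:4d}  {exe}  [{rule}]")
    print(exclusion_mismatch(["NaviAgent.exe", r"C:\Tools\foo.exe"], ["naviagent.exe"]))
    print(check_exclusion_list("port_blocking", ["NaviAgent.exe", r"C:\Tools\foo.exe"], 20))
```

Feed parse_events the exported event text for one host and compare the top (rule, executable) pairs with the rule's exclusion list: a name that appears in both is the policy-enforcement problem wwarren describes, and exclusion_mismatch against the list the client actually reports confirms it without guessing.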
mpearce
Level 7
Message 9 of 15

Re: Configuring Low/High/Default risk processes policies

-Is there a limit to the number of sub-directories for each exclusion?


I don't understand the question.  What sub-directories are you referring to?


I meant is there a limit to the depth of the filepath in terms of number of folders that each excluded process can have? (c:\subdir1\subdir2\...\subdirN\file.exe)

Is there a character limit for each file path?

Do you happen to know the number of characters the policy allows for exclusions?  Is there a total number, or is it a certain number of characters per process?

ansarias
Level 13
Message 10 of 15

Re: Configuring Low/High/Default risk processes policies

Well, McAfee didn't define a limit to the depth of the file path, but you can use the option below in the exclusion:

c:\subdir1\subdir2\...\subdirN\file.exe

c:\subdir1\*\file.exe