I have recently updated some clients to VSE patch 10 from patch 8 - so I am just now learning about enhanced self protection. I have a few compiled programs that I use to perform tasks in McAfee -- these are things like writing custom values into the registry location for custom props that Agent will collect. I also have some homegrown removal scripts written to fix VSE or HIPS when an installation goes awry and needs to be "manually" uninstalled so that the installer can try again. Scripts like these will not be signed by Microsoft or McAfee. They are all custom .exe files and are not (but could easily be) signed by our own Trusted Publisher certificate.
It is my understanding, if I want Access Protection to work the same as it always has, that I need to disable enhanced self protection. Is that right? There is no middle ground where I could sign the executable or MD5 hash the executable so that self protection overlooks the fact that the application does not belong to McAfee or Microsoft.
The other thing in there that caught my eye was the Global Exclusion for Self protection. This sounds perfectly like what I want, but the documentation in the release notes is not very clear and has lots of ominous warnings. I would LOVE to take an MD5 hash of a process of my own creation and get McAfee to "trust" it to do things in the protected McAfee registry and files. It says something like it gets removed as soon as it is created? I don't understand this part of McAfee Corporate KB - New Arbitrary Access Control global exclusion rule included with VirusScan Ent...
A new Arbitrary Access Control (AAC) global exclusion rule is provided in VSE 8.8 Patch 10. AAC rule provides critical protection to McAfee processes and system resources against zero day threats across multiple McAfee products. Using an AAC global exclusion bypasses all other AAC rules and exposes risks. Anytime a global exclusion is used to bypass AAC, it is removed
Does that mean I can't use global exclusions to do what I want or does it mean that if a global exclusion does something too bad, then the extension gets removed?
Like, can I write a program called "REMOVEHIPS.exe" that uninstalls HIPS? This would normally be blocked by access protection. In the past, I could have added removehips.exe to the exclusions list and it would be able to bypass AP rules. Now, in Patch 10, can I still do this by simply adding a global exclusion along with "removeHIPS.exe" and its MD5 hash?
I don't understand this document, as it is confusing me between AAC global exclusion and Global Exclusions for Self Protection. Are these the same thing? How are they related? I thought I was reading about AP global exclusions and the article starts talking about Arbitrary Access Control and who knows what that is... I just wanna "green light" my HIPS and VSE ripper programs and my tools that update the custom props values. I am fine with signing them or MD5 hashing them, but I DO need them to work. For now I just disabled enhanced self protection - though I understand why it is needed. After all, I could have just named my VSE removal tool Scan64.exe - and prior to enhanced self protection - that would have been allowed to do everything.
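The post talks about identifying the custom tools by MD5 hash or by signing them with an in-house Trusted Publisher certificate. The script below is an added example, not from the original post and not McAfee's code; it inventories a list of admin tools (placeholder paths) with their MD5 and SHA-256 hashes and Authenticode signature state, and optionally signs them with a code-signing certificate from the current user's store, so the values can be reviewed before going into any exclusion rule. Which hash or signer attribute the VSE/AAC exclusion actually accepts is not determined here; that has to come from the product documentation.

```powershell
# Added example (not from the original post or McAfee documentation).
# Builds a trust inventory for custom admin tools: file hashes plus
# Authenticode status, and can sign unsigned tools with an internal
# code-signing certificate. Paths below are placeholders.

$tools = @(
    'C:\AdminTools\REMOVEHIPS.exe',     # placeholder path
    'C:\AdminTools\SetCustomProps.exe'  # placeholder path
)

function Get-ToolTrustInfo {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $md5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path       = $p
            MD5        = $md5
            SHA256     = $sha256
            SigStatus  = $sig.Status      # Valid / NotSigned / HashMismatch / NotTrusted ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

function Set-ToolSignature {
    # Signs each file with the first code-signing cert in the user's store.
    # Assumes an internal code-signing certificate has already been issued
    # and installed; nothing here creates or distributes one.
    param([string[]]$Path)
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
    foreach ($p in $Path) {
        Set-AuthenticodeSignature -FilePath $p -Certificate $cert -HashAlgorithm SHA256
    }
}

$report = Get-ToolTrustInfo -Path $tools
$report | Format-Table -AutoSize

# Flag anything unsigned or whose signature no longer matches the file contents.
# A HashMismatch means the binary changed after signing and should be rebuilt
# and re-signed, not excluded as-is.
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "$($_.Path): signature status $($_.SigStatus)" }

# Optional: sign the unsigned ones, then re-run the inventory.
# Set-ToolSignature -Path ($report | Where-Object SigStatus -eq 'NotSigned').Path
# Get-ToolTrustInfo -Path $tools | Format-Table -AutoSize
```

Two points a practitioner would want here: an MD5 value pins one exact build, so every rebuild of the tool needs the exclusion updated, and MD5 is collision-prone, so where the product also accepts a SHA-256 or a signer identity, prefer those. A signature from an internal certificate identifies the publisher across builds, which is why the post's "sign it with our Trusted Publisher certificate" option is usually the more maintainable one if the self-protection rule can key on it.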