Multiple Files in File/Folder Access Protection Rule

Is there any way to specify multiple file names in a File/Folder Access Protection Rule?

Specifically, in VirusScan Enterprise 8.8 > Access Protection Policies > User-defined Rules >  File/Folder Access Protection Rule, on the line "File or folder name to block" is there a way to add more than one filename?

For instance, in the recent "Protecting against Ransomware" bulletin, in the section "Rules to help track systems that have been affected by these threats," seven file names are suggested to block, such as *HELP_DECRYPT.HTML, *HELP_DECRYPT.TXT, *Howto_RESTORE_FILES.BMP and *Howto_RESTORE_FILES.HTML.  It would be handy to be able to list all of those filenames in one line in one rule, rather than having to make a separate rule for each filename.

So far I have tried commas, semi-colons and spaces as separators in the "File or folder name to block" line without success. (When multiple files were listed, the rule did not trigger at all.  If only one filename is listed, the rule works well.)

Does anyone know of a way to specify more than one filename to block, in one rule?

- Charlie

Accepted Solutions
McAfee Employee

Re: Multiple Files in File/Folder Access Protection Rule

This cannot be done with VSE.

Multiple rules would have to be declared in an attempt to satisfy the same criteria.

Endpoint Security 10.1 is where you would find this is possible.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

6 Replies

Re: Multiple Files in File/Folder Access Protection Rule

Okay, I won't worry about it then.  Thanks very much for the quick reply.

- Charlie

Re: Multiple Files in File/Folder Access Protection Rule

For what it's worth, you could minimize the total number of defined rules by using a wildcard for the extension.

*HELP_DECRYPT.TXT --> *HELP_DECRYPT.*
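To see what the collapsed wildcard actually covers compared with one rule per filename (and why a comma-separated list in a single rule never fires if the field is treated as one pattern), here is an added example that is not from the thread or from McAfee. It uses PowerShell's `-like` operator as a stand-in for the Access Protection wildcard matching; that VSE treats `*` the same way is an assumption, and the sample filenames are constructed, not real indicators.

```powershell
# Added example: compare rule coverage over constructed filenames.
# Assumption: VSE's "File or folder name to block" treats * as "any run of
# characters" and matches case-insensitively, as PowerShell's -like does.

# The bulletin's names as one rule each.
$SeparateRules = @(
  '*HELP_DECRYPT.TXT', '*HELP_DECRYPT.HTML',
  '*Howto_RESTORE_FILES.BMP', '*Howto_RESTORE_FILES.HTML'
)
# The same names collapsed to one rule per base name.
$CollapsedRules = @('*HELP_DECRYPT.*', '*Howto_RESTORE_FILES.*')
# The comma-separated form tried in the original post, read as a single pattern.
$CommaRule = @('*HELP_DECRYPT.HTML, *HELP_DECRYPT.TXT')

# Constructed filenames an endpoint might see (not real IoCs).
$Samples = @(
  'HELP_DECRYPT.TXT', 'HELP_DECRYPT.HTML', 'HELP_DECRYPT.PNG', 'help_decrypt.url',
  'Howto_RESTORE_FILES.BMP', 'Howto_RESTORE_FILES.HTML',
  'Q3_budget.docx', 'README.TXT'
)

function Test-RuleCoverage {
  param([string[]]$Patterns, [string[]]$Names)
  foreach ($n in $Names) {
    # First pattern that matches the name, or $null when no rule would block it.
    $hit = $Patterns | Where-Object { $n -like $_ } | Select-Object -First 1
    [pscustomobject]@{ Name = $n; Blocked = [bool]$hit; Rule = $hit }
  }
}

'--- separate rules (one filename each) ---'
Test-RuleCoverage -Patterns $SeparateRules -Names $Samples | Format-Table -AutoSize
'--- collapsed wildcard rules ---'
Test-RuleCoverage -Patterns $CollapsedRules -Names $Samples | Format-Table -AutoSize
'--- comma-separated list in one rule ---'
Test-RuleCoverage -Patterns $CommaRule -Names $Samples | Format-Table -AutoSize
```

With the separate rules, `HELP_DECRYPT.PNG` and `help_decrypt.url` are not blocked; the collapsed `*HELP_DECRYPT.*` rule catches both while still leaving `README.TXT` and the budget file alone, and the comma-separated pattern matches none of the samples because no filename literally contains `, *`. The trade-off is the one raised later in the thread: any legitimate file named that way is blocked too.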

Re: Multiple Files in File/Folder Access Protection Rule

Quite true; thank you for the suggestion.  That is what I wound up doing.

*HELP_DECRYPT.TXT, PNG, XLSX, DOCX, PDF, GIF... Who cares?  It all sounds pretty suspicious. And if one of my users wants to name a file that way, too bad!

Unless of course it is the CEO.  Then...

- Charlie

Re: Multiple Files in File/Folder Access Protection Rule

Be sure you block file creation AND write access. File Creation only doesn't seem to work on 8.8p7. I've blocked these wildcards:

I'd welcome any other extensions or filename that I've missed.

One thing I am curious about, when ransomware can't drop these recovery instructions files, does it stop encrypting? Or do these files only get dropped after encryption is finished?

One rule I created is to allow the creation of key.dat, but disallow its deletion. Sadly, newer ransomware uses different filenames or keeps the key in memory, or no longer has those vulnerabilities.

Re: Multiple Files in File/Folder Access Protection Rule

The majority of the time these recovery files are created prior to self-destruction. So - if you are seeing AP blocks triggered for the recovery files, there is a good chance you will be able to pull a sample of the malware from the machine(s) in question. Being able to obtain the .exe(s) is extremely valuable during outbreaks. Typically McAfee will have an extra dat within hours if determined to be a true positive.

One easy process example for such occasions -

1. UNC to node in question

2. "Hunt" for malware (view hidden folders, start with common directories (appdata, downloads))

3. Zip suspect file on the node in question (I use 7 zip - password must be 'infected')

4. Copy to local machine or sandbox

5. Upload to McAfee

6. Receive and deploy Extra DAT (follow up with support if you don't hear anything within a couple of hours)
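Steps 1 to 4 of that process, written up as an added PowerShell triage helper (not the poster's or McAfee's code). It reaches the node's `C$` share over UNC, lists recently written executables and scripts in the common drop locations including hidden items, records a SHA-256 manifest, and archives any path the analyst picks with 7-Zip under the password `infected`, writing the archive straight to the analyst's machine so steps 3 and 4 merge. Assumptions: admin rights to the share, 7-Zip at its default install path, and the host and file names shown are placeholders.

```powershell
# Added example: triage helper for the collection process above.
# Assumptions: analyst has admin rights to \\<node>\C$, 7-Zip is installed at
# the default path, host/file names are placeholders.
param(
  [Parameter(Mandatory)][string]$ComputerName,          # e.g. WS-PLACEHOLDER-01
  [string]$OutDir = "$env:USERPROFILE\Triage",
  [int]$RecentHours = 72
)

$Root     = "\\$ComputerName\C$\Users"                  # step 1: UNC to the node
$Since    = (Get-Date).AddHours(-$RecentHours)
$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 2: hunt in the common directories. -Force includes hidden items.
$DropDirs = 'AppData\Local', 'AppData\Roaming', 'AppData\Local\Temp', 'Downloads'
$Candidates = Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    foreach ($sub in $DropDirs) {
      $p = Join-Path $_.FullName $sub
      if (Test-Path $p) {
        Get-ChildItem -Path $p -Recurse -Force -File -Include *.exe, *.dll, *.scr, *.js, *.vbs `
          -ErrorAction SilentlyContinue |
          Where-Object { $_.LastWriteTime -ge $Since }
      }
    }
  }

# Manifest with hashes, so what was collected can be matched against vendor results later.
$Manifest = foreach ($f in $Candidates) {
  [pscustomobject]@{
    Path     = $f.FullName
    Size     = $f.Length
    Modified = $f.LastWriteTime
    Hidden   = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
    Sha256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
  }
}
$Manifest | Export-Csv -Path (Join-Path $OutDir "$ComputerName-candidates.csv") -NoTypeInformation
$Manifest | Sort-Object Modified -Descending | Format-Table Modified, Hidden, Size, Path -AutoSize

# Steps 3 and 4: archive a chosen file with the agreed password and header
# encryption, written directly to the analyst's machine for upload.
function Export-Suspect {
  param([Parameter(Mandatory)][string]$Path)
  $name    = [IO.Path]::GetFileName($Path)
  $archive = Join-Path $OutDir "$name.7z"
  & $SevenZip a -pinfected -mhe=on $archive $Path | Out-Null
  if ($LASTEXITCODE -ne 0) { throw "7-Zip failed for $Path (exit $LASTEXITCODE)" }
  $archive
}

# Usage (placeholder path):
# Export-Suspect -Path '\\WS-PLACEHOLDER-01\C$\Users\someuser\AppData\Local\Temp\suspect.exe'
```

Run it as `.\Triage.ps1 -ComputerName WS-PLACEHOLDER-01`, review the table, then call `Export-Suspect` on the paths worth submitting. The manifest CSV is what you keep alongside the support case: the hashes let you confirm later that the extra DAT covers exactly what was pulled from the node.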
