Multiple Files in File/Folder Access Protection Rule


Is there any way to specify multiple file names in a File/Folder Access Protection Rule?

Specifically, in VirusScan Enterprise 8.8 > Access Protection Policies > User-defined Rules >  File/Folder Access Protection Rule, on the line "File or folder name to block" is there a way to add more than one filename?

For instance, in the recent "Protecting against Ransomware" bulletin, in the section "Rules to help track systems that have been affected by these threats," seven file names are suggested to block, such as *HELP_DECRYPT.HTML, *HELP_DECRYPT.TXT, *Howto_RESTORE_FILES.BMP and *Howto_RESTORE_FILES.HTML.  It would be handy to be able to list all of those filenames in one line in one rule, rather than having to make a separate rule for each filename.

So far I have tried commas, semi-colons and spaces as separators in the "File or folder name to block" line without success. (When multiple files were listed, the rule did not trigger at all.  If only one filename is listed, the rule works well.)

Does anyone know of a way to specify more than one filename to block, in one rule?

- Charlie

1 Solution

Accepted Solutions
wwarren
Level 15
Message 2 of 7

Re: Multiple Files in File/Folder Access Protection Rule


This cannot be done with VSE.

Multiple rules would have to be declared in an attempt to satisfy the same criteria.

Endpoint Security 10.1 is where you would find this is possible.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
6 Replies
Re: Multiple Files in File/Folder Access Protection Rule


Okay, I won't worry about it then.  Thanks very much for the quick reply.

- Charlie

Re: Multiple Files in File/Folder Access Protection Rule


For what it's worth, you could minimize the total number of defined rules by using a wildcard for the extension.

*HELP_DECRYPT.TXT --> *HELP_DECRYPT.*

Re: Multiple Files in File/Folder Access Protection Rule


Quite true; thank you for the suggestion.  That is what I wound up doing.

*HELP_DECRYPT.TXT, PNG, XLSX, DOCX, PDF, GIF... Who cares?  It all sounds pretty suspicious. And if one of my users wants to name a file that way, too bad!

Unless of course it is the CEO.  Then...

- Charlie

Re: Multiple Files in File/Folder Access Protection Rule


Be sure you block file creation AND write access. File Creation only doesn't seem to work on 8.8p7. I've blocked these wildcards:

I'd welcome any other extensions or filename that I've missed.

One thing I am curious about, when ransomware can't drop these recovery instructions files, does it stop encrypting? Or do these files only get dropped after encryption is finished?

One rule I created is to allow the creation of key.dat, but disallow its deletion. Sadly, newer ransomware uses different filenames or keeps the key in memory, or no longer has those vulnerabilities.
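The two practical points in this thread (collapsing one rule per note name into one rule per family with an extension wildcard, and blocking write access as well as creation) are easy to reason about with a small model. The script below is an added illustration written for this page, not McAfee code: it treats the "File or folder name to block" value as a plain glob over the full path and models the blocked operations as a set per rule, both of which are assumptions about VSE's behaviour rather than a description of its engine. The file events are constructed for the demonstration; the note names are the four quoted in the question, and the key.dat rule mirrors the one described in the reply above.

```python
"""Model of consolidating File/Folder Access Protection rules with wildcards.

Added illustration, not McAfee code. Matching is a plain glob (fnmatch) over
the full path, and each rule carries the set of operations it blocks; both are
assumptions about how VSE evaluates a rule, not a statement of its real engine.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str            # what would be typed into "File or folder name to block"
    blocked_ops: frozenset  # operations this rule blocks (assumed model of the checkboxes)


@dataclass(frozen=True)
class Event:
    op: str    # "create", "write" or "delete"
    path: str  # full Windows path


# Four of the seven ransom-note names quoted in the question, one rule each.
EXPLICIT_NAMES = ["*HELP_DECRYPT.HTML", "*HELP_DECRYPT.TXT",
                  "*Howto_RESTORE_FILES.BMP", "*Howto_RESTORE_FILES.HTML"]
# The same families collapsed with an extension wildcard, as suggested in the thread.
CONSOLIDATED_NAMES = ["*HELP_DECRYPT.*", "*Howto_RESTORE_FILES.*"]

CREATE_ONLY = frozenset({"create"})
CREATE_AND_WRITE = frozenset({"create", "write"})

# Constructed file-activity events for the demonstration (not real telemetry).
SAMPLE_EVENTS = [
    Event("create", r"C:\Users\alice\Desktop\HELP_DECRYPT.TXT"),
    Event("write",  r"C:\Users\alice\Documents\HELP_DECRYPT.HTML"),    # note rewritten in place
    Event("create", r"C:\Users\alice\Downloads\Howto_RESTORE_FILES.BMP"),
    Event("create", r"C:\Users\alice\Desktop\HELP_DECRYPT.PNG"),       # extension absent from the explicit list
    Event("create", r"C:\Users\alice\Desktop\quarterly_report.docx"),  # benign activity
    Event("delete", r"C:\Users\alice\AppData\Roaming\key.dat"),
]


def build_rules(patterns: Iterable[str], ops: frozenset) -> List[Rule]:
    """One rule per pattern, all blocking the same set of operations."""
    return [Rule(f"block {p}", p, ops) for p in patterns]


def rule_matches(rule: Rule, event: Event) -> bool:
    """Windows file names are case-insensitive, so compare lower-cased forms.

    fnmatchcase treats the backslashes in the path literally, and a leading '*'
    in the pattern lets it match anywhere in the directory tree.
    """
    if event.op not in rule.blocked_ops:
        return False
    return fnmatch.fnmatchcase(event.path.lower(), rule.pattern.lower())


def first_matching_rule(rules: Iterable[Rule], event: Event) -> Optional[str]:
    """Name of the first rule that would block this event, or None."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule.name
    return None


def blocked_paths(rules: Iterable[Rule], events: Iterable[Event]) -> Set[str]:
    """Paths whose operation at least one rule would have blocked."""
    rules = list(rules)
    return {e.path for e in events if first_matching_rule(rules, e) is not None}


if __name__ == "__main__":
    variants = [
        ("4 explicit rules, create only", build_rules(EXPLICIT_NAMES, CREATE_ONLY)),
        ("2 wildcard rules, create only", build_rules(CONSOLIDATED_NAMES, CREATE_ONLY)),
        ("2 wildcard rules, create+write", build_rules(CONSOLIDATED_NAMES, CREATE_AND_WRITE)),
        ("key.dat: allow create, block delete", build_rules(["*key.dat"], frozenset({"delete"}))),
    ]
    for label, rules in variants:
        print(f"\n{label}:")
        for e in SAMPLE_EVENTS:
            print(f"  {e.op:6} {e.path:55} -> {first_matching_rule(rules, e)}")
```

Running it shows the trade-off the thread discusses: the two wildcard rules cover everything the four explicit rules do plus the `.PNG` variant, the write-to-existing-note event is only caught once `write` is in the blocked set, and the benign document never matches. The cost of the wildcard is that any file whose name ends in `HELP_DECRYPT.` followed by anything is blocked, which is exactly the "who cares" judgement made above.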

Re: Multiple Files in File/Folder Access Protection Rule


The majority of the time these recovery files are created prior to self-destruction. So - if you are seeing AP blocks triggered for the recovery files, there is a good chance you will be able to pull a sample of the malware from the machine(s) in question. Being able to obtain the .exe(s) is extremely valuable during outbreaks. Typically McAfee will have an extra dat within hours if determined to be a true positive.

One easy process example for such occasions -

1. UNC to node in question

2. "Hunt" for malware (view hidden folders, start with common directories (appdata, downloads))

3. Zip suspect file on the node in question (I use 7 zip - password must be 'infected')

4. Copy to local machine or sandbox

5. Upload to McAfee

6. Receive and deploy Extra DAT (follow up with support if you don't hear anything within a couple of hours)