Is there any way to add a wildcard file name into the User-Defined section? I got an error when trying to do so and I was curious if there was another way. We got hit with the new SysGuard malware variant yesterday and neither VSE nor Artemis is picking it up. The reason I want the wildcard is because it is changing its name every time I see it, for example, 2 of the different names I saw were mgwcsysguard.exe and sagssysguard.exe. There were others that I saw and manually cleaned, but I was hoping that I could add a *sysguard.exe wildcard or something so it will kill any file that is in that format from running. Also, this thing hit with Artemis on Medium and Very High, and with all PUPS Scan Items checked.

Accepted Solutions
Yoda
Level 9
Message 2 of 8

Re: PUPS

Within the OnAccess Scanner you can only add exclusions in the user defined section. So perhaps I'm misunderstanding.

What you can do is use the Access Protection option from the console. Use the User Defined Rules, create a new one, File Folder blocking. Here you can use wildcards.

Hope this helps.

Re: PUPS

That was exactly what I was looking for, I didn't even think to put that in there. Hopefully that takes care of it because manually removing that thing was getting really time-consuming. Thank you!

Re: PUPS

I have been experiencing the same issue since Christmas Eve with sysguard infections, and was wondering how I could create a wildcard blocking rule.  Thanks for the info.  More specifically, what would the wildcard be named?  Would *sysguard.exe work?

Thanks

Yoda
Level 9
Message 5 of 8

Re: PUPS

It doesn't matter how you put in the filename. What you mentioned is fine.

acooper wrote:

I have been experiencing the same issue since Christmas Eve with sysguard infections, and was wondering how I could create a wildcard blocking rule.  Thanks for the info.  More specifically, what would the wildcard be named?  Would *sysguard.exe work?

Thanks

jctech
Level 7
Message 6 of 8

Re: PUPS

Is there a way to do this in EPO?

Re: PUPS

Yes there is, and it works like a charm!

Go to your Policy Catalog and under your VSE version, select Access Protection Policies. Click Edit on your active policy and once in there, click on User-Defined Rules and click New. Check File/Folder Blocking Rule once it comes up, name your rule, and in the field "File or folder name to block: (Wildcards are allowed)" type in *sysguard.exe

In the check boxes on the bottom, check all except Files being deleted.

This will stop the sysguard.exe file from even being created and if a computer is infected, it gets removed if you reboot the computer.
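
A companion sweep for machines that may already hold a copy, added here as an example (not part of the thread and not a McAfee tool): it walks a directory tree and lists every file whose name matches the `*sysguard.exe` wildcard from the rule above, with size and SHA-256 for triage. It assumes Python's `fnmatch` on the lower-cased file name is a close enough stand-in for the product's wildcard handling; the function names are hypothetical.

```python
import fnmatch
import hashlib
import os
import sys

PATTERN = "*sysguard.exe"  # wildcard quoted in the thread


def name_matches(filename, pattern=PATTERN):
    """Match on the file name only, ignoring case as Windows does."""
    return fnmatch.fnmatchcase(filename.lower(), pattern.lower())


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, pattern=PATTERN):
    """Return a sorted list of (path, size, sha256) for matching files under root."""
    hits = []
    # Directories that cannot be listed are skipped rather than aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if not name_matches(name, pattern):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits.append((path, os.path.getsize(path), sha256_of(path)))
            except OSError:
                # Locked or access-denied file: still report that it exists.
                hits.append((path, -1, "unreadable"))
    return sorted(hits)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, size, digest in sweep(start):
        print(f"{digest}  {size:>10}  {path}")
```

Any legitimate file whose name ends in `sysguard.exe` would show up in this listing too, and would be covered by the blocking rule in the same way.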

jctech
Level 7
Message 8 of 8

Re: PUPS

Awesome! Thanks!
