Reliable Contributor Daniel_S
Message 1 of 6

Threat Advisories on W97M and Locky


Hey guys,

yet another question regarding the two currently released TAs:

McAfee wants us to add some specific folders to the Access-Protection-Rules.

For Example for the W97M:

Processes to include: * - so all are included

File or foldername to block: c:\users\user\appdata\roaming\*.exe - think this won't work as "user" is not specific. So I chose to use *\appdata\roaming\*.exe

I selected "Files being executed" and "New files being created".

BUT: Nothing is happening. I can create new files *.exe inside the roaming-folder as I like. I also tested the other solution from McAfee - nothing.

The same applied to the locky-TA. I ended up not specifying a folder here but just disallowing all programs from creating files with *.locky.

Is this a known problem or am I missing something?

Regards

Dan

Best regards
Dan
1 Solution

Accepted Solutions
Re: Threat Advisories on W97M and Locky


Hello,

try the following:

**\Users\*\AppData\*\*.exe

for the given Rule and which VSE/EP do you use?

Reliable Contributor Daniel_S
Message 3 of 6

Re: Threat Advisories on W97M and Locky


Hello,

we use VSE 8.8 P4.

I'll give it a try today and report back.

But thinking about it twice, why would one only want to block the creation of *.locky-files from Appdata? Maybe the next locky.exe will hide somewhere else...

Best regards
Dan

Re: Threat Advisories on W97M and Locky


Hello,

Those "*.locky" files are only the result of the encryption, and denying the creation (assumption->) will result in non-encrypted files, I guess, but denying the creation of the "encryption executable", the malware, in the userpath is the first protection. Many, but not all, malware writes an executable within the userpath, so this rule is not only good for Locky but for a whole range of malware and other unwanted programs.

greetings

Reliable Contributor Daniel_S
Message 5 of 6

Re: Threat Advisories on W97M and Locky


Hey mate,

you were absolutely right with the path-declaration.

Can you explain why yours worked and mine did not? What do the ** stars mean at the beginning?

Best regards

Dan

Re: Threat Advisories on W97M and Locky


Hello,

I would like you to have a look at this one: McAfee KnowledgeBase - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x or ...

All your questions will be answered there and the English is a lot better than mine would be in this matter 😉

greetings
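
An added illustration, not part of any post in this thread and not McAfee's matcher: a small Python model of the VSE wildcard rules, applied to the three patterns discussed above. The wildcard semantics are an assumption taken from the vendor's wildcard documentation, not stated in the thread ("?" is one character, "*" is any run of characters excluding a backslash, "**" is any run including backslashes); the function names and sample paths are constructed for the example.

```python
import re

def vse_pattern_to_regex(pattern):
    """Translate a VSE-style wildcard pattern into a compiled regex (assumed semantics)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # ** : zero or more characters, backslash included
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")     # *  : zero or more characters, stops at a backslash
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")      # ?  : exactly one character, not a backslash
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive, so the model matches that way too.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def rule_matches(pattern, path):
    """True if the whole path is covered by the pattern."""
    return vse_pattern_to_regex(pattern).fullmatch(path) is not None

def coverage(patterns, paths):
    """Map each pattern to the sample paths it would cover."""
    return {pat: [p for p in paths if rule_matches(pat, p)] for pat in patterns}

# The three patterns quoted in the thread.
TA_LITERAL = r"c:\users\user\appdata\roaming\*.exe"
SINGLE_STAR = r"*\appdata\roaming\*.exe"
DOUBLE_STAR = r"**\Users\*\AppData\*\*.exe"

# Constructed sample paths (not taken from any advisory).
SAMPLE_PATHS = [
    r"C:\Users\dan\AppData\Roaming\sample.exe",
    r"C:\Users\user\AppData\Roaming\sample.exe",
    r"C:\Users\dan\AppData\Local\Temp\sample.exe",
    r"C:\Users\dan\AppData\Roaming\notes.txt",
]

if __name__ == "__main__":
    for pat, hits in coverage([TA_LITERAL, SINGLE_STAR, DOUBLE_STAR], SAMPLE_PATHS).items():
        print(pat)
        for path in SAMPLE_PATHS:
            print("   ", "MATCH" if path in hits else "  -  ", path)
```

Under this model the accepted pattern matches .exe files exactly one folder below AppData, so deeper paths such as AppData\Local\Temp are worth testing against the real rule.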
