Yet another question regarding the two currently released TAs:
McAfee wants us to add some specific folders to the Access-Protection-Rules.
For example, for the W97M:
Processes to include: * - so all are included
File or folder name to block: c:\users\user\appdata\roaming\*.exe - I think this won't work as "user" is not specific. So I chose to use *\appdata\roaming\*.exe
I selected "Files being executed" and "New files being created".
BUT: Nothing is happening. I can create new *.exe files inside the roaming folder as I like. I also tested the other solution from McAfee - nothing.
The same applied to the Locky TA. I ended up not specifying a folder here, but instead disallowing all programs from creating files with *.locky.
Is this a known problem or am I missing something?
We use VSE 8.8 P4.
I'll give it a try today and report back.
But thinking about it twice, why would one only want to block the creation of *.locky-files from Appdata? Maybe the next locky.exe will hide somewhere else...
Those "*.locky" files are only the result of the encryption, and denying their creation (assumption ->) will result in non-encrypted files, I guess. But denying the creation of the "encryption executable", the malware, in the user path is the first protection. Many, but not all, malware write an executable within the user path, so this rule is good not only for Locky but for a whole range of malware and other unwanted programs.
You were absolutely right with the path declaration.
Can you explain why yours worked and mine did not? What do the ** stars mean at the beginning?
I would like you to have a look at this one: McAfee KnowledgeBase - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x or ...
All your questions will be answered there, and the English is a lot better than mine would be in this matter ;-)
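Added example, not part of the thread and not McAfee code: a small Python model for checking which paths a rule would cover, showing why a single leading `*` misses files under `c:\users\<name>\appdata\roaming` while a leading `**` does not. It assumes the wildcard semantics of the linked KB article as commonly described (`*` and `?` stop at a backslash, `**` crosses folder levels); the `**` patterns and all sample paths are constructed for illustration, since the thread does not quote the working rule.

```python
import re

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a path pattern into a regex under the ASSUMED semantics:
       **  any run of characters, including backslashes (multiple folder levels)
       *   any run of characters except a backslash (stays in one level)
       ?   exactly one character except a backslash
    """
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def rule_matches(pattern: str, path: str) -> bool:
    """True if the whole path is covered by the pattern."""
    return pattern_to_regex(pattern).fullmatch(path) is not None

def coverage(patterns, paths):
    """Map each pattern to the list of sample paths it covers."""
    return {p: [x for x in paths if rule_matches(p, x)] for p in patterns}

# Constructed sample paths (not taken from the thread)
SAMPLE_PATHS = [
    r"c:\users\alice\appdata\roaming\dropper.exe",
    r"c:\users\bob\appdata\roaming\sub\tool.exe",
]
PATTERNS = [
    r"c:\users\user\appdata\roaming\*.exe",   # from the thread: literal "user"
    r"*\appdata\roaming\*.exe",               # from the thread: single leading *
    r"**\appdata\roaming\*.exe",              # constructed: leading **
    r"**\appdata\roaming\**.exe",             # constructed: also covers subfolders
]

if __name__ == "__main__":
    for pattern, hits in coverage(PATTERNS, SAMPLE_PATHS).items():
        print(f"{pattern!r:45} covers {len(hits)} of {len(SAMPLE_PATHS)} sample paths")
```

Under this model the third pattern still misses executables written to a subfolder of Roaming, so a rule should be tested with a harmless file at each depth it is meant to cover.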