Unwanted Programs Policy: How to Handle Changing Filenames?

All -

Has anyone figured out a way to add programs to the VSE Unwanted Programs Policy that have filenames that are constantly changing?

For example, my company has decided to block the Dropbox desktop application. The executable for this app is constantly changing as the version is updated, so

"dropbox 1.1.1.exe" when updated becomes "dropbox 1.1.2.exe".

How can I combat against this without tracking down the version numbers and executables of every piece of software in the Unwanted Programs Policy?

robpow
Message 2 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

You might want to take a look at McAfee Application Control (formerly SolidCore); it has more powerful blocking features.

Matt

kenobe
Message 3 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Try wildcards?  For example: dropbox*.exe or dropbox?.?.?.exe

The way McAfee uses wildcards is a bit different.  Read how here:

https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Thank you both for the responses.

@Robpow - Solidcore would make things a lot easier on that front. I have deployed Solidcore for a small subset of systems at my company that hold data of a very sensitive nature, but have not deployed it enterprise wide.

@Kenobe - Thank you for this helpful link, the use of the wildcard is what I have been looking for.

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Did this work for you? I am not able to use wildcards when specifying file names through the Unwanted Programs Policy. I get a "ii" when I enter dropbox*.exe and the box is grayed out and I can't save.

robpow
Message 6 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

No, didn't think you could have wildcards in the Unwanted Programs Policy (or any On-Access Scanner) process name fields. Think only the exclude by target file/folder options take wild cards.

Matt

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

You guys are correct, the wildcards did not work for my case.

Dvanmeter
Message 8 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

What you want to do is use the access protection features in McAfee AV instead of the unwanted programs feature. Access protection rules can use a wide range of wildcard options. If you're not familiar with using access protection rules, it basically denies access of the file name from being written, read, created, modified, or deleted. You choose the permission level. The former comment is right about Solidcore or even McAfee HIPS; you can basically be even more restrictive on access by using a file hash instead of name, but for what you are describing you want to do, it is very simple to do with access protection rules in the AV product.

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Thanks Dvanmeter, I had not considered using either of those options.

I do have HIPS deployed (IPS mode only at this time), but I was not aware that I could use Access Protection rules for this function.

I could just add a new File/Folder Blocking Rule under the user-defined Rules, correct? So I could do something to this effect:

Rule name: Block Dropbox

Processes to include: * (I am assuming this is OK to leave)

Processes to exclude: (leave blank)

File or folder name to block: dropbox?.*

File actions to prevent:
  • Read
  • Write
  • Execute
  • Create
  • Delete (I guess I could leave this unchecked?)

HIPS I am not as familiar with yet, but I will investigate both options.

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Yes, you are on the right track. I would leave the delete option unchecked so it can be removed, but for the exe, if what you have doesn't work you can try dropbox*.exe. Not sure if that will do the trick. This is much more effective, and for those who already got around installing it you can block the current installations from functioning with rules like **\dropbox\** to block a folder anywhere on the system or C:\dropbox\*. As mentioned in the previous post, use the link that they provided for how to use the wildcard features.

Message was edited by: Dvanmeter on 6/26/12 4:41:13 PM CDT