ramil
Level 9
Message 1 of 9

VSE 8.8 AP - How to unblock dll's run by svchost ?

Hello

I have a problem where Access Protection is blocking Windows Defender updates. While having two AV solutions at once is not a good practice, I would still want to know how to fix this issue, so I could fix some other, similar problems. (I have AP also blocking some other legitimate ocx/dll files.)

AP_log_snippet.png

VSE 8.8 Access Protection - Anti-virus Maximum Protection - Prevent svchost executing non-Windows executables

I added mpengine.dll to exclusions, but it doesn't help.

Message was edited by: Ramil Rohi

8 Replies
wwarren
Level 15
Message 2 of 9

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

Access Protection does not have the facilities for allowing exclusions of DLLs. It only allows excluding of process names.

And obviously that limits greatly the flexibility or value of the feature when you're facing an action being triggered by SVCHost.exe, something you'd never want to exclude (right?).

But, we exclude svchost.exe ourselves in some rules, which we have on our to-do list as something to change.

Wanting to have more granular control over how the AP rules work or how they're defined, is a PER. I hope you submit one because I would love to see that capability in the product.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
ramil
Level 9
Message 3 of 9

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

That was not the answer I was looking for, but thanks anyway


wwarren wrote:


But, we exclude svchost.exe ourselves in some rules, which we have on our to-do list as something to change.


How did you do that? Assigned a different Access Protection Policy to select systems where svchost was not intercepted?

That would leave systems vulnerable to attacks, which is not good. Latest Cryptolocker exploits svchost by using it to delete volume shadow copies.


wwarren wrote:


I hope you submit one because I would love to see that capability in the product.


How would I do that? I have never submitted anything to McAfee. This kind of functionality is certainly necessary.

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

You can submit it in the Product ideas section in McAfee communities.


wwarren
Level 15
Message 5 of 9

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

Take a look through our Access Protection default policies; you'll see that some contain a default exclusion for SVCHost.exe.

We have plans to change that, to remove it, and malware is a good example why.

We have a KB article that explains how to submit PERs:  https://kc.mcafee.com/corporate/index?page=content&id=KB60021

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
ramil
Level 9
Message 6 of 9

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

I submitted the PER, but I'm still not sure what you are suggesting I do to get around this problem.

Are you saying I should exclude svchost itself in the "Prevent svchost executing non-Windows executables" rule? Sounds like this would disable this rule.

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

Well, if you really want to allow it, then you have to disable this rule.

wwarren
Level 15
Message 8 of 9

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?


Ramil Rohi wrote:



I submitted the PER, but I'm still not sure what you are suggesting I do to get around this problem.

Are you saying I should exclude svchost itself in the "Prevent svchost executing non-Windows executables" rule? Sounds like this would disable this rule.


Correct. As I stated earlier:

Access Protection does not have the facilities for allowing exclusions of DLLs. It only allows excluding of process names.

Your options are limited, hence the PER.

If you're looking for more advanced zero-day protection options _today_ you should be looking at the Host Intrusion Prevention product.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
ramil
Level 9
Message 9 of 9

Re: VSE 8.8 AP - How to unblock dll's run by svchost ?

Thank you wwarren, ansarias. I guess I have to make do with what I have at the moment then.