I'm having an issue right now trying to allow the McAfee VirusScan Enterprise to ignore the installations/updates for certain applications. Currently the ePO is enforced in a way to prevent anything from running from the Temp folder. I've added multiple exclusions (in this case, I'm installing Java) but I'm hung up at just a few things. I'll attach a log file, but is there a more definitive way to allow some of these minor, common application (Chrome, Reader, Java, Windows Updates) updates to go through while still preventing other programs from installing, but without disabling Active Protection?
Thanks for anyone's help!
if blocking file generation with Access Protection you have to exclude any process.From my experience strong Access Protection Rules are generating much Events but really more security regarding advanced malware.
1) How about HIPS? Access Protection Rules are available as HIPS Signatures. HIPS allows much more granular and easier exclusions.
2) You can also take a look at Application Control. There you have some more options to define how a system is allowed to be changed.
Thanks for the reply Troja,
Unfortunately I can't change our corporate anti-virus out, so I'm stuck trying to make these changes manually. Right now we're enforcing policies that prevent users from being able to install (basically) any program on their computer. The ePO manager has areas to make configuration changes, but specifically for this issue that I'm having with Java, I can't seem to get McAfee from ignoring the process.
can you tell me why this rules are activated?
- Does anyone checks the events and rates them?
This is the probem with Access Protection. If you block the execution from the Temp you will have false/positives and you have to check any event if it generated by malware or by a trusted installer :-(
It's just what my company specifically wants, unfortunately. If you look at the text-file I attached to my original post, you'll see the problem I'm having right now. I believe those two blocked parts of the installation are preventing me from successfully installing Java, but I can't get the ePO to accept that change at all.
the exclusion should not be a problem. You can see the process name and the blocking rule in the Log. Just add the according process name to the excluded process names in the access protection rule.
Don´t forget to check if there is the policy inheritance broken in the System Tree
That's what I said too, but even after adding them to the exclusion list, it won't install. The policy inheritance is broken, but that's because I was having problems pushing to the computers in my test-group, so I just broke the policy for one computer specifically.
As others have mentioned, Access Protection is not really intended for what you are trying to do. HIPS can do more of this with custom signatures, but even that can become complicated over time.
If you need to prevent updates to applications, then I'd suggest reviewing user permissions to determine why they have that ability in the first place.
I'd also strongly suggest looking at McAfee Application Control. It is not a VSE replacement, so you don't have to worry about changing your corporate AntiVirus standard, but you would be able to "solidify" systems and prevent not just certain updates, but any and all unwanted programs. You may want to talk to your Intel Security sales rep, as it is possible you may already own licenses depending on the suite you purchased.