Need help with Common Standard Protection

Hello all,

We're using ePO 4.6 with McAfee Agent 4.8 and VirusScan 8.8 Patch 2.

I have TONS of alerts in ePO coming from the Access Protection policy "Common Standard Protection" - "Prevent common programs from running files from the Temp folder".

I have several cases where I know what software is causing this, but I'm trying to figure out a way to exclude this software from triggering these "errors".

The 2 pieces of software in question are GoToAssist from Citrix and the Lotus Notes web client (used with Internet Explorer - iexplore.exe).

These are 2 pieces of software heavily used in our company (over 7000 nodes).

As we speak, nothing is blocked since I'm in report mode, but my event log is being killed by these 2 applications.

I've excluded almost all the processes I know from these 2 pieces of software, but I keep getting alerts.

In both cases, the Threat Target File Path is always a DLL. So part of my question is: is there a way to exclude these DLLs instead of the process that is using them (usually iexplore.exe, which I definitely don't want to exclude)?

Here's more information:

Citrix GoToAssist

Threat Source Process Name:C:\WINDOWS\Explorer.EXE
Threat Target File Path:C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll
Event Category:'File' class or access
Event ID:1095
Threat Name:Common Standard Protection:Prevent common programs from running files from the Temp folder
Threat Type:access protection
Action Taken:would deny execute
Threat Handled:true
Analyzer Detection Method:OAS
Event Description:Access Protection rule violation detected and NOT blocked

Lotus Notes Web Client.

Threat Source Process Name:C:\Program Files\Internet Explorer\IEXPLORE.EXE
Threat Target File Path:C:\Documents and Settings\%username%\Local Settings\Temp\dwa8res_en.dll
Event Category:'File' class or access
Event ID:1095
Threat Name:Common Standard Protection:Prevent common programs from running files from the Temp folder
Threat Type:access protection
Action Taken:would deny execute
Threat Handled:true
Analyzer Detection Method:OAS
Event Description:Access Protection rule violation detected and NOT blocked

Thanks for the help

10 Replies
mshah
Level 10

Re: Need help with Common Standard Protection

Hi,

The VSE AP rule you are talking about is enabled for Report only by default; if you don't wish to receive the alerts/events you may just uncheck "Report" on the AP rule.

If you would like to exclude the process names of IE and Lotus Notes, I am not sure that is going to work, as these processes are already included in this rule:

eudora.exe, explorer.exe, firefox.exe, iexplore.exe, MAPISP32.exe, mozilla.exe, msimn.exe, msn6.exe, msnmsgr.exe, neo20.exe, netscp.exe, nlnotes.exe, opera.exe, outlook.exe, Owstimer.exe, packager.exe, pine.exe, poco.exe, RESRCMON.EXE, SPSNotific*, thebat.exe, thunde*.exe, VMIMB.EXE, WinMail.exe, winpm-32.exe, winrar.exe, winzip32.exe

So possibly there is another way you may try: remove the process names "iexplore.exe" and "nlnotes.exe" from the include list of this rule, but again there is a risk in doing it, as the main source of threats nowadays is IE via Temp.

Just for testing you may try it on one or two machines and see how it goes; however, I would suggest you share the AP and OAS logs from any one of the machines that is reporting more events, so we can get an idea of what to do next for exclusion and what should be excluded.

Thanks,

Manish.

on 14/8/13 11:50:17 PM IST

Re: Need help with Common Standard Protection

Thanks for your reply Manish,

My ultimate goal (long term) would be to use the BLOCK option on this rule, not only REPORT.

So what I was thinking is that by using the REPORT ONLY function I would get "data" over the long run and would be able to exclude the processes in our environment that are "legit", and only get report data that would be useful to me.

So if I uncheck the REPORT option, I will not be able to see other stuff that could be harmful.

Basically, I think I will have to stop reporting on it, but I was looking to block these DLLs, or whatever is calling these DLLs; looks like we can't.

Would excluding these files (*.exe files (Citrix, Notes...)) from the On-Access Default help, or do you think IEXPLORE.EXE is really the piece calling the DLLs?

Thanks again for your quick help


Re: Need help with Common Standard Protection

And here's one of the OAS logs from one of the machines:

8/14/2013          1:19:28 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           CACC\clepageb          C:\WINDOWS\Explorer.EXE          C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll          Common Standard Protection:Prevent common programs from running files from the Temp folder          Action blocked : Execute

You can repeat that line 100,000 times and you'll get the complete log.

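Since the approach in this thread is to leave the rule in report mode, collect the events and then decide which processes are safe to exclude, here is an added example (it is not from the original post, nor McAfee's own code) that parses constructed AccessProtectionLog.txt lines in the layout quoted above, tallies source-process/target pairs so the noisy ones surface, and shows what the rule would still report once a "Processes to exclude" entry is applied. Two things are assumptions, labelled in the code: the log is tab-delimited (the forum rendering shows the tabs as runs of spaces), and a process exclusion matches the source process's file name case-insensitively with the `*` and `?` wildcards that the rule's own include list uses (e.g. `thunde*.exe`). All sample lines, including the `setup_12345.exe` event, are constructed for the example.

```python
from collections import Counter
from fnmatch import fnmatch

# Field order of one VSE AccessProtectionLog.txt entry, taken from the lines
# quoted in this thread. Assumption: the real file is tab-delimited.
FIELDS = ("date", "time", "action", "user", "source_process",
          "target", "rule", "detail")

RULE = ("Common Standard Protection:"
        "Prevent common programs from running files from the Temp folder")
TEMP = r"C:\Documents and Settings\clepageb\Local Settings\Temp"
G2A_DLL = (TEMP + r"\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp"
           r"\g2ax_customer_resource_win32_x86_en_US_498.dll")
NOTES_DLL = TEMP + r"\dwa8res_en.dll"


def _entry(source, target, time):
    """Build one constructed log line in the thread's layout."""
    return "\t".join([
        "8/14/2013", time,
        "Would be blocked by Access Protection rule  (rule is currently not enforced)",
        r"CACC\clepageb", source, target, RULE, "Action blocked : Execute",
    ])


# Constructed sample log: the two noisy applications from the thread plus one
# made-up event (setup_12345.exe run from Temp) that an exclusion must not hide.
SAMPLE_LOG = "\n".join([
    _entry(r"C:\WINDOWS\Explorer.EXE", G2A_DLL, "1:16:08 PM"),
    _entry(r"C:\WINDOWS\Explorer.EXE", G2A_DLL, "1:19:28 PM"),
    _entry(r"C:\WINDOWS\Explorer.EXE", G2A_DLL, "1:22:41 PM"),
    _entry(r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", NOTES_DLL, "1:30:02 PM"),
    _entry(r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", NOTES_DLL, "1:31:17 PM"),
    _entry(r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
           TEMP + r"\setup_12345.exe", "1:45:55 PM"),
    "",  # trailing newline, as a real log file would have
])


def parse_ap_log(text):
    """Turn raw log text into a list of dicts keyed by FIELDS."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            continue  # blank or truncated line
        events.append(dict(zip(FIELDS, parts)))
    return events


def basename(path):
    """Case-folded file name of a Windows path (the log keeps the original case)."""
    return path.rsplit("\\", 1)[-1].lower()


def summarize(events):
    """Count events per (source process, target file name) so that the pairs
    flooding the log are the first thing you see."""
    return Counter((basename(e["source_process"]), basename(e["target"]))
                   for e in events)


def is_excluded(event, exclusions):
    """Would an AP 'Processes to exclude' entry match this event's source process?
    Assumed semantics: file name only, case-insensitive, '*' and '?' wildcards."""
    name = basename(event["source_process"])
    return any(fnmatch(name, pattern.lower()) for pattern in exclusions)


def remaining(events, exclusions):
    """Events the rule would still report once the exclusions are in place."""
    return [e for e in events if not is_excluded(e, exclusions)]


if __name__ == "__main__":
    evts = parse_ap_log(SAMPLE_LOG)
    for (src, tgt), n in summarize(evts).most_common():
        print(f"{n:6d}  {src:14s} -> {tgt}")
    left = remaining(evts, ["explorer.exe"])
    print(f"{len(evts)} events, {len(left)} still reported after excluding explorer.exe")
    # The exclusion is per source process, not per target: it silences the
    # GoToAssist DLL loads, but any other file Explorer launches from Temp would
    # go unreported as well, which is the trade-off to weigh before applying it.
```

Running it against a real AccessProtectionLog.txt is a matter of replacing `SAMPLE_LOG` with the file's contents; the summary is what tells you whether an exclusion removes only the application you intended, and the `remaining` list is what you should still be reviewing afterwards.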
mshah
Level 10

Re: Need help with Common Standard Protection

Hi

AP (Access Protection) and OAS (On-Access Scanner) are two different components of VirusScan Enterprise. The log you have given seems to be from the AP (Access Protection) log, so excluding the process in On-Access Default will not help here, as On-Access Default belongs to OAS. Here you need to exclude the parent process name in the AP rule "Common Standard Protection" - "Prevent common programs from running files from the Temp folder". According to the above log, explorer.exe is the parent process. However, I would request you to share the complete log folder named "DesktopProtection", which contains the VSE logs, so that after reviewing it I can suggest something exact along with the steps to exclude.

I don't think excluding the DLL will help.

Thanks,

Manish.

on 15/8/13 12:58:18 AM IST

Re: Need help with Common Standard Protection

How can I upload a zip file with the logs in it?

mshah
Level 10

Re: Need help with Common Standard Protection

I can see some people have attached zip files while replying; not sure how they have done it. However, you can use any FTP link you might have, or you may also use Google Drive and share the logs. My email id is manish.manibabu@gmail.com

McAfee Employee

Re: Need help with Common Standard Protection

If you need to attach files to a post, click on the "Use advanced editor" option, then you'll see the option to attach files.

HTH -

Joe


Re: Need help with Common Standard Protection

Thanks for the tip

mshah
Level 10

Re: Need help with Common Standard Protection

Thanks for sharing the logs. Looking into the AP log I found the below:

8/14/2013          1:16:08 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           CACC\clepageb          C:\WINDOWS\Explorer.EXE          C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll          Common Standard Protection:Prevent common programs from running files from the Temp folder          Action blocked : Execute

According to the above log, the process explorer.exe is being detected by the VSE AP rule "Common Standard Protection:Prevent common programs from running files from the Temp folder". If you wish the VSE AP rule to not block or report this application, you need to create a new policy in which you exclude the process. To do so you may refer to these steps:

-Log in to ePo console

-Menu > Policy > Policy Catalog

-Click on the Product dropdown list and select VSE 8.x, then click on the Category dropdown list and select Access Protection Policies

-Select My Default and Duplicate it > give a name for this policy (e.g. "Do not report or block GoToAssist") and click OK

-The policy will be listed on the page

-Just click on the policy name "Do not report or block GoToAssist"

-Select Settings for: Workstation or Server (if you wish to apply this policy to server OSes you need to select Server; if you wish to apply it to workstations you need to select Workstation)

-Below you will see the Access Protection Rules: box

-From that box select "Common Standard Protection"

-On the right-hand side you will see another box with all the AP rules that belong to the Common Standard Protection category

-Select "Prevent common programs from running files from the Temp folder" and click on Edit

-You will see three boxes; the bottom one is "Processes to exclude". Type there the process name you want to exclude: explorer.exe

-If you want, you can use wildcards with the process name as well. (To learn how to use wildcards: http://kc.mcafee.com/corporate/index?page=content&id=KB54812 )

-Click on OK and Save

-Now the AP rule is created but not assigned to any machine

-I would suggest you assign this rule to one machine, reproduce the issue and test it.

To assign the rule to a single machine:

-Go to Menu > Systems > System Tree and select the machine on which you want to test it

-Click on Actions > Agent > Modify Policies on a Single System

-Select Product: VirusScan Enterprise 8.8.0

-Find Access Protection Policies, select it and click on Edit Assignment

-Select "Break inheritance and assign the policy and settings below"

-Assigned policy: select the created policy name "Do not report or block GoToAssist" and save it.

-Close the page and send an agent wake-up call to that machine, and make sure the policy is enforced.

Thanks

Manish.
