carnold
Level 7
Message 1 of 18

Policy to Block Running Files from Temp Area

ePO 5.1 with VSE 8.8. We want to block malicious software from running from temp areas. I have read about common protection area but those articles are from 2011 and 2012 (not sure if that applies to ePO 5.1). This policy would include blocking files from running in IE temp areas and Chrome temp areas. Can someone tell me how to accomplish this?

1 Solution

Accepted Solutions
andrep1
Level 14
Message 2 of 18

Re: Policy to Block Running Files from Temp Area

Just have a quick look in ePO at your VSE access protection policies, it is all in there.

Just pick the config you want and the additional processes you want to exclude, if any. Look under common standard, common maximum and antispyware maximum.

You can also create a custom rule to block any processes from running from temp. They're pretty easy to do. It is all under VSE, Access Protection.

Andre

17 Replies
carnold
Level 7
Message 3 of 18

Re: Policy to Block Running Files from Temp Area

With today's malware/trojans/viruses, what are the best settings to block in these options? What is the best way to block PUPs?

ansarias
Reliable Contributor
Message 4 of 18

Re: Policy to Block Running Files from Temp Area

Create a user-defined Access Protection rule that blocks all options from the temp folder, such as execution and new file creation.

I suggest applying it on a few machines and monitoring for 1 week for any issues. Later you can apply it globally for all workstations.

andrep1
Level 14
Message 5 of 18

Re: Policy to Block Running Files from Temp Area

This is not really the community for security guidance, more for technical guidance. But have a look at this document; it should put you on the right track.

McAfee KnowledgeBase - VirusScan Enterprise 8.8 Best Practices Guide

carnold
Level 7
Message 6 of 18

Re: Policy to Block Running Files from Temp Area

So I don't think the changes are being applied. A user with VSE 8.8 was infected today and the file(s) ran from:

[Screenshot: Capture.PNG]

temp locations (VSE did not find anything on 2 full scans)!

Here are the settings of the access policies:

[Screenshot: Capture.PNG]

These are my default settings:

[Screenshots: Capture.PNG, Capture.PNG]

What am I missing?


andrep1
Level 14
Message 7 of 18

Re: Policy to Block Running Files from Temp Area

Your antispyware maximum settings are set to "report" and not block. You have to check both columns.

If you doubt settings are applied locally, you can always check the local console under access protection.
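
A complementary check from the endpoint itself, as an added example that is not part of the original thread or of any McAfee tooling: this PowerShell script lists running processes whose executable sits under a temp or browser-cache directory, which is useful while piloting a block rule. The path patterns and the `Test-TempPath` helper are assumptions chosen for illustration; adjust them to the locations your rule covers.

```powershell
# Added example: find running processes whose image is in a temp/cache area.
# The patterns below are assumptions (typical per-user temp, IE and Chrome
# cache locations); they are not taken from the VSE policy itself.
$patterns = @(
    '*\AppData\Local\Temp\*',
    '*\AppData\Local\Microsoft\Windows\Temporary Internet Files\*',
    '*\AppData\Local\Microsoft\Windows\INetCache\*',
    '*\AppData\Local\Google\Chrome\User Data\*\Cache\*',
    (Join-Path $env:windir 'Temp\*')
)

# Hypothetical helper: true when $Path matches any of the patterns.
function Test-TempPath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    foreach ($p in $patterns) {
        if ($Path -like $p) { return $true }   # -like is case-insensitive
    }
    return $false
}

# ExecutablePath is empty for processes the current user cannot query,
# so run this from an elevated prompt to cover every process.
$hits = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-TempPath $_.ExecutablePath } |
    Select-Object ProcessId, Name, ExecutablePath, CreationDate

if ($hits) {
    $hits | Sort-Object CreationDate | Format-Table -AutoSize
    Write-Warning "$(@($hits).Count) process(es) are running from temp locations."
} else {
    Write-Output 'No running process has its image under the listed temp locations.'
}
```

A hit on a machine that should have the block rule enforced means the rule is in report-only mode, the process is excluded, or the policy has not reached the endpoint.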

carnold
Level 7
Message 8 of 18

Re: Policy to Block Running Files from Temp Area

Totally missed that! Thank you

Re: Policy to Block Running Files from Temp Area

Hello,

You may have forgotten to check the boxes for "block", but the circumstance that VirusScan could not find anything should bother you more. It seems to be new malware, which is not within any DAT or reputation engine of McAfee.

I agree with Andre Parent to check the block box, but you should also check back with McAfee for an extraDAT which can find and clean this piece of malware. And think about Layer 8 Education; it looks like someone got mail and ran the attachment ;-)

Greetings

Re: Policy to Block Running Files from Temp Area

So now users can't "open" doc(x) files. So when using a web-based app and they want to open a Word doc file, they now have to save it and then open it. Is there some way to exclude certain file extensions, or how do you guys handle opening Word, Excel and the like files?

@Don_Martin - I agree, this is concerning and I will have McAfee take a look at it. Layer 8 Education = people don't listen. It's like telling a kid not to stick anything into the light socket! What's the first thing they do? Stick something into the light socket.......
