andrep1
Level 14
Message 11 of 18

Re: Policy to Block Running Files from Temp Area


This really is an all or nothing proposition. You can include/exclude specific executables but not file extensions. McAfee HIPS is much more granular in that respect.

Maybe it is one of those situations where you are adding temporary protection until the situation regulates.

Other options to look at are perimeter-based solutions to keep that stuff away from the desktop: web gateways and AV/AS for email. McAfee SiteAdvisor, which is almost always bundled in with VSE, can help also.

Re: Policy to Block Running Files from Temp Area


We use McAfee Security for MS Exchange on our email servers. I will ask in that forum if this product can block exe's only. Thanks for all your help.

andrep1
Level 14
Message 13 of 18

Re: Policy to Block Running Files from Temp Area


Sure, it does that when it works.

Re: Policy to Block Running Files from Temp Area


So as I went to type out a discussion in the MSME community, a few things hit me:

1) this trojan would have gotten past MSME anyway, as VSE did not find it

2) this user is in a remote office and not in our Exchange organization

I guess this is a true statement: "there is no 100% protection from infections...."

andrep1
Level 14
Message 15 of 18

Re: Policy to Block Running Files from Temp Area


If not enabled, also consider enabling GTI at medium in VSE and MSME to add cloud-based detections.

kenobe
Level 10
Message 16 of 18

Re: Policy to Block Running Files from Temp Area


Now that you're blocking that temp folder with Access Protection>Anti-spyware Maximum Protection>Prevent all programs from running files from the Temp folder, you can create exceptions for that rule.  While in that rule, click on the Prevent all and click Edit below.

You'll see a screen where you can specify what to include (* = all in this case) and what to exclude as shown in this pic:

screenshot.jpg

You can use the McAfee wildcards (*, **, and ?) in the exclusions as well.  To see what exclusions you need to create, review the Threat Event log for that system (those systems) which are blocking valid activity and create your exception based off that process name.  Be careful as you can't get more granular.   For example, you can't say "let process x run while it creates file xx".

Re: Policy to Block Running Files from Temp Area


Great!! So, I can put *.doc, *.docx, *.pdf in the exclusions list. Like so:

Capture.PNG

and this will allow Word docs and Excel and PDFs to run in the temp area?

EDIT///

I think I see now, in the case of word, winword.exe will need to go into the exclusions box, yes?

kenobe
Level 10
Message 18 of 18

Re: Policy to Block Running Files from Temp Area


Correct on the 2nd part - you'd create an exclusion for Word, PowerPoint, etc. But as you can imagine, that would let those programs run anything in the temp folder, which a lot of malware tends to use.

In our case, those apps don't use temp for anything anyway, just putting .temp files in your current folder.  Outlook and IE use that temp folder, though, by default so some issues may come up with those.

Recommend testing this on a sample of your systems to see what works best for you.  As mentioned above, HIPS rules, aka whitelisting, let you get more granular with the exceptions.
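
Added example (not part of the thread and not McAfee code): one way to triage blocked events before creating exclusions, as described in messages 16 and 18. Because an exclusion applies to a whole process, the script lists every distinct Temp target each blocked process tried to run, which is what excluding that process would have allowed. The CSV layout, column names and sample rows are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Rule name as quoted in the thread.
RULE = "Prevent all programs from running files from the Temp folder"

# Constructed sample events. The three-column CSV layout is an assumption for
# this example, not the product's real log or export format.
SAMPLE = r"""rule,process,target
Prevent all programs from running files from the Temp folder,C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE,C:\Users\a\AppData\Local\Temp\viewer_update.exe
Prevent all programs from running files from the Temp folder,C:\Program Files\Microsoft Office\Office14\outlook.exe,C:\Users\b\AppData\Local\Temp\Invoice_0412.exe
Prevent all programs from running files from the Temp folder,C:\Windows\System32\msiexec.exe,C:\Users\a\AppData\Local\Temp\MSI4F2.tmp
Prevent all programs from running files from the Temp folder,C:\Windows\System32\msiexec.exe,C:\Users\c\AppData\Local\Temp\MSI4F2.tmp
Some other rule,C:\Windows\explorer.exe,C:\Users\a\AppData\Local\Temp\x.exe
"""


def exclusion_impact(csv_text, rule=RULE):
    """Map each blocked process name to the distinct Temp targets it tried to run.

    An exclusion is per process, so every target listed for a process is
    something that exclusion would have allowed.
    """
    blocked = defaultdict(lambda: {"events": 0, "targets": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"].strip() != rule:
            continue  # ignore events raised by other rules
        # Normalise to the bare, lower-cased file name so OUTLOOK.EXE and
        # outlook.exe are counted as the same process.
        proc = PureWindowsPath(row["process"].strip()).name.lower()
        entry = blocked[proc]
        entry["events"] += 1
        entry["targets"].add(PureWindowsPath(row["target"].strip()).name.lower())
    # Most frequently blocked process first; ties broken by name.
    ordered = sorted(blocked.items(), key=lambda kv: (-kv[1]["events"], kv[0]))
    return [(p, e["events"], sorted(e["targets"])) for p, e in ordered]


if __name__ == "__main__":
    for proc, events, targets in exclusion_impact(SAMPLE):
        print(f"{proc}: {events} blocked, targets: {', '.join(targets)}")
```

A process whose target list contains files nobody recognises is a poor candidate for an exclusion, since the exclusion cannot be narrowed to specific files.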
