This really is an all or nothing proposition. You can include/exclude specific executables but not file extensions. McAfee HIPS is much more granular in that respect.
Maybe it is one of those situations where you are adding temporary protection until the situation regulates.
Other options to look at are perimeter-based solutions to keep that stuff away from the desktop: web gateways and AV/AS for email. McAfee SiteAdvisor, which is almost always bundled in with VSE, can help also.
We use McAfee Security for MS Exchange on our email servers. I will ask in that forum if this product can block exe's only. Thanks for all your help.
So as I went to type out a discussion in the MSME community, a few things hit me:
1) this trojan would have gotten past MSME anyway as VSE did not find it
2) this user is in a remote office and not in our exchange organization
I guess this is a true statement: "there is no 100% protection from infections..."
Now that you're blocking that temp folder with Access Protection>Anti-spyware Maximum Protection>Prevent all programs from running files from the Temp folder, you can create exceptions for that rule. While in that rule, click on the Prevent all and click Edit below.
You'll see a screen where you can specify what to include (* = all in this case) and what to exclude as shown in this pic:
You can use the McAfee wildcards (*, **, and ?) in the exclusions as well. To see what exclusions you need to create, review the Threat Event log for that system (those systems) which are blocking valid activity and create your exception based off that process name. Be careful as you can't get more granular. For example, you can't say "let process x run while it creates file xx".
Great!! So, I can put *.doc, *.docx, *.pdf in the exclusions list. Like so:
and this will allow Word docs and Excel and PDFs to run in temp area?
I think I see now, in the case of Word, winword.exe will need to go into the exclusions box, yes?
Correct on the 2nd part - you'd create an exclusion for Word, PowerPoint, etc. But as you can imagine, that would let those programs run anything in the temp folder, which a lot of malware tends to use.
In our case, those apps don't use temp for anything anyway, just putting .temp files in your current folder. Outlook and IE use that temp folder, though, by default so some issues may come up with those.
Recommend testing this on a sample of your systems to see what works best for you. As mentioned above, HIPS rules, aka whitelisting, let you get more granular with the exceptions.