With ENS 10, you can build more complex Access Protection rules with subrules: https://kc.mcafee.com/corporate/index?page=content&id=KB86577
So, what they are describing in KB89335 is really a more complex access protection rule set - almost like a tiered rule set.
In this KB again. There is no complex rule. There is just one subrule.
It is said that you should create an "Include All (*)" Rule for Executables and then create a Subrule which defines the files/folders which shall be blocked. But even without the "Include All (*)" Rule I can create just a Subrule and it works as it should. The Subrule is getting triggered and the file blocked.
There is no sense in using that "Include All (*)" Rule. But I thought McAfee should know it better and would do it correctly in their recommendations. So is there any sense in using an "Include All (*)" Rule in comparison with not using it?
When you add the * under Executables, then define a subrule to block the creation of *\Software\WanaCrypt0r key, what it means is that all processes are then restricted from creating this key.
If you do not define the * under Executables, it will imply that * instead (as you are seeing), but in previous versions and in VSE, you HAD to define something in this field -- it wasn't implied.
This is the equivalent of "Processes to Include" field in VSE's Access Protection rules.
So no, you aren't required to put this * under Executables, but I would consider it best practice to avoid confusion in the future, since I don't know if this implied * is intended or a bug to be fixed later on.
Thank you for the explanation.