1 Reply Latest reply on Mar 15, 2010 10:50 PM by rmetzger

    Really weird request, but need some assistance......

    rphillips

      Hi guys,

      I have a dilemma. I need to intentionally mess up an OS.

      I need to push a policy in McAfee ePO to disable an XP machine on the down low. I need to do this so that the remote person using the laptop/desktop will call Support, and Support will then have them send in their equipment. We need this done so that we can perform forensics on the drive and then send it back out to the person without them knowing that we (the Security Team) looked over their drive. Yes, the equipment belongs to us (the company).

      What I have tried so far:

      I created a policy that said ntldr and ntdetect were unwanted programs and to delete them. Well, it did delete them, but they came right back. I'm assuming that is because they are protected files within Windows.

      I tried the same with explorer.exe, but that didn't work at all.

      I then tried blocking read/write access to c:\Documents and Settings\userprofile.

      This worked, sort of; it basically removed the Start button, and the Start menu was blank altogether when you hit the Windows key on the keyboard. This could work.

      I'm looking for other ideas of files that may not be protected and that can be deleted, which will render the computer useless to the user but also be easily fixable by someone here at Support.

      I am using McAfee ePolicy Orchestrator 4.5 to push down these policies.

      I am open to any and all suggestions.

      FYI

      Thanks

      Brad

        • 1. Re: Really weird request, but need some assistance......
          rmetzger

          Force Patch 3 onto the system AND

          Enable the Access Protection rule:
          1. Click Start, Programs, McAfee, VirusScan Console.
          2. Right-click Access Protection and select Properties.
          3. Select Anti-virus Standard Protection.
          4. Select Prevent Windows Process spoofing and select the Block option. Optionally, deselect the Report option, but this can remain enabled.
          5. Click OK.

          This will possibly stop Explorer from running after the next reboot.

          McAfee has released a KB for this => KB68448

          Explorer.exe fails to load after installing Patch 3 for VirusScan Enterprise 8.7i

          Problem

          After installing VirusScan Enterprise (VSE) 8.7i Patch 3 and restarting the computer, the desktop will not display.

          Windows Task Manager shows that Explorer.exe is not running.

          System Change

          Installed Patch 3 for VSE 8.7i and restarted the computer.

          Cause

          The Access Protection rule Standard Protection: Prevent Windows Process spoofing is enabled and configured to Block.

          This issue has been reported for the Explorer.exe process. Other Windows processes might also be affected.

          Solution

          McAfee is investigating this issue. As a temporary measure, implement the workaround shown below.

          NOTE: For environments that must have this Access Protection rule enabled and set to Block, McAfee is working on a hotfix. When the hotfix is available, it will be attached to this article.

          To receive email notification when this article is updated, click Subscribe at the top of the page. (You must be logged in at https://mysupport.mcafee.com to subscribe.)

          Workaround

          Disable the Access Protection rule:
          1. Click Start, Programs, McAfee, VirusScan Console.
          2. Right-click Access Protection and select Properties.
          3. Select Anti-virus Standard Protection.
          4. Select Prevent Windows Process spoofing and deselect the Block option. Optionally, deselect the Report option, but this can remain enabled.
          5. Click OK.


          Good luck.

          Ron Metzger