4 Replies Latest reply on Apr 28, 2010 11:25 AM by ghislaine.balifi

    How to define a specific program as an unwanted program on ePO server

      Hello,

      I'm testing user-defined unwanted program detection.

      On my ePO server console, what should I enter under Assigned Policies/VirusScan Enterprise 8.7.0/Unwanted Programs Policies/User-defined Items?

      I have activated detection of unwanted programs in my on-access scanner configuration and decided to "Deny access to files" when unwanted programs are detected.

      I have tried to enter the names of my unwanted programs (e.g. WinZip, MSN Messenger 7.0) as defined in Add/Remove Programs on my computer under Assigned Policies/VirusScan Enterprise 8.7.0/Unwanted Programs Policies/User-defined Items, but my unwanted programs are not blocked; I can still launch them.

      Could you help me define a program installed on my computer (e.g. WinZip, MSN Messenger 7.0) as a user-defined unwanted program on my ePO console?

      Regards

      Ghislaine

        • 1. Re: How to define a specific program as an unwanted program on ePO server
          MMixer

          There are two areas I think you would need to check. As an example, I've stopped the Google Earth installer.

          So on Orchestrator 4.0, under VirusScan Enterprise 8.5.0 > Unwanted Programs Policies > Your Policy

          I have a user-defined item, googleupdatesetup.exe

          On VirusScan Enterprise 8.5.0 > Unwanted Programs Policies > Your Policy

          Scan items - I think Other Potentially Unwanted Programs needs to be ticked

          Next, open your VirusScan Enterprise 8.5.0 > On-Access Default Processes Policies > Your Policy

          And check that scan items - Unwanted programs detection is ticked

          Then on the test machine, open the ePO agent status monitor and hit check new policies & enforce new policies

          Then try running your exe

          • 2. Re: How to define a specific program as an unwanted program on ePO server

            Hello MMixer,

            If I understand correctly, if I want to block installation of a file, I have to enter a user-defined item which corresponds to the name of the setup file under VirusScan Enterprise > Unwanted Programs Policies > Your Policy. Is that right?

            1- What happens if the user changes the name of the Google update setup file before launching it? Is the installation still blocked?

            2- What happens if the name of the setup file of my unwanted program is just setup.exe? Where (e.g. a generic path) should I look for the name of the file that I have to enter as a user-defined item, for example if I want to block iTunes or Skype installation?

            3- Is it also possible to block, with this method, an unwanted program which is already installed? If yes, what user-defined item should I enter, since in this case the purpose is not to block installation of a program but to avoid launching an unwanted program that is already installed?

            Thanks

            Ghislaine

            • 3. Re: How to define a specific program as an unwanted program on ePO server
              MMixer

              I don't think it's that clever

              I think it just goes by name, so you would need two rules for the setup program & app

              And there would be issues with different apps all using setup.exe

              Another option, if you're licensed for it, would be to run McAfee Host Intrusion Protection (HIPS)

              There you can set up app blocking with "fingerprinting", which captures the MD5 code of the application

              Then even if the exe was renamed it would still be blocked

              And multiple setup.exe's all carry their own code
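
Added example (not part of the post above and not McAfee code): a small Python comparison of the two matching strategies discussed in this thread, a file-name rule and a content-fingerprint rule, run over three constructed files. The function names and sample files are hypothetical, and SHA-256 stands in for the MD5 fingerprint the post mentions.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """Content hash of a file; unaffected by the file's name or location."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def blocked_by_name(path: Path, names: set[str]) -> bool:
    """Name rule: compares only the file name, case-insensitively."""
    return path.name.lower() in names


def blocked_by_hash(path: Path, hashes: set[str]) -> bool:
    """Fingerprint rule: compares only the file content."""
    return fingerprint(path) in hashes


def demo() -> dict[str, tuple[bool, bool]]:
    """Returns {file: (name rule blocks, hash rule blocks)} for constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for installers; the bytes are arbitrary sample data.
        files = {
            "unwanted/setup.exe": b"constructed bytes: unwanted installer",
            "renamed/notes.exe": b"constructed bytes: unwanted installer",  # same content, new name
            "approved/setup.exe": b"constructed bytes: approved installer",  # same name, other app
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True)
            target.write_bytes(data)
        names = {"setup.exe"}                                # name-based rule list
        hashes = {fingerprint(root / "unwanted/setup.exe")}  # fingerprint rule list
        return {rel: (blocked_by_name(root / rel, names),
                      blocked_by_hash(root / rel, hashes)) for rel in files}


if __name__ == "__main__":
    for rel, (by_name, by_hash) in demo().items():
        print(f"{rel:20} name rule: {by_name!s:5}  hash rule: {by_hash}")
```

A fingerprint changes whenever the file's bytes change, so each version of an application needs its own entry in a hash-based list.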

              • 4. Re: How to define a specific program as an unwanted program on ePO server

                Thanks for this information.

                I will also try HIPS with "fingerprinting".

                Regards

                Ghislaine