2 Replies Latest reply on Jan 3, 2011 6:11 PM by mjmurra

    access protection redesigned

    Dvanmeter

      I hope in a newer version McAfee redesigns the access protection rules. This feature is what I feel gives corporate environments some leverage with malware. We have caught zero-day malware with the port blocking, prevented infections with the file block, reg block feature, etc.

       

      One thing I wish they would add though is the ability to block a file based on hash. With the growing number of viruses that use random name generators, blocking based on name just isn't good enough anymore. Even better, add a utility in McAfee to give you a hash of a file that I could then copy-paste into an EPO access protection rule.

       

        I also think it would be nice if a simple rule wizard was implemented that allowed for a single rule that contained if file name = contains does not contain (and or port) = then block the following files or ports or reg keys and call this Fake Alert Zero Day. This way a rule can be a little more detailed on how it is to work based on several different criteria. Hope that makes sense.

       

      Anyone else got any thoughts on this?

        • 1. Re: access protection redesigned
          rmetzger

          Dvanmeter wrote:

           

          I hope in a newer version McAfee redesigns the access protection rules. This feature is what I feel gives corporate environments some leverage with malware. We have caught zero-day malware with the port blocking, prevented infections with the file block, reg block feature, etc.

           

          One thing I wish they would add though is the ability to block a file based on hash. With the growing number of viruses that use random name generators, blocking based on name just isn't good enough anymore. Even better, add a utility in McAfee to give you a hash of a file that I could then copy-paste into an EPO access protection rul

          Agreed. This (hash blocking) is crucial to blocking not only zero-day threats but also PUPs that I want to block that users simply rename to get around a rule. This would greatly enhance my ability to stop unauthorized software from being installed (not necessarily a McAfee-defined PUP but one that my company does not allow for legal reasons, productivity, etc.)

           

          Ron Metzger

          • 2. Re: access protection redesigned

            As the AP module is based (partially) on technology from HIP, the fact that HIP8 now has hash blocking could mean that it ends up in VSE. But the usual argument may get bandied around by McAfee: VSE isn't designed for Application Control - install HIP for this purpose.
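
The difference between name-based and hash-based matching discussed in this thread, as an added example that is not part of the original posts and is not McAfee code. The file names, the wildcard pattern and the sample bytes are constructed for illustration; SHA-256 is an assumed choice of hash.

```python
import fnmatch
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, predicate):
    """Return the names of files under root for which predicate(path, name) is true."""
    return {name
            for dirpath, _dirs, files in os.walk(root)
            for name in files
            if predicate(os.path.join(dirpath, name), name)}


def demo():
    """Constructed sample: the same bytes stored under a known name and a random name."""
    payload = b"constructed sample bytes standing in for an unwanted program"
    with tempfile.TemporaryDirectory() as root:
        samples = {"fakealert.exe": payload,   # name the rule author knows about
                   "qx7rk2vd.exe": payload,    # same content, randomly renamed
                   "notes.txt": b"unrelated file"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # The hex digest an admin would copy into a hash-based rule.
        blocked = {sha256_of(os.path.join(root, "fakealert.exe"))}
        by_name = scan(root, lambda p, n: fnmatch.fnmatch(n.lower(), "fakealert*.exe"))
        by_hash = scan(root, lambda p, n: sha256_of(p) in blocked)
    return by_name, by_hash


if __name__ == "__main__":
    by_name, by_hash = demo()
    print("name rule matched:", sorted(by_name))
    print("hash rule matched:", sorted(by_hash))
```

The name rule matches only the file that kept its original name, while the hash rule also matches the renamed copy.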