1 Reply Latest reply on Apr 5, 2011 2:02 AM by Attila Polinger

    Question regarding Access Protection exceptions

    ottawa_tech_31

I'm trying to understand specific (default) exceptions, and a behaviour of AP. This isn't so much an issue, as I am trying to understand WHY things are the way they are...

      In AP, you can set that Mcafee processes, files and settings are protected, and can't be stopped and are protected from being modified.

But there are many specific exceptions there, including (for example) winlogon.exe...

      But that just looks at the process name, not the path...

      The proper winlogon.exe is in c:\windows\system32\

So if a piece of malware dropped a rogue executable called "winlogon.exe", say in c:\program files\stuff\, and that executable was called by another one (or added to autorun), once that executable is started, could it not stop Virusscan services?

Isn't the large amount of exceptions that are there by default a security risk? Are there any processes that, even though they are included in the defaults, should be removed?

        • 1. Re: Question regarding Access Protection exceptions
          Attila Polinger

          Hello,

          But that just looks at the process name, not the path...

You can enter exception file names with the full path and it will work.

So if a piece of malware dropped a rogue executable called "winlogon.exe", say in c:\program files\stuff\, and that executable was called by another one (or added to autorun), once that executable is started, could it not stop Virusscan services?

Virusscan services normally cannot be stopped by anything other than other VirusScan-related processes; this cannot be excluded, since it is not regulated by an AP rule but by the checkbox "Prevent McAfee services from being stopped".

          The other two scenarios that you mentioned are really regulated by AP rules.

Isn't the large amount of exceptions that are there by default a security risk? Are there any processes that, even though they are included in the defaults, should be removed?

I think you (and we) can remove exceptions that we think we do not need and create a custom Virusscan install package configured that way. In my opinion they are there by default to allow for excluding the most commonly found program names that are legitimate and could be hindered by the respective AP rule. Obviously, whichever are not needed by any user can be removed from the list.

I think a further security measure could be to add their full path (or short path) to them so they are never mistaken for another process with the same name, but it's at the user's discretion.

          Attila
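As an added illustration of the name-versus-path distinction discussed in this thread (this is not McAfee's code and only a simplified model of how a bare-name exception differs from a full-path one; the exception list and the expected binary locations are constructed for the example):

```python
"""Model of how a process-name-only exception differs from a full-path one.

Added example, not McAfee's code: the matching is a simplification of the
Access Protection behaviour described in the thread, and the lists below
are constructed for illustration.
"""
import ntpath

# Constructed sample exception list: a mix of bare names and full paths.
SAMPLE_EXCEPTIONS = [
    "winlogon.exe",                       # bare name: matches in any directory
    r"C:\Windows\System32\services.exe",  # full path: matches one file only
    "explorer.exe",
]

# Constructed map of where the legitimate copies of these binaries live.
EXPECTED_LOCATIONS = {
    "winlogon.exe": r"C:\Windows\System32\winlogon.exe",
    "explorer.exe": r"C:\Windows\explorer.exe",
    "services.exe": r"C:\Windows\System32\services.exe",
}


def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised Windows path for comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def exception_applies(entry: str, process_path: str) -> bool:
    """True if the exception entry would exclude the process at process_path.

    A bare file name is compared against the process's file name only, so a
    same-named copy in any directory qualifies; an entry with a directory
    part must match the whole path.
    """
    if ntpath.dirname(entry):
        return _norm(entry) == _norm(process_path)
    return ntpath.normcase(entry) == ntpath.normcase(ntpath.basename(process_path))


def audit_exceptions(entries):
    """List (bare_name, suggested_full_path) for every name-only entry.

    These are the entries the reply suggests tightening by adding a path;
    the suggestion falls back to a placeholder when the location is unknown.
    """
    findings = []
    for entry in entries:
        if not ntpath.dirname(entry):
            suggested = EXPECTED_LOCATIONS.get(ntpath.normcase(entry),
                                               "<path to legitimate binary>")
            findings.append((entry, suggested))
    return findings
```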