917 Views 5 Replies Latest reply: Apr 20, 2013 12:08 AM by petersimmons
splash Newcomer 34 posts since
Nov 16, 2010

Sep 26, 2012 6:18 AM

Webinar installers & Anti-spyware maximum protection enabled

Hi

 

We're running Windows 7 Pro x64 with VSE 8.8 and the users do not have local admin rights.

 

In the last couple of years I've had to tighten the level of protection we have, as our users were getting malware from web sites without realising! So with this in mind I enabled Anti-spyware Maximum Protection: Prevent all programs from running files from the Temp folder. This sorted out the malware problem, but the downside is that occasionally our users will have to join a webinar (WebEx or GoToMeeting) and the VSE blocks it.

 

I've tried in the past to put exceptions in the ePO Access Protection Policy to allow Citrix Online Launcher.exe, G2MCoreInstExtractor.exe, g2m_download*.exe and then push out the settings, but still the AV is blocking this.


Surely I'm not alone with this problem. What do you guys do to allow the webinar software to run?

 

Thanks

  • pwolfe Newcomer 52 posts since
    Jan 22, 2009

    Did you ever get a resolution for this... I have fought this issue as well...

  • wwarren McAfee SME 766 posts since
    Nov 3, 2009

    This requires functionality that VSE does not have; at least, it's not exposed in the UI. You should submit a PER.

    If you want to pursue a custom solution, wherein you get a customized Access Protection rule file that has the flexibility to do what you're seeking, you could reach out to our Professional Services team via your Sales contact.

     

    The rule in question is designed to block any program from executing code out of a folder that has TEMP in the name.

    You could get it to work by excluding the browser process name - but then what would be the point of having the rule on?

     

    Excluding the process you want to run doesn't/won't help; the exclusion needs to be for the process that's doing the launching - and in this case, it's your browser that's launching those files.

  • pwolfe Newcomer 52 posts since
    Jan 22, 2009

    Well, that's unfortunate... As in a typical environment, most of our users are "Standard Users". They do not have the ability / permission to disable Access rules temporarily. So in turn, I either have to not use Access rules, or give users Power User or Admin rights? Hmmm... Not very appealing...

     

    So what you are saying is that I need to contact McAfee and possibly spend more money for a custom solution? That would be unfortunate... if the case... maybe it won't cost... I am just not familiar in doing so... Either way it seems from your comment that it is a common issue.

     

    So I guess I am left contacting McAfee for more details or disabling good functionality.

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi pwolfe,

     

    Please allow me to give some advice, maybe it proves helpful: if you cannot use the AP rule allowing your particular processes and blocking others, you perhaps could then stop using that rule to block apps from running in the Temp folder and instead enable other AP rules that would block processes from doing unwanted things in a later stage at other entry points: these rules include browser protection and autorun prevention, maybe device driver installation.

     

    I consider these actions to be more characteristic signs of malware, and these rules enable differentiating between processes in terms of which to allow and which not.

     

    Attila

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009

    Ultimately this rule is probably not acceptable for 99% of end user desktops. Sure, it stops a lot of bad things. But there are plenty of rules within Access Protection that are there for emergencies or suspected infections. I don't think it is reasonable to be able to turn them all on. I applaud you for the attempt, but this particular rule is probably one that isn't workable for the reasons you've outlined here.
