1272 Views, 10 Replies. Latest reply: Aug 16, 2013 12:23 PM by kickoutbettman
kickoutbettman Newcomer 14 posts since Jan 10, 2012

Aug 14, 2013 12:40 PM

Need help with Common Standard Protection

Hello all,

We're using ePO 4.6 with McAfee Agent 4.8 and VirusScan 8.8 Patch 2.

I have TONS of alerts in ePO coming from the Access Protection policy "Common Standard Protection" - "Prevent common programs from running files from the Temp folder".

I have several cases where I know what software is causing this, but I'm trying to figure out a way to exclude this software from triggering these "errors".

The 2 pieces of software in question are GoToAssist from Citrix and the Lotus Notes web client (used with Internet Explorer - iexplore.exe).

These are 2 applications heavily used in our company (over 7000 nodes).

As we speak, nothing is blocked since I'm in reporting mode, but my event log is being killed by these 2 applications.

So far I've excluded almost all the processes I know of from these 2 applications, but I keep getting alerts.

In both cases, the Threat Target File Path is always a DLL. So part of my question is: is there a way to exclude these DLLs instead of the process that is using them (usually iexplore.exe, which I definitely don't want to exclude)?

Here's more information:

Citrix GoToAssist

Threat Source Process Name:C:\WINDOWS\Explorer.EXE
Threat Target File Path:C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll
Event Category:'File' class or access
Event ID:1095
Threat Name:Common Standard Protection:Prevent common programs from running files from the Temp folder
Threat Type:access protection
Action Taken:would deny execute
Threat Handled:true
Analyzer Detection Method:OAS
Event Description:Access Protection rule violation detected and NOT blocked

Lotus Notes Web Client.

Threat Source Process Name:C:\Program Files\Internet Explorer\IEXPLORE.EXE
Threat Target File Path:C:\Documents and Settings\%username%\Local Settings\Temp\dwa8res_en.dll
Event Category:'File' class or access
Event ID:1095
Threat Name:Common Standard Protection:Prevent common programs from running files from the Temp folder
Threat Type:access protection
Action Taken:would deny execute
Threat Handled:true
Analyzer Detection Method:OAS
Event Description:Access Protection rule violation detected and NOT blocked

Thanks for the help

  • Manish KS The Place at McAfee Member 37 posts since
    Dec 25, 2012
    1. Aug 14, 2013 1:20 PM (in response to kickoutbettman)
    Re: Need help with Common Standard Protection

    Hi,

    The VSE AP rule you are talking about is just enabled for report by default; if you don't wish to receive the alerts/events you may just uncheck "report" on the AP rule.

    If you would like to exclude the process names of IE and Lotus Notes, I am not sure that is going to work, as these processes are already included in this rule:

    eudora.exe, explorer.exe, firefox.exe, iexplore.exe, MAPISP32.exe, mozilla.exe, msimn.exe, msn6.exe, msnmsgr.exe, neo20.exe, netscp.exe, nlnotes.exe, opera.exe, outlook.exe, Owstimer.exe, packager.exe, pine.exe, poco.exe, RESRCMON.EXE, SPSNotific*, thebat.exe, thunde*.exe, VMIMB.EXE, WinMail.exe, winpm-32.exe, winrar.exe, winzip32.exe

    So possibly another way you may try is: remove the process names "iexplore.exe and nlnotes.exe" from the include list of this rule, but again there is a risk in doing it, as the main source of threats nowadays is IE via Temp.

    Just for testing you may try it on one or two machines and see how it goes; however, I would suggest you share the AP and OAS logs from any one of the machines which is reporting more events, so we can have an idea on what to do next for exclusion and what should be excluded.

    Thanks,

    Manish.

    on 14/8/13 11:50:17 PM IST





  • Manish KS The Place at McAfee Member 37 posts since
    Dec 25, 2012
    4. Aug 14, 2013 2:28 PM (in response to kickoutbettman)
    Re: Need help with Common Standard Protection

    Hi,

    AP (Access Protection) and OAS (On-Access Scanner) are two different components of VirusScan Enterprise. The above log which you have given seems to be from the AP (Access Protection) log, so excluding the process in On-Access Default will not help here, as On-Access Default belongs to OAS. Here you need to exclude the parent process name in the AP rule "Common Standard Protection" - "Prevent common programs from running files from the Temp folder". According to the above log, explorer.exe is the parent process. However, I would request you to share the complete log folder named "DesktopProtection", which contains the VSE logs, so that after reviewing I can suggest exactly what to do along with the steps to exclude.

    I don't think excluding the DLL will help.

    Thanks,

    Manish.

    on 15/8/13 12:58:18 AM IST





  • Manish KS The Place at McAfee Member 37 posts since
    Dec 25, 2012
    6. Aug 15, 2013 12:04 PM (in response to kickoutbettman)
    Re: Need help with Common Standard Protection

    I can see some people have attached zip files while replying. Not sure how they did it. However, you can use any FTP link you might have, or you may also use Google Drive, to share the logs. My email id is manish.manibabu@gmail.com


    Thanks,

    Manish





  • Manish KS The Place at McAfee Member 37 posts since
    Dec 25, 2012
    7. Aug 16, 2013 9:46 AM (in response to kickoutbettman)
    Re: Need help with Common Standard Protection

    Thanks for sharing the logs. Looking into the AP log I found the below:

    8/14/2013          1:16:08 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           CACC\clepageb          C:\WINDOWS\Explorer.EXE          C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll          Common Standard Protection:Prevent common programs from running files from the Temp folder          Action blocked : Execute

    According to the above log, the process explorer.exe is being detected by the VSE AP rule "Common Standard Protection:Prevent common programs from running files from the Temp folder". If you want the VSE AP rule to not block or report this application, you need to create a new policy in which you exclude the process. To do so you may refer to these steps:

    -Log in to the ePO console

    -Menu > Policy > Policy Catalog

    -Click on the Product dropdown list and select VSE 8.x, then click on the Category dropdown list and select Access Protection Policies

    -Select My Default and Duplicate it > give a name for this policy (e.g. Do not report or block GotoAssist) and click OK

    -The policy will be listed on the page

    -Just click on the policy name "Do not report or block GotoAssist"

    -Select Settings for: Workstation or Server (if you wish to apply this policy to a server OS you need to select Server; if you wish to apply it to workstations you need to select Workstation)

    -Further down you will see the Access Protection Rules: box

    -From that box select "Common Standard Protection"

    -On the right-hand side you will see another box which has all the AP rules that relate to the Common Standard Protection rule

    -Select "Common programs from running files from the temp folder" and click on Edit

    -You will see three boxes; in the bottom one, "Processes to exclude", type the process name which you want to exclude: explorer.exe

    -If you want, you can use wildcards as well with the process name (to learn how to use wildcards: http://kc.mcafee.com/corporate/index?page=content&id=KB54812)

    -Click on OK and Save

    -Now the AP rule is created but not assigned to any machine

    -I would suggest you assign this rule to one machine, reproduce the issue and test it.

    To assign the rule to a single machine:

    -Go to Menu > Systems > System Tree and select the machine on which you want to test it

    -Click on Action > Agent > Modify policy on a single system

    -Select Product VirusScan Enterprise 8.8.0

    -Find Access Protection Policies > select it and click on Edit Assignment

    -Select "Break inheritance and assign the policy and settings below"

    -Assigned policy: select the created policy name "Do not report or block Goto Assist" and save it.

    -Close the page and send an agent wake-up call to that machine and make sure the policy is enforced.

    Thanks

    Manish.





  • JoeBidgood McAfee SME 2,868 posts since
    Sep 11, 2009
    8. Aug 16, 2013 10:03 AM (in response to Manish KS)
    Re: Need help with Common Standard Protection

    If you need to attach files to a post, click on the "use advanced editor" option, then you'll see the option to attach files.

    HTH -

    Joe

    (Please post questions to the forum, as I am unable to respond to private messages. Thanks!)


