10 Replies Latest reply: Aug 16, 2013 12:23 PM by kickoutbettman

    Need help with Common Standard Protection

    kickoutbettman

      Hello all,

      We're using ePO 4.6 with McAfee Agent 4.8 and VirusScan 8.8 Patch 2.

      I have TONS of alerts in ePO coming from the Access Protection policy "Common Standard Protection" - "Prevent common programs from running files from the Temp folder".

      I have several cases where I know what software is causing this, but I'm trying to figure out a way to exclude this software from triggering these "errors".

      The 2 pieces of software in question are GoToAssist from Citrix and the Lotus Notes Web client (used with Internet Explorer - iexplore.exe).

      These are 2 applications heavily used in our company (over 7000 nodes).

      As we speak, nothing is blocked since I'm in reporting mode, but my event log is being killed by these 2 applications.

      I've excluded almost all the processes I know of from these 2 applications, but I keep getting alerts.

      In both cases, the Threat Target File Path is always a DLL. So part of my question is: is there a way to exclude these DLLs instead of the process itself that is using them (usually iexplore.exe, which I definitely don't want to exclude)?

      Here's more information:

      Citrix GoToAssist

      Threat Source Process Name:C:\WINDOWS\Explorer.EXE
      Threat Target File Path:C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll
      Event Category:'File' class or access
      Event ID:1095
      Threat Name:Common Standard Protection:Prevent common programs from running files from the Temp folder
      Threat Type:access protection
      Action Taken:would deny execute
      Threat Handled:true
      Analyzer Detection Method:OAS
      Event Description:Access Protection rule violation detected and NOT blocked

      Lotus Notes Web Client

      Threat Source Process Name:C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Threat Target File Path:C:\Documents and Settings\%username%\Local Settings\Temp\dwa8res_en.dll
      Event Category:'File' class or access
      Event ID:1095
      Threat Name:Common Standard Protection:Prevent common programs from running files from the Temp folder
      Threat Type:access protection
      Action Taken:would deny execute
      Threat Handled:true
      Analyzer Detection Method:OAS
      Event Description:Access Protection rule violation detected and NOT blocked

      Thanks for the help

        • 1. Re: Need help with Common Standard Protection
          Manish KS

          Hi,

          The VSE AP rule which you are talking about is just enabled for Report by default; if you don't wish to receive the alerts/events you may just uncheck "Report" on the AP rule.

          If you would like to exclude the process names of IE and Lotus Notes, I am not sure that is going to work as these processes are already included in this rule:

          eudora.exe, explorer.exe, firefox.exe, iexplore.exe, MAPISP32.exe, mozilla.exe, msimn.exe, msn6.exe, msnmsgr.exe, neo20.exe, netscp.exe, nlnotes.exe, opera.exe, outlook.exe, Owstimer.exe, packager.exe, pine.exe, poco.exe, RESRCMON.EXE, SPSNotific*, thebat.exe, thunde*.exe, VMIMB.EXE, WinMail.exe, winpm-32.exe, winrar.exe, winzip32.exe

          So possibly another way you may try is: remove the process names "iexplore.exe and nlnotes.exe" from the include list of this rule, but again there is risk in doing it as the main source of threats nowadays is IE via Temp.

          Just for testing you may try it on one or two machines and see how it goes; however I would suggest you share the AP and OAS logs from any one of the machines which is reporting more events, so we can have an idea of what to do next for exclusion and what should be excluded.

          Thanks,

          Manish.

          on 14/8/13 11:50:17 PM IST
          • 2. Re: Need help with Common Standard Protection
            kickoutbettman

            Thanks for your reply Manish,

            My ultimate goal (in the long term) would be to use the option BLOCK on this rule, not only REPORT on it.

            So what I was thinking is, by using the REPORT ONLY function, I would get "data" over a long run and I would be able to exclude the processes in our environment that are "legit" and only get report data that would be useful to me.

            So if I uncheck the option REPORT, I will not be able to see other stuff that could be harmful.

            Basically, I think I will have to stop reporting on it, but I was looking to block these DLLs, or whatever is calling these DLLs; looks like we can't.

            Would excluding these files (*.exe files (Citrix, Notes...)) from the On Access Default help, or do you think IEXPLORE.EXE is really the piece calling the DLLs?

            Thanks again for your quick help

            • 3. Re: Need help with Common Standard Protection
              kickoutbettman

              and here's one of the OAS logs from one of the machines:


              8/14/2013          1:19:28 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           CACC\clepageb          C:\WINDOWS\Explorer.EXE          C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll          Common Standard Protection:Prevent common programs from running files from the Temp folder          Action blocked : Execute


              You can repeat that line 100 000 times and you'll get the complete log.
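When a log repeats the same record a hundred thousand times, the useful question is which source process, rule and target pattern the hits collapse to, and whether that source process is one the rule already names (so it belongs in the rule's "processes to exclude" box rather than the include list). The following is an added example written for this thread, not McAfee's or the poster's code. It assumes the tab-separated record layout quoted above (date, time, message, user, source process, target path, rule name, action), uses the include list from reply 1, and assumes VSE matches process names case-insensitively with `*` wildcards; the sample log lines are constructed.

```python
"""Aggregate VSE Access Protection log records to decide what to exclude.

Added example for this thread, not McAfee's code. Assumes the tab-separated
record layout the poster quoted (date, time, message, user, source process,
target path, rule name, action); the sample lines below are constructed.
"""
from collections import Counter
from fnmatch import fnmatchcase
import ntpath
import re

RULE_NAME = ("Common Standard Protection:"
             "Prevent common programs from running files from the Temp folder")

# Processes the rule already includes, as listed in reply 1 of the thread.
# The '*' entries use the wildcard style VSE uses for process names.
RULE_INCLUDED_PROCESSES = [
    "eudora.exe", "explorer.exe", "firefox.exe", "iexplore.exe", "MAPISP32.exe",
    "mozilla.exe", "msimn.exe", "msn6.exe", "msnmsgr.exe", "neo20.exe",
    "netscp.exe", "nlnotes.exe", "opera.exe", "outlook.exe", "Owstimer.exe",
    "packager.exe", "pine.exe", "poco.exe", "RESRCMON.EXE", "SPSNotific*",
    "thebat.exe", "thunde*.exe", "VMIMB.EXE", "WinMail.exe", "winpm-32.exe",
    "winrar.exe", "winzip32.exe",
]

MESSAGE = "Would be blocked by Access Protection rule  (rule is currently not enforced)"
GOTOASSIST = (r"C:\Documents and Settings\{user}\Local Settings\Temp\Citrix"
              r"\GoToAssist Remote Support Customer\{run}\g2a{n}.tmp"
              r"\g2ax_customer_resource_win32_x86_en_US_{run}.dll")
NOTES = r"C:\Documents and Settings\{user}\Local Settings\Temp\dwa8res_en.dll"


def _record(user, source, target):
    """Build one constructed AP log record in the quoted tab-separated layout."""
    return "\t".join(["8/14/2013", "1:16:08 PM", MESSAGE, "CACC\\" + user,
                      source, target, RULE_NAME, "Action blocked : Execute"])


# Constructed sample log: two GoToAssist runs and two Notes users, plus a
# line that is not a rule-violation record and must be skipped.
SAMPLE_LOG = "\n".join([
    _record("user1", r"C:\WINDOWS\Explorer.EXE", GOTOASSIST.format(user="user1", run=498, n=140)),
    _record("user1", r"C:\WINDOWS\Explorer.EXE", GOTOASSIST.format(user="user1", run=512, n=141)),
    _record("user1", r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", NOTES.format(user="user1")),
    _record("user2", r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", NOTES.format(user="user2")),
    "8/14/2013\t1:17:00 PM\tAccess Protection service started",
])


def parse_ap_log(text):
    """Parse tab-separated AP log records; lines without the 8 fields are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) < 8:
            continue
        date, time_, message, user, source, target, rule, action = fields[:8]
        events.append({"date": date, "time": time_, "message": message, "user": user,
                       "source": source, "target": target, "rule": rule, "action": action})
    return events


def normalize_target(path):
    """Collapse per-user and per-run variation so repeated hits group together:
    the profile directory becomes %USERPROFILE% and digit runs become '#'."""
    path = re.sub(r"(?i)^c:\\documents and settings\\[^\\]+", "%USERPROFILE%", path)
    return re.sub(r"\d+", "#", path)


def summarize(events):
    """Count hits per (source process basename, rule, normalized target)."""
    counts = Counter()
    for ev in events:
        key = (ntpath.basename(ev["source"]).lower(), ev["rule"], normalize_target(ev["target"]))
        counts[key] += 1
    return counts


def process_in_rule(process_name, included=RULE_INCLUDED_PROCESSES):
    """True if the rule's include list already names this process.
    Assumption: VSE matches process names case-insensitively with '*' wildcards."""
    name = process_name.lower()
    return any(fnmatchcase(name, pattern.lower()) for pattern in included)


def exclusion_candidates(counts, min_hits=2):
    """Source processes hitting this rule at least min_hits times; these are the
    names that go in the rule's "processes to exclude" box (not the target DLLs)."""
    per_process = Counter()
    for (source, rule, _target), n in counts.items():
        if rule == RULE_NAME:
            per_process[source] += n
    return sorted(p for p, n in per_process.items() if n >= min_hits)


if __name__ == "__main__":
    counts = summarize(parse_ap_log(SAMPLE_LOG))
    for (source, _rule, target), n in counts.most_common():
        status = "already in rule" if process_in_rule(source) else "not in rule"
        print(f"{n:6d}  {source:<14} ({status})  {target}")
    print("exclusion candidates:", exclusion_candidates(counts))
```

Run it against a real AccessProtectionLog.txt by replacing `SAMPLE_LOG` with the file contents. The summary shows the point made later in the thread: the target path is always the DLL, but the rule keys on the parent process, and both explorer.exe and iexplore.exe are already in the rule's include list, so the only way to stop the events without removing those names from the rule is the "processes to exclude" entry.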

              • 4. Re: Need help with Common Standard Protection
                Manish KS

                Hi

                AP (Access Protection) and OAS (On Access Scanner) are two different components of VirusScan Enterprise. The above log which you have given seems to be from the AP (Access Protection) log, so excluding the process in On Access Default will not help here as On Access Default belongs to OAS. Here you need to exclude the parent process name in the AP rule "Common Standard Protection" - "Prevent common programs from running files from the Temp folder". According to the above log, explorer.exe is the parent process. However I would request you to share the complete log folder named "DesktopProtection" which contains the VSE logs, so after reviewing I can suggest exactly what to do along with the steps to exclude.

                I don't think excluding the DLL will help.

                Thanks,

                Manish.

                on 15/8/13 12:58:18 AM IST
                • 5. Re: Need help with Common Standard Protection
                  kickoutbettman

                  How can I upload a zip file with the logs in it?

                  • 6. Re: Need help with Common Standard Protection
                    Manish KS

                    I can see some people have attached zip files while replying. Not sure how they have done it. However you can use any FTP link which you might have, or you may also use Google Drive and share the logs. My email id is manish.manibabu@gmail.com

                    • 7. Re: Need help with Common Standard Protection
                      Manish KS

                      Thanks for sharing the logs. Looking into the AP log I found the below:


                      8/14/2013          1:16:08 PM          Would be blocked by Access Protection rule  (rule is currently not enforced)           CACC\clepageb          C:\WINDOWS\Explorer.EXE          C:\Documents and Settings\clepageb\Local Settings\Temp\Citrix\GoToAssist Remote Support Customer\498\g2a140.tmp\g2ax_customer_resource_win32_x86_en_US_498.dll          Common Standard Protection:Prevent common programs from running files from the Temp folder          Action blocked : Execute


                      According to the above log the process explorer.exe is being detected by the VSE AP rule "Common Standard Protection:Prevent common programs from running files from the Temp folder". If you wish the VSE AP rule to not block or report this application you need to create a new policy in which you exclude the process. To do so you may refer to these steps:

                      -Log in to the ePO console

                      -Menu > Policy > Policy Catalog

                      -Click on the Product dropdown list and select VSE 8.x, and click on the Category dropdown list and select Access Protection Policies

                      -Select My Default and Duplicate it > Give a name for this policy (e.g. Do not report or block GotoAssist) and click OK

                      -The policy will be listed in the page

                      -Just click on the policy name "Do not report or block GotoAssist"

                      -Select Settings for: Workstation or Server (if you wish to apply this policy to a server OS you need to select Server, or if you wish to apply it to workstations you need to select Workstation)

                      -Below you will see the Access Protection Rules box

                      -From that box select "Common Standard Protection"

                      -On the right-hand side you will see another box which will have all the AP rules which relate to the Common Standard Protection rule

                      -Select "Common programs from running files from the temp folder" and click on Edit

                      -You will see three boxes; in the bottom one, "Processes to exclude", type the process name which you want to exclude: explorer.exe

                      -If you want you can use wildcards as well with process names. (To learn how to use wildcards: http://kc.mcafee.com/corporate/index?page=content&id=KB54812)

                      -Click on OK and Save

                      -Now the AP rule is created but not assigned to any machine

                      -I would suggest you assign this rule to one machine, reproduce the issue and test it.

                      To assign the rule to a single machine:

                      -Go to Menu > Systems > System Tree and select the machine on which you want to test it

                      -Click on Action > Agent > Modify policy on a single system

                      -Select Product VirusScan Enterprise 8.8.0

                      -Find Access Protection Policies > select it and click on Edit Assignment

                      -Select "Break inheritance and assign the policy and settings below"

                      -Assigned policy: select the created policy name "Do not report or block GotoAssist" and save it.

                      -Close the page and send an agent wake-up call to that machine and make sure the policy is enforced.

                      Thanks

                      Manish.

                      • 8. Re: Need help with Common Standard Protection
                        JoeBidgood

                        If you need to attach files to a post, click on the "use advanced editor" option; then you'll see the option to attach files.

                        HTH -

                        Joe

                        • 9. Re: Need help with Common Standard Protection
                          kickoutbettman

                          Thanks for the tip
