I am following on from a discussion on this thread: https://community.mcafee.com/message/205950#205950
We've currently got 68 computers all running the McAfee SaaS Endpoint Protection Advanced service, with users in Singapore, Australia, USA, Hong Kong and Dubai. We set the policy for our users to 'Protect', which blocks all suspicious network activity and then 'eventually' notifies us in the McAfee TOPS control panel that an unrecognized program was blocked. We use the protect mode so that 'non IT' staff members don't have to decide what to block or allow. We originally had it set to prompt, but as expected, users were just hitting the allow button even if the program was a threat, which then resulted in the machine being compromised and then IT support would need to fix it, so heaps of man hours wasted there.
Getting to the crux of the problem...
We run a LOB application that is going to be used by every single user in the company. As we found out yesterday, when installing this application onto a 'general user' machine using the protect mode policy, by default, McAfee will block that application from working. The method for allowing this application is to go into the McAfee TOPS control panel, find the application, allow it, wait 4 hours, then the policy update will be pushed to all the users under the protect policy, then the users can use the application. Yes, we realise that we can right click on the McAfee icon in the system tray, then 'update now', but on 68 machines in different time zones...really??
Here is the problem... allowing/unblocking the application will work in the first version release (i.e. version 220.127.116.11), but, if we update the application (version 18.104.22.168), redeploy it to the server, user starts the old version application, new version gets downloaded, then restarted, McAfee decides that this is yet again an unrecognized program (which it's not), and blocks it from working, putting the responsibility on IT support to start the whole allow unrecognized program process again, wait 4 hours, etc. etc. before the user can use the updated version. Just FYI, that 4 hours is on the provision that the Unrecognized Programs list gets updated quickly. After speaking with another colleague working in our IT dept., he said some applications have taken 24/48 hours, even up to a week, to appear in the Unrecognized Programs list, which is just crazy.
So, I sent a help desk request last night, and I can pretty much expect that whoever gets back to me will say, oh just set your policy to Report or Prompt mode and that will allow the application through. Wrong answer!
We are on protect mode to do just that...protect the user. Give us the ability to add an EXE file to the 'allow' list then push the policy update through to the end users. If you are using something like an MD5 hash method to ID the EXE file, give us the ability to add that hash code plus the application EXE name to the 'allow' list ahead of time, that way our staff won't have the application blocked on update. That would allow us to be pro-active rather than the current method of reactive. If you are using some other proprietary software for generating the EXE fingerprint, add this function to the McAfee TOPS control panel, allowing us to 'browse' to the EXE file prior to deployment, so that the McAfee database can be updated with the EXE file + fingerprint, but again, we still need to be able to push the policy update through instead of waiting the minimum 4 hours.
It was interesting to note that after pressing the submit button from the McAfee TOPS control panel > Help & Support > Contact Technical Support, just before pressing submit the second time (confirmation), a page was displayed asking if the problem I was having was in the list of FAQs. The very first item was about manually allowing/adding an EXE file to access the internet, but this was only for the desktop version of McAfee, so what the SaaS product has done is remove one of the key features that allowed administrators to pro-actively allow a known EXE file before running it.
Over to you guys...