2 Replies Latest reply on Feb 18, 2014 11:27 PM by ckundapu

    Stop updated LOB applications getting blocked

    tgphillsy

      I am following on from a discussion on this thread: https://community.mcafee.com/message/205950#205950

       

      We've currently got 68 computers all running the McAfee SaaS Endpoint Protection Advanced service, with users in Singapore, Australia, USA, Hong Kong and Dubai.  We set the policy for our users to 'Protect' which blocks all suspicious network activity and then 'eventually' notifies us in the McAfee TOPS control panel that an unrecognized program was blocked.  We use the protect mode so that 'non IT' staff members don't have to decide what to block or allow.  We originally had it set to prompt, but as expected, users were just hitting the allow button even if the program was a threat, which then resulted in the machine being comprimised and then IT support would need to fix, so heaps of man hours wasted there.

       

      Getting to the crux of the problem...

       

      We run a LOB application that is going to be used by every single user in the company.  As we found out yesterday, when installing this application onto a 'general user' machine using the protect mode policy, by default, McAfee will block that application from working.  The method for allowing this application is to go into the McAfee TOPS control panel, find the application, allow it, wait 4 hours, then the policy update will be pushed to all the users under the protect policy, then the users can use the application.  Yes, we realise that we can right click on the McAfee icon in the system tray, then 'update now', but on 68 machines in different time zones...really??

       

      Here is the problem... allowing/unblocking the application will work in the first version release (i.e. version 1.0.0.0), but, if we update the application (version 1.0.0.1), redeploy it to the server, user starts the old version application, new version gets downloaded, then restarted, McAfee decides that this is yet again an unrecognized program (which its not), and blocks it from working, putting the responsibility on IT support to start the whole allow unrecognized program process again, wait 4 hours, etc etc  before the user can use the updated version.  Just FYI, that 4 hours is on the provision that the Unrecognized Programs list gets updated quickly.  After speaking with another colleague working in our IT dept., he said some applications have taken 24/48 hours even up to a week to appear in the Unrecognized Programs list which is just crazy.

       

      So, I sent a help desk request last night, and I can pretty much expect that whoever gets back to me will say, oh just set your policy to Report or Prompt mode and that will allow the application through.   Wrong answer!

      We are on protect mode to do just that...protect the user.  Give us the ability to add an EXE file to the 'allow' list then push the policy update through to the end users.  If you are using something like an MD5 hash method to ID the EXE file, give us the ability to add that hash code plus the application EXE name to the 'allow' list ahead of time, that way our staff won't have the application blocked on update.  That would allow us to be pro-active rather than the current method of reactive.  If you are using some other proprietary software for generating the EXE fingerprint, add this function to the McAfee TOPS control panel, allowing us to 'browse' to the EXE file prior to deployment, so that the McAfee database can be updated with the EXE file + fingerprint, but again, we still need to be able to push the policy update through instead of waiting the minimum 4 hours.

       

      It was interesting to note that after pressing the submit button from the McAfee TOPS control panel > Help & Support > Contact Technical Support, just before pressing submit the second time (confirmation), a page was displayed asking if the problem I was having was in the list of FAQ's.  The very first item was about manually allowing/adding an EXE file to access the internet, but this was only for the desktop version of McAfee, so what the SaaS product has done, is remove one of key features that allowed administrators to pro-actively allow a known EXE file before running it.

       

      Over to you guys...

        • 1. Re: Stop updated LOB applications getting blocked
          ittea

          This so needs sorting. This is exactly the issue we have as well and its so annoying. And it's not just the in house applications, everytime we have a windows update theres always something that needs to be "re-allowed" but it takes an age (hours/days) to appear in "Unrecognized Programs" , and 9 times out of 10 OUTLOOK will be one of the blocked programs. SO ANNOYING...

          It would be so much better for all if we did have a feature as mentioned by tgphillsy. we are spending over £15k every 3 years for this product (200+ users) surely at that price you would expect something. you all ready have it as an addon for epo - "Application Control ", why cant we have it for Saas.

           

          Again.... Over to you guys

          • 2. Re: Stop updated LOB applications getting blocked
            ckundapu

            Hello,

             

            To prevent any legitimate applications from being blocked, we are working on a more Robust GTI signature based Firewall system which will drastically bring down the "False Positives" that you are currently observing . This will be a part of our next version of end point security which will be released as an upgrade in 2nd Quarter 2014

             

            Meanwhile, I will look into the delayed reporting of applications appearing in "Unrecognized Programs" that you mentioned .

             

            Thanks for your time in providing this feedback

             

             

            Thanks

            Chandan Kundapur

            Product Management

            SaaS End Point Protection