5 Replies Latest reply on Aug 27, 2014 10:48 AM by NMaurMcAfee

    Access Protection Rule Reporting

    drshoe28

      Hello,


      Currently we have our access protection policy set to only report - not block - any .EXE file running from AppData.

      This is working out really well for us because we can see what files we may need to block and which we can continue to run.

      Unfortunately we are being blasted with notifications from "trusted" applications and they are keeping our logs full.

      Ultimately, I'd like to create a rule to say "report all .EXE files running from AppData except for these: yada-yada.exe, this-n-that.exe, and so on and so forth."


      Does anyone know how I can do this? I cannot seem to find it anywhere in ePO.


      Thank you!

        • 1. Re: Access Protection Rule Reporting
          NMaurMcAfee

          Can you supply a screen shot of your rule?


          Create a standard query with base filters:

          Threat name=name of rule

          Threat target file path does not contain= yada-yada.exe


          Just remember exclusions are based off of the executing process (threat source process name).

          • 2. Re: Access Protection Rule Reporting
            drshoe28

            Here's the screenshot.

            ePO.PNG

            I know that the query could eliminate the visibility, but I'm looking to actually free up space because there are so many reports generated.

            • 3. Re: Access Protection Rule Reporting
              NMaurMcAfee

              Select the Block EXE rule and open the details, add a screen shot of that.


              Next step would be to see what processes are actually triggering the rule.


              Create a single group summary table query.

              Use filters:

              Threat Name= User-Defined Rules:Block EXE from AppData

              Group by threat source process name. This will show you which programs are creating the most events. Also add that screen shot.

              • 4. Re: Access Protection Rule Reporting
                drshoe28

                The attachment for the block *.EXE

                ePO Exceptions.PNG

                And a screenshot of the filter...

                AppData.PNG

                And some copy&paste of the Threat Target Path File:

                C:\Users\jgl\AppData\Local\Citrix\GoToMeeting\1312\g2mupdate.exe

                C:\Users\pls\AppData\Local\Google\Update\GoogleUpdate.exe

                C:\Users\kdn\AppData\Local\Citrix\GOTOMEETING\1558\g2minstaller.exe

                C:\Users\cam\AppData\Roaming\Dropbox\bin\Dropbox.exe

                • 5. Re: Access Protection Rule Reporting
                  NMaurMcAfee

                  The way the rule reads is: Prevent all exe files from being created\executed in the AppData directory except if the process attempting the action is program x (x being the threat source process).

                  It does NOT read: Prevent all exe files from being created\executed in the AppData directory except if the file being created is file x (x being the target file).


                  I think you're getting a lot of hits for a few reasons.

                  1. You're using a variable to cover all subfolders. Typically it's only recommended to prevent creation of executables in the root of AppData, or the root of a subgroup of AppData (e.g. Roaming, Local, LocalLow). The rule looks like: **\AppData\*.exe and **\AppData\*\*.exe
                  2. You can try unchecking read\write (if not, you may want to add the McAfee processes mcshield.exe, scan32.exe, scan64.exe as exclusions).
                  3. Lastly, if you still want to keep the directory exclusion the same, which would cover all subdirectories of AppData, I would recommend using **\AppData\**.exe instead of **\AppData\**\*.exe, because the way you have it listed doesn't prevent executables from being created in the root of AppData.
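The two points in reply 5 (which wildcard forms cover the root of AppData, and that exclusions are matched against the source process rather than the target file) can be checked mechanically. The matcher below is an added example written for this page; it is not McAfee code and not from anyone in the thread. It assumes the VSE-style pattern semantics as the thread uses them: `**` matches any characters including the backslash, `*` and `?` match within a single path component, and comparison is case-insensitive. The four target paths from reply 4 are reused as sample input, together with two constructed paths (one executable directly in the root of AppData, one a single level down) so that each pattern's coverage differs visibly.

```python
import re

# Assumed wildcard semantics (see lead-in): "**" crosses backslashes,
# "*" and "?" do not; everything else is literal; case-insensitive.
def pattern_to_regex(pattern: str) -> re.Pattern:
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r".*")          # any characters, separators included
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")      # any characters within one component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")       # exactly one non-separator character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    return pattern_to_regex(pattern).match(path) is not None


# Sample target paths: the four pasted in reply 4, plus two constructed
# ones that exercise the "root of AppData" and "one level down" cases.
SAMPLE_TARGETS = [
    r"C:\Users\jgl\AppData\Local\Citrix\GoToMeeting\1312\g2mupdate.exe",
    r"C:\Users\pls\AppData\Local\Google\Update\GoogleUpdate.exe",
    r"C:\Users\kdn\AppData\Local\Citrix\GOTOMEETING\1558\g2minstaller.exe",
    r"C:\Users\cam\AppData\Roaming\Dropbox\bin\Dropbox.exe",
    r"C:\Users\xyz\AppData\rootlevel.exe",          # constructed: root of AppData
    r"C:\Users\xyz\AppData\Roaming\onelevel.exe",   # constructed: one level down
]


def coverage(pattern: str, targets=SAMPLE_TARGETS) -> list:
    """Return the sample targets a given rule pattern would report on."""
    return [t for t in targets if path_matches(pattern, t)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_fires(rule_pattern: str, excluded_processes, source_process: str,
               target_path: str) -> bool:
    """Evaluate one event the way reply 5 describes the rule: the exclusion
    list is compared with the threat SOURCE process, never with the target
    file, so listing a target file name as an exclusion changes nothing."""
    excluded = {_basename(p) for p in excluded_processes}
    if _basename(source_process) in excluded:
        return False
    return path_matches(rule_pattern, target_path)


if __name__ == "__main__":
    for pat in (r"**\AppData\*.exe", r"**\AppData\*\*.exe",
                r"**\AppData\**\*.exe", r"**\AppData\**.exe"):
        print(pat)
        for hit in coverage(pat):
            print("   ", hit)
```

Running the block prints, for each of the four pattern forms discussed in the thread, which sample paths it covers: `**\AppData\*.exe` reports only the root-level executable, `**\AppData\**\*.exe` reports everything except the root-level one, and `**\AppData\**.exe` reports all six, which is the difference reply 5 points out. `rule_fires` shows the exclusion scope: adding `GoogleUpdate.exe` to the exclusion list only suppresses events whose source process is GoogleUpdate.exe, not events where some other process writes a file of that name.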