1 Reply Latest reply on Sep 12, 2014 6:06 PM by needa

    Access Protection does not block http

    needa

      I have a clean W7 32-bit system with VSE 8.8 installed. I have enabled the Access Protection HTTP/FTP blocking option. Both the Block and Report boxes are checked. The system has the policy, as verified by viewing the AP properties on the endpoint. Other options, such as custom file R/W blocking, are working in the same policy. I have rebooted the system and there is still no HTTP blocking.


      Why does HTTP blocking not work? How does it block, simple port 80/443/22 blocking, or something better?


      VSE 8.8 5600.1067

      AP DAT 659

      Patch 4

      ePO 5.1 509

        • 1. Re: Access Protection does not block http
          needa

          From a Ben Andrew white paper... Basically, this blocking was meant for processes outside of the browser that are using port 80 to download or upload content.


          “Prevent HTTP communication”

          Many spyware, adware, and Trojan programs use port 80 for software downloads, bundled components, or updates. This rule will prevent any service (using svchost.exe) from communicating over port 80. This would stop common spyware and adware delivery mechanisms. Some server software uses port 80, although this isn’t common in desktops.

          This rule will block all HTTP communication for processes not in the exclusions list. Like FTP traffic, HTTP traffic is used by many applications to retrieve or transmit data. Spyware, adware, and Trojans also commonly use HTTP communication for software downloads of third-party components or updates. There are also many legitimate reasons for processes to communicate via HTTP. Many applications use a registration or self-update procedure that communicates over HTTP. Without the process being listed in the exclusions list, the traffic would be blocked; therefore, McAfee strongly recommends a thorough test and review cycle before enabling this rule.

          Intention: Many Trojans download scripts or other Trojans from websites controlled by the Trojan’s author. For example, http://vil.nai.com/vil/content/v_100487.htm. By blocking this communication, even if a system becomes infected with a new unknown Trojan it will be unable to download further malicious code.

          Risks: HTTP is a very widely used protocol. While we have included popular web browsers in the exclusion list, there may be many programs you may need to add based on your particular environment.

          ID and name in Host IPS: There is no corresponding signature in Host IPS.
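The following is an added illustration of the rule semantics described in the question ("how does it block?") and in the white-paper excerpt above; it is not McAfee code and not part of this thread. It models a per-process "Prevent HTTP communication" rule with independent Block and Report checkboxes, evaluated against a handful of constructed connection events. Assumptions: the rule matches only on remote TCP port 80 (the white paper names no other port), the exclusion list contains common browsers (the real default list ships with the AP DAT and may differ), and the log-line format is invented for readability. Running it shows why a browser-based test never trips the rule and why an HTTPS connection from an unlisted process is not covered.

```python
"""Model of a per-process 'Prevent HTTP communication' access-protection rule.

Added example, not McAfee code. The port set, the exclusion list and the log
format are assumptions; the connection events are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class HttpRule:
    enabled: bool = True
    block: bool = True                          # "Block" checkbox
    report: bool = True                         # "Report" checkbox
    ports: FrozenSet[int] = frozenset({80})     # assumption: only port 80 is covered
    # Assumed exclusion list; the shipped default list may differ.
    exclusions: FrozenSet[str] = frozenset({"iexplore.exe", "firefox.exe", "chrome.exe"})


@dataclass(frozen=True)
class Connection:
    process: str        # image name of the process opening the socket
    remote_port: int
    remote_host: str


def evaluate(rule: HttpRule, conn: Connection) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'report'."""
    if not rule.enabled:
        return "allow", "rule disabled"
    if conn.remote_port not in rule.ports:
        return "allow", f"port {conn.remote_port} is not covered by the rule"
    if conn.process.lower() in rule.exclusions:
        return "allow", f"{conn.process} is on the exclusion list"
    if rule.block:
        return "block", "non-excluded process on an HTTP port"
    if rule.report:
        return "report", "report-only: Block box is unchecked"
    return "allow", "rule matched but neither Block nor Report is set"


def apply_rule(rule: HttpRule, conns: List[Connection]) -> List[str]:
    """Produce log lines for every matched connection (constructed format)."""
    lines = []
    for c in conns:
        verdict, reason = evaluate(rule, c)
        if verdict == "allow" or not rule.report:
            continue                            # nothing to log
        action = "Blocked" if verdict == "block" else "Would be blocked"
        lines.append(f"{action}: {c.process} -> {c.remote_host}:{c.remote_port} ({reason})")
    return lines


# Constructed sample events (not captured from a real endpoint).
SAMPLE = [
    Connection("chrome.exe", 80, "example.com"),    # browser: excluded, so allowed
    Connection("updater.exe", 80, "example.com"),   # unlisted process: blocked
    Connection("updater.exe", 443, "example.com"),  # HTTPS: port not covered
    Connection("svchost.exe", 80, "example.com"),   # service host: blocked
]

if __name__ == "__main__":
    for line in apply_rule(HttpRule(), SAMPLE):
        print(line)
    print("--- Block unchecked, Report checked ---")
    for line in apply_rule(HttpRule(block=False), SAMPLE):
        print(line)
```

The two runs in the main block correspond to the two ways the policy can be ticked: with Block and Report both set, only the unlisted port-80 connections appear and are marked blocked; with Block cleared, the same connections are logged as "would be blocked" but go through. A test performed from an excluded browser, or over port 443, produces no log entry in either mode, which is the usual reason a working rule looks as if it "does not block".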