2 Replies Latest reply on Mar 23, 2015 1:03 PM by wwarren

    Access protection logging

    mr.townsend83

      Recently we have been attempting to help users with a wide variety of application issues, i.e. a Java applet that suddenly would not run, a connection to the company's VPN, or other oddities. When we go through all other troubleshooting, we notice that the only clue or mention of anything that the user is experiencing is located in the Access Protection logs of VSE 8.8. These are showing warnings, but there is a serious correlation on the timestamps between the issue that we see and what the user experiences, i.e. blocking from the temp folder etc. Access Protection statistics show the same number of blocked program activity as there are "Would be blocked". I have been searching the forums; is there any scenario where a system could block an application from accessing the temp folder but the log would only warn? Thanks for any support in advance. This has been going on for a month or so now.

        • 1. Re: Access protection logging
          ansarias

          If you have selected "report only" rather than block, then you will get an alert like "would be blocked". If McAfee AP is blocking anything, then it will be captured in the logs with the correct AP detected rule.

          • 2. Re: Access protection logging
            wwarren

            More than likely, what you are seeing is an artifact of the application's behavior.

            i.e. that it is performing multiple operations, one of which is triggering the AP rule that's in warn mode - but we will allow it. This is not your smoking gun.

            "Warn mode" AP rules are benign (but a potential clue to the 3rd party app's behavior).


            We do have "silent" enforcement for a certain behavior that applications may exhibit; it was implemented to stop malware.

            It occurs when someone tries to "SetSecurity" on a protected file/folder. The attempt will be blocked but not logged.

            3rd party applications that fail to handle being denied may fail altogether; it depends, but it's not our problem to solve - we can only advise a workaround (disable the feature, or find and disable the rules that are applicable).
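A triage script for the situation described in this thread, added here as an example and not code from the original posts or from McAfee. It parses Access Protection log lines, separates enforced "Blocked" entries from warn-mode "Would be blocked" entries (which wwarren notes are benign), and reports only the enforced blocks that fall inside a time window around a reported application failure. The tab-separated column layout (date, time, action, user, process, target, rule), the rule names, paths and every log line below are constructed for the example and are assumptions, not taken from the thread or from any real AccessProtectionLog.txt.

```python
"""Correlate VSE 8.8 Access Protection log entries with an application failure window.

Assumed layout of each log line (an assumption for this example, not from the thread):
    date<TAB>time<TAB>action<TAB>user<TAB>process<TAB>target<TAB>rule
"""
from datetime import datetime, timedelta

# Constructed sample log lines; rule names, users and paths are invented.
SAMPLE_LOG = "\n".join([
    "3/23/2015\t12:58:10 PM\tWould be blocked by Access Protection rule (rule is currently not enforced)"
    "\tCORP\\jsmith\tC:\\Program Files\\Java\\bin\\javaw.exe"
    "\tC:\\Users\\jsmith\\AppData\\Local\\Temp\\jar_cache1.tmp\tExample Rule A:Warn on writes to Temp",
    "3/23/2015\t12:58:12 PM\tWould be blocked by Access Protection rule (rule is currently not enforced)"
    "\tCORP\\jsmith\tC:\\Program Files\\Java\\bin\\javaw.exe"
    "\tC:\\Users\\jsmith\\AppData\\Local\\Temp\\jar_cache2.tmp\tExample Rule A:Warn on writes to Temp",
    "3/23/2015\t12:58:40 PM\tBlocked by Access Protection rule"
    "\tCORP\\jsmith\tC:\\Program Files\\VPN\\vpnclient.exe"
    "\tC:\\Users\\jsmith\\AppData\\Local\\Temp\\vpn_helper.exe\tExample Rule B:Block execution from Temp",
    "3/23/2015\t12:59:05 PM\tWould be blocked by Access Protection rule (rule is currently not enforced)"
    "\tCORP\\jsmith\tC:\\Program Files\\Office\\outlook.exe"
    "\tC:\\Users\\jsmith\\AppData\\Local\\Temp\\~DF1.tmp\tExample Rule A:Warn on writes to Temp",
    "3/23/2015\t1:03:00 PM\tBlocked by Access Protection rule"
    "\tCORP\\jsmith\tC:\\Users\\jsmith\\Downloads\\setup.exe"
    "\tC:\\Users\\jsmith\\AppData\\Local\\Temp\\installer.exe\tExample Rule B:Block execution from Temp",
])

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"
WARN_PREFIX = "Would be blocked"     # rule in warn/report-only mode: operation was allowed
BLOCK_PREFIX = "Blocked"             # rule enforced: operation was denied


def parse_ts(text):
    """Parse '3/23/2015 12:58:30 PM' into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_ap_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        date, time_, action, user, process, target, rule = fields[:7]
        if action.startswith(WARN_PREFIX):
            mode = "warn"
        elif action.startswith(BLOCK_PREFIX):
            mode = "blocked"
        else:
            mode = "other"
        events.append({
            "time": parse_ts(f"{date} {time_}"), "mode": mode, "user": user,
            "process": process, "target": target, "rule": rule,
        })
    return events


def summarize(events):
    """Count entries per mode; this is the 'Blocked' vs 'Would be blocked' split."""
    counts = {"blocked": 0, "warn": 0, "other": 0}
    for e in events:
        counts[e["mode"]] += 1
    return counts


def events_in_window(events, failure_time, seconds=60):
    """All entries within +/- seconds of the reported failure (string or datetime)."""
    if isinstance(failure_time, str):
        failure_time = parse_ts(failure_time)
    lo = failure_time - timedelta(seconds=seconds)
    hi = failure_time + timedelta(seconds=seconds)
    return [e for e in events if lo <= e["time"] <= hi]


def candidate_causes(events, failure_time, seconds=60, process=None):
    """Enforced blocks near the failure, optionally restricted to one executable name.

    Warn-mode entries are dropped: the operation went through, so they cannot
    have caused the failure. An empty result does not clear Access Protection,
    since (per the thread) SetSecurity attempts on protected objects are denied
    without being logged at all.
    """
    near = events_in_window(events, failure_time, seconds)
    causes = [e for e in near if e["mode"] == "blocked"]
    if process:
        causes = [e for e in causes if e["process"].lower().endswith(process.lower())]
    return causes


if __name__ == "__main__":
    evs = parse_ap_log(SAMPLE_LOG)
    print("log summary:", summarize(evs))
    for e in candidate_causes(evs, "3/23/2015 12:58:30 PM"):
        print(f"{e['time']:%H:%M:%S} {e['process']} -> {e['target']} [{e['rule']}]")
```

Run with the user's reported failure time; only the vpnclient.exe entry is an enforced block inside the window, while the javaw.exe entries that line up with the Java applet complaint are warn-mode and were allowed. Filtering by process (for example `process="javaw.exe"`) returning nothing is the signal to look elsewhere, including at the unlogged SetSecurity enforcement wwarren describes.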