11 Replies Latest reply on Aug 20, 2015 12:05 PM by wwarren

    Whitelisting Applications

    bbcomops

      Hi guys!

       

      I'm having an issue right now trying to allow the McAfee VirusScan Enterprise to ignore the installations/updates for certain applications. Currently the ePO is enforced in a way to prevent anything from running from the Temp folder. I've added multiple exclusions (in this case, I'm installing Java) but I'm hung up at just a few things. I'll attach a log file, but is there a more definitive way to allow some of these minor, common application (Chrome, Reader, Java, Windows Updates) updates to go through while still preventing other programs from installing, but without disabling Active Protection?

       

      Thanks for anyone's help!

        • 1. Re: Whitelisting Applications
          exbrit

          Moved to VSE for faster support

          ---

          Peter

          Moderator

          • 2. Re: Whitelisting Applications
            Troja

            Hi,

            If you block file generation with Access Protection, you have to exclude any process. From my experience, strong Access Protection rules generate many events but really give more security regarding advanced malware.

            1) How about HIPS? Access Protection Rules are available as HIPS Signatures. HIPS allows much more granular and easier exclusions.

            2) You can also take a look at Application Control. There you have some more options to define how a system is allowed to be changed.

             

            Cheers

            • 3. Re: Whitelisting Applications
              bbcomops

              Thanks for the reply Troja,

               

              Unfortunately I can't change our corporate anti-virus out, so I'm stuck trying to make these changes manually. Right now we're enforcing policies that prevent users from being able to install (basically) any program on their computer. The ePO manager has areas to make configuration changes, but specifically for this issue that I'm having with Java, I can't seem to get McAfee to ignore the process.

              • 4. Re: Whitelisting Applications
                Troja

                Hm,

                can you tell me why these rules are activated?

                - Does anyone check the events and rate them?

                This is the problem with Access Protection. If you block execution from the Temp folder, you will have false positives, and you have to check every event to see whether it was generated by malware or by a trusted installer :-(

                Cheers

                • 5. Re: Whitelisting Applications
                  bbcomops

                  It's just what my company specifically wants, unfortunately. If you look at the text-file I attached to my original post, you'll see the problem I'm having right now. I believe those two blocked parts of the installation are preventing me from successfully installing Java, but I can't get the ePO to accept that change at all.

                  • 6. Re: Whitelisting Applications
                    Troja

                    Hmmm,

                    the exclusion should not be a problem. You can see the process name and the blocking rule in the log. Just add the corresponding process name to the excluded process names in the Access Protection rule.

                    Don't forget to check whether policy inheritance is broken in the System Tree.

                    Cheers

                    • 7. Re: Whitelisting Applications
                      bbcomops

                      That's what I said too, but even after adding them to the exclusion list, it won't install. The policy inheritance is broken, but that's because I was having problems pushing to the computers in my test-group, so I just broke the policy for one computer specifically.

                      • 8. Re: Whitelisting Applications
                        bbcomops

                        Bumping this since I need more assistance.

                        • 9. Re: Whitelisting Applications
                          tomz2

                          Hi bbcomops,


                          As others have mentioned, Access Protection is not really intended for what you are trying to do. HIPS can do more of this with custom signatures, but even that can become complicated over time.


                          If you need to prevent updates to applications, then I'd suggest reviewing user permissions to determine why they have that ability in the first place.


                          I'd also strongly suggest looking at McAfee Application Control. It is not a VSE replacement, so you don't have to worry about changing your corporate AntiVirus standard, but you would be able to "solidify" systems and prevent not just certain updates, but any and all unwanted programs. You may want to talk to your Intel Security sales rep, as it is possible you may already own licenses depending on the suite you purchased.
