Check out the following:
White Paper Page 5 (wp-understanding-ep-security-10-module.pdf)
In addition, AP now proactively excludes all McAfee/Intel Security-signed processes from being
subject to access controls. McAfee VirusScan Enterprise 8.8 does not support this capability.
I have several (4) ePO 5.3 servers running for testing purposes. On only ONE of them I discovered the settings mentioned above. I first thought they came from a migrated VSE policy, but I can NOT reproduce the whole thing by migrating the policies again.
Even if I open up the "McAfee Default" or the "My Default" policies, there is no exclusion visible targeting the "McAfee signed processes". None of the 4 servers have it in their default policies.
So I'm wondering where the "McAfee signed processes" exclusion came from, which I got in just one policy but not within the defaults. The White Paper tells me that's a feature, so I expect it within the defaults.
Additionally, there are a lot of "rules" beginning with "IDS_AP_RULE". I don't know where they came from, either. Again, the default policies do not contain them.
Does anyone know the secret?