4 Replies Latest reply on Jul 26, 2016 5:06 PM by rmetzger

    Access Protection - Exclude folder / allow file in a specified folder

    root-ka

      Hi there,

      I'm blocking .bat and .js files in Excel and other Office programs via an Access Protection user-defined rule.

      File or folder name to block: *.js (*.bat)

      Now I want to ALLOW Excel to run these files when they are in a specified folder, for example "C:\test\test.bat".

      How can I exclude a LOCATION, not only a Process? Is there a special wildcard I have to use?

      Thank you!

        • 1. Re: Access Protection - Exclude folder / allow file in a specified folder
          taziegma

          Access Protection rules in VSE are based on the process name. There is no wildcard that can be used. ENS 10, however, does have some new options when creating Access Protection rules that allow for some flexibility under the scenario you've presented.

          • 2. Re: Access Protection - Exclude folder / allow file in a specified folder
            rmetzger

            Hi Root-ka,

            root-ka wrote:

            I'm blocking .bat and .js files in Excel and other Office programs via an Access Protection user-defined rule.

            File or folder name to block: *.js (*.bat)

            Now I want to ALLOW Excel to run these files when they are in a specified folder, for example "C:\test\test.bat".

            How can I exclude a LOCATION, not only a Process? Is there a special wildcard I have to use?

            This article defines ways to allow specific processes (in your case Excel.exe) to be excluded from having files scanned, such as .bat or .js.

            McAfee KnowledgeBase - Understanding High-Risk, Low-Risk, and Default processes configuration and usage

            The low-risk process policy allows you to place the executable on the list so it is NOT scanned in memory, by virtue of no scanning on read or write for the process. You can also declare supporting file paths as part of the do-not-scan list.

            High/Low-Risk Process Policies are a much better way to limit exclusions and security exposures, giving better performance to trusted processes while still maintaining full security when other non-trusted processes (such as Explorer.exe) attempt access to that exclusion.

            This is a completely different approach to how you are doing this now, but it might provide better options for keeping your systems secure while limiting the impact and exposure of exclusions.

            Let us know if this helps.

            Ron Metzger

            • 3. Re: Access Protection - Exclude folder / allow file in a specified folder
              taziegma

              Ron,

              You're talking about a completely different feature of VSE. High/Low-risk process relates solely to the on-access scanner and does not apply to Access Protection. If I had to guess, I'd say that Root-ka is using Access Protection rules to mitigate the threat of ransomware. Access Protection rules require the use of a process and can prevent files/folders/ports/registry keys from being changed or modified. What Root-ka wants to do is allow Excel to run these blocked file types, but only if the files originate from a certain spot. That functionality is not possible in VSE AP today. You can only include/exclude by process name. With ENS 10, you can build more complex Access Protection rules with subrules that would enable the behavior Root-ka is looking for.
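An added illustration of the distinction taziegma draws above; this is not part of the thread and not McAfee's rule syntax or API. The Python below models the two rule shapes as plain functions: a process-keyed rule with no location exception (what the reply says VSE Access Protection can express) and the same rule with a location subrule (what root-ka asked for). The process list, the allowed folder and the sample paths are constructed for the example. The point a practitioner should take from it is the caveat that any location-based exception is only as good as its path canonicalization: without normalizing `..`, forward slashes and case before the prefix test, `C:\test\..\Users\bob\evil.bat` or `C:\TEST\run.bat` would be judged wrongly, and a bare `startswith("C:\test")` would also wave through `C:\testing\`.

```python
import fnmatch
import ntpath

# Constructed model of the rule described in the thread. These names are
# assumptions for illustration only, not McAfee VSE/ENS rule syntax.
BLOCKED_PATTERNS = ("*.bat", "*.js")
INCLUDED_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
ALLOWED_FOLDER = r"C:\test"   # the location exception root-ka wants


def canon(path):
    """Normalize a Windows path the way the file system would resolve it:
    collapse '.' and '..', turn '/' into '\\', and fold case (NTFS is
    case-insensitive). Every comparison below runs on this form only."""
    return ntpath.normcase(ntpath.normpath(path))


def in_folder(path, folder):
    """True only for files strictly beneath `folder`. The trailing separator
    is what keeps C:\\testing\\x.bat out when the folder is C:\\test."""
    prefix = canon(folder).rstrip("\\") + "\\"
    return canon(path).startswith(prefix)


def matches_blocked_type(path):
    """Match the file name against the blocked wildcards, case-insensitively."""
    name = ntpath.basename(canon(path))
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in BLOCKED_PATTERNS)


def vse_style(process, path):
    """Process-keyed rule with no location exception (the VSE AP shape).
    Processes not named in the rule are untouched by it, so a .bat launched
    by explorer.exe is 'allow' here regardless of where it lives."""
    if ntpath.basename(canon(process)) not in INCLUDED_PROCESSES:
        return "allow"
    return "block" if matches_blocked_type(path) else "allow"


def ens_style(process, path, allowed_folder=ALLOWED_FOLDER):
    """The same rule with a location subrule: blocked types are still blocked
    for the listed processes, except when the file sits under allowed_folder."""
    if vse_style(process, path) == "allow":
        return "allow"
    return "allow" if in_folder(path, allowed_folder) else "block"


def demo():
    """Constructed cases, including the canonicalization edge cases."""
    cases = [
        ("EXCEL.EXE", r"C:\test\test.bat"),              # the exception root-ka asked for
        ("excel.exe", r"C:\test\..\Users\bob\evil.bat"), # traversal out of the folder
        ("excel.exe", r"C:\TEST\Run.BAT"),               # case differences
        ("excel.exe", r"C:\testing\x.bat"),              # sibling folder sharing a prefix
        ("excel.exe", "c:/test/a.js"),                   # forward slashes
        ("explorer.exe", r"C:\x.bat"),                   # process not covered by the rule
        ("excel.exe", r"C:\test\report.xlsx"),           # not a blocked type
    ]
    return [(proc, path, vse_style(proc, path), ens_style(proc, path)) for proc, path in cases]


if __name__ == "__main__":
    for proc, path, vse, ens in demo():
        print(f"{proc:13} {path:40} VSE-style: {vse:5} ENS-style: {ens}")
```

Running the module prints one line per constructed case with both verdicts side by side; the traversal and sibling-folder cases are the ones to watch, since a naive string prefix would get both wrong.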

              • 4. Re: Access Protection - Exclude folder / allow file in a specified folder
                rmetzger

                Hi taziegma,

                taziegma wrote:

                You're talking about a completely different feature of VSE. High/Low-risk process relates solely to the on-access scanner and does not apply to Access Protection.

                Yes, Exactly! I am suggesting a completely different security model.

                taziegma wrote:

                If I had to guess, I'd say that Root-ka is using Access Protection rules to mitigate the threat of ransomware.

                Great. I prefer not to guess.

                root-ka wrote:

                Now I want to ALLOW Excel to run these files when they are in a specified folder, for example "C:\test\test.bat".

                How can I exclude a LOCATION, not only a Process? Is there a special wildcard I have to use?

                This suggests that an approach other than just user-defined Access Protection rules may be desired.

                If blocking ransomware is the goal, OAS is a tool that can also mitigate the threat (though not as rigorously), while still allowing certain whitelisted processes to continue without the limitations otherwise imposed. Access Protection rules are a bit restrictive, as you stated. Thus a different security model may be needed.

                taziegma wrote:

                Access Protection rules require the use of a process and can prevent files/folders/ports/registry keys from being changed or modified. What Root-ka wants to do is allow Excel to run these blocked file types, but only if the files originate from a certain spot. That functionality is not possible in VSE AP today. You can only include/exclude by process name. With ENS 10, you can build more complex Access Protection rules with subrules that would enable the behavior Root-ka is looking for.

                So, two options exist:

                1.) Learn VSE High/Low-Risk Process Policies

                     a.) Convert Default Process Policies to the High/Low-Risk model

                     b.) Test the new OAS rules

                     c.) Deploy the new OAS rules

                2.) Upgrade to ENS 10 and learn ENS Access Protection rules

                     a.) Test ENS in the environment

                     b.) Test ENS Access Protection rules

                     c.) Test the deployment (removing VSE and other legacy products, which are replaced by ENS)

                     d.) Train the Help Desk on the deployment and support of ENS

                     e.) Deploy

                While staying with VSE may be easier, VSE has a defined End-of-Life date and will no longer be supported long term.

                ENS is a newer product replacing VSE (and other legacy products) and should be the long term solution.

                Some might say that ENS is still having growing pains.

                It is root-ka's decision which learning curve to apply.

                Ron Metzger