McAfee-defined Access Protection rules Flashcards

1
Q

Browsers launching files from the Downloaded Program Files folder

A

Prevents software from installing through the web browser

Benefits: Prevents adware and spyware from installing and running executables from the Downloaded Program Files folder (the browser's ActiveX download cache, not the user's Downloads folder)

Risks: Might block installation of legitimate software

2
Q

Changing any file extension registrations

A

Protects the registry keys under HKEY_CLASSES_ROOT where file extensions are registered.

Benefits: Prevents malware from changing the file extension registrations to allow malware to execute silently

Risks: Might block installation of legitimate software

3
Q

Changing user rights policies

A

Protects registry values that contain Windows security information.

Benefit: Prevents worms from changing accounts that have administrator rights

4
Q

Creating new executable files in the Program Files folder

A

Benefit: Prevents adware and spyware from creating new .EXE and .DLL files and installing new executable files in the Program Files folder.

Risk: might block installation of legitimate software

5
Q

Creating new executable files in the Windows folder

A

Prevents the creation of files from any process, not just from over the network

Benefits: Prevents the creation of .EXE and .DLL files in the Windows folder

Risks: Might block legitimate software from creating these files in the Windows folder

6
Q

Disabling Registry Editor and Task Manager

A

Protects the Windows registry policy entries that control Registry Editor and Task Manager, so that malware cannot disable either tool
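The values this rule guards are ordinary policy entries, so they can be audited directly. The following PowerShell script is an added example (not McAfee code) that reports the DisableRegistryTools and DisableTaskMgr values under the per-user and per-machine policy keys and shows how to undo them; it assumes the standard policy key locations shown in the script.

```powershell
# Added example (not McAfee's own code): audits the policy values malware sets to
# disable Registry Editor and Task Manager, the entries the rule above protects.
# Assumption: the policy keys live at the standard locations below.
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$PolicyValues = 'DisableRegistryTools', 'DisableTaskMgr'

function Get-ToolDisablePolicy {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $PolicyValues) {
            $value = $props.$name
            if ($null -ne $value) {
                [pscustomobject]@{
                    Key      = $key
                    Name     = $name
                    Value    = $value
                    # 1 disables the tool; DisableRegistryTools also accepts 2 (disable, no prompt).
                    Disabled = ($value -ne 0)
                }
            }
        }
    }
}

$findings = Get-ToolDisablePolicy
if (-not $findings) { 'No DisableRegistryTools/DisableTaskMgr values are set.' }
$findings | Format-Table -AutoSize

# Remediation: remove the values rather than zeroing them so no policy remains
# (HKLM needs an elevated session).
# $findings | Where-Object Disabled | ForEach-Object {
#     Remove-ItemProperty -Path $_.Key -Name $_.Name
# }
```

A value under HKCU disables the tool for that user only; the HKLM value applies to every account, which is why both hives are checked.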

7
Q

Doppelganging attacks on processes

A

Prevents “Process Doppelganging” attacks from changing processes

Benefits: Prevents malware from loading and executing arbitrary code in the context of legitimate or trusted processes

8
Q

Executing Mimikatz malware

A

Prevents executables named mimikatz from running, so the Mimikatz credential-dumping tool is blocked before it executes. Because the rule matches on the file name, a renamed copy of the tool is not covered by it.

9
Q

Executing Scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders

A

Prevents the Windows scripting host from running VBScript and JavaScript scripts in any folder with “temp” in the folder name

Benefit: Protects against many trojans and questionable web installation mechanisms used by adware and spyware applications

Risks: Might block legitimate scripts and third-party applications from being installed or run

10
Q

Executing Windows Subsystem for Linux

A

Prevents an administrator user from running the Windows Subsystem for Linux

Benefit: Prevents malware designed for Linux systems from attacking Windows computers

11
Q

Hijacking .EXE or other executable extensions

A

Protects .EXE, .BAT, and other executable registry keys under HKEY_CLASSES_ROOT

Benefit: Prevents malware from changing these registry keys so that the malware runs whenever another executable is launched
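The hijack this rule and the "Changing any file extension registrations" rule prevent is visible in the registry: the extension maps to a ProgID, and the ProgID's open command decides what runs. The PowerShell script below is an added example (not McAfee code) that checks both links for the common executable extensions. It assumes the stock open command for each listed ProgID is exactly "%1" %*, which holds on default Windows installs; environments that legitimately wrap these handlers need an allow-list.

```powershell
# Added example (not McAfee's own code): detects hijacked executable handlers under
# HKEY_CLASSES_ROOT. A hijacked command typically reads  "C:\path\malware.exe" "%1" %*
# so the malware starts first and then launches the program the user asked for.
# Assumption: each ProgID below normally maps to the open command "%1" %*.
$Expected = '"%1" %*'
$Targets = @{
    '.exe' = 'exefile'
    '.bat' = 'batfile'
    '.cmd' = 'cmdfile'
    '.com' = 'comfile'
    '.pif' = 'piffile'
}

function Test-ExecutableHandler {
    foreach ($ext in $Targets.Keys) {
        # Step 1: which ProgID does the extension point to?
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'

        # Step 2: what command does that ProgID run? HKCR is the merged view, so a
        # per-user override in HKCU\Software\Classes shows up here as well.
        $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$($Targets[$ext])\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Command   = $command
            ProgIdOk  = ($progId -eq $Targets[$ext])
            CommandOk = ($command -eq $Expected)
        }
    }
}

$results = Test-ExecutableHandler
$results | Format-Table -AutoSize
# Anything that fails either check is a candidate hijack:
$results | Where-Object { -not ($_.ProgIdOk -and $_.CommandOk) }
```

The .scr handler is deliberately left out because its stock command is "%1" /S rather than "%1" %*; add it with its own expected value if you extend the table.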

12
Q

Installing Browser Helper Objects or Shell Extensions

A

Prevents Browser Helper Objects from installing on the host computer (doesn't prevent already installed Browser Helper Objects from working)

Benefits: Prevents adware, spyware, and trojans from installing on systems

Risks: Might block legitimate applications from installing Browser Helper Objects
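Because the rule stops new installs but leaves existing BHOs alone, it is worth knowing what is already registered. The PowerShell script below is an added example (not McAfee code) that lists the BHOs registered on the host, resolves each CLSID to the DLL Internet Explorer would load, and checks the DLL's Authenticode signature. It assumes BHOs are registered under the standard 64-bit and WOW6432Node keys shown in the script.

```powershell
# Added example (not McAfee's own code): enumerates installed Browser Helper Objects.
# Assumption: BHOs are registered under these two keys (native and 32-bit views).
$BhoKeys = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
)

function Get-BrowserHelperObject {
    foreach ($entry in $BhoKeys) {
        if (-not (Test-Path $entry.Key)) { continue }
        foreach ($sub in Get-ChildItem -Path $entry.Key) {
            $clsid    = $sub.PSChildName                      # {GUID} of the COM class
            $clsidKey = "$($entry.Clsid)\$clsid"
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists  = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
            $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

            [pscustomobject]@{
                View      = $entry.Key
                CLSID     = $clsid
                Name      = $name
                Dll       = $dllPath
                DllExists = $exists
                Signature = if ($sig) { $sig.Status.ToString() } else { 'NotChecked' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

$bhos = Get-BrowserHelperObject
$bhos | Format-List
# Unsigned DLLs, or DLLs outside Program Files / Windows, are the ones to investigate:
$bhos | Where-Object { $_.Signature -ne 'Valid' -or $_.Dll -notmatch '^(?i)C:\\(Program Files|Windows)' }
```

A BHO whose CLSID does not resolve to an InprocServer32 DLL is harmless today but indicates leftover or broken registration; one that resolves to an unsigned DLL in a user-writable directory is the adware pattern the rule is meant to stop.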

13
Q

Installing new CLSIDs, APPIDs, and TYPELIBs

A

Prevents the installation or registration of new COM servers.

Benefits: Protects against adware and spyware programs that install themselves as a COM add-on to Internet Explorer or Microsoft Office applications

Risk: Might block installation of some common applications, like Adobe Flash

14
Q

Modifying core Windows processes

A

Prevents files from being created or executed with the most commonly spoofed Windows process names (authentic Windows files are excluded).

Benefit: Prevents viruses and Trojans from running under the name of a Windows process

15
Q

Modifying Internet Explorer Settings

A

Blocks processes from changing settings in Internet Explorer

Benefit: Prevents start-page trojans, adware, and spyware from changing browser settings, such as the start page or the installed favorites

16
Q

Modifying network settings

A

Prevents processes that aren't on the exclusion list from changing the system's network settings

Benefits: Protects against Layered Service Providers that transmit data, like your browsing behavior, by capturing network traffic and sending it to third-party sites

Risks: Might block legitimate processes that need to change network settings
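A Layered Service Provider registers itself in the Winsock catalog, which is why this rule watches network settings. The PowerShell script below is an added example (not McAfee code) that parses the output of netsh winsock show catalog into one object per provider and flags layered entries and any provider DLL that is not a valid Microsoft-signed file. It assumes the netsh output uses one block per provider with "Entry Type:", "Description:", "Provider ID:", "Provider Path:" and "Catalog Entry ID:" lines, as on current Windows releases.

```powershell
# Added example (not McAfee's own code): lists Winsock catalog providers and flags LSPs.
# Assumption: `netsh winsock show catalog` prints a "Winsock Catalog ... Entry" header
# followed by "Field: value" lines for each provider.
function Get-WinsockProvider {
    $lines = netsh winsock show catalog
    $block = @{}

    function Emit-Block([hashtable]$b) {
        $pp   = $b['Provider Path']
        $path = if ($pp) { [Environment]::ExpandEnvironmentVariables($pp) } else { $null }
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            EntryId   = $b['Catalog Entry ID']
            Type      = $b['Entry Type']
            Name      = $b['Description']
            ProviderId = $b['Provider ID']
            Dll       = $path
            DllExists = $exists
            Signature = if ($sig) { $sig.Status.ToString() } else { 'NotChecked' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

    foreach ($line in $lines) {
        if ($line -match '^\s*Winsock Catalog') {
            # A new header closes the previous provider block.
            if ($block.Count -gt 0) { Emit-Block $block; $block = @{} }
        }
        elseif ($line -match '^\s*(Entry Type|Description|Provider ID|Provider Path|Catalog Entry ID)\s*:\s*(.*)$') {
            $block[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($block.Count -gt 0) { Emit-Block $block }   # flush the final block
}

$providers = Get-WinsockProvider
$providers | Format-Table EntryId, Type, Name, Dll, Signature -AutoSize
# Layered providers, or DLLs not validly signed by Microsoft, are the LSP pattern:
$providers | Where-Object {
    $_.Type -match 'Layered' -or $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
```

On a clean host every entry is a base or chain provider backed by a Microsoft-signed DLL under System32; a layered entry pointing at a third-party DLL is exactly the traffic-capturing provider this rule is written to block.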

17
Q

Registering of programs to autorun

A

Blocks adware, spyware, trojans, and viruses from trying to register themselves to load every time a system is restarted

Benefits: Prevents processes that aren’t on the excluded list from registering processes that execute each time a system restarts

Risks: Might block legitimate processes that need to register themselves to load at system startup

18
Q

Remotely accessing local files or folders

A

Prevents read and write access from remote computers to the computer (typically suitable for workstations, but not servers)

Benefits: Prevents a share-hopping worm from spreading

Risks: Prevents updates or patches from being installed to systems managed by pushing files. (This rule doesn’t affect the management functions of McAfee ePO)

19
Q

Remotely creating autorun files

A

Prevents other computers from making a connection and creating or changing autorun (autorun.inf) files. (Autorun files are used to automatically start program files, typically setup files from CDs)

Prevents spyware and adware distributed on CDs from being executed

20
Q

Remotely creating or modifying files or folders

A

Blocks write access to all shares.

In a typical environment, this rule is suitable for workstations, but not servers, and is only useful when computers are actively under attack

Benefits: Limits the spread of infection during an outbreak by preventing write access. The rule blocks malware that would otherwise severely limit use of the computer or network

Risks: Prevents updates or patches from being installed to systems managed by pushing files. This rule doesn't affect the management functions of McAfee ePO

21
Q

Remotely creating or modifying Portable Executable, .INI, .PIF file types, and core system locations

A

Prevents other computers from making a connection and changing executables, such as files in the Windows folder. This rule affects only file types that viruses typically infect

Benefits: Protects against fast spreading worms or viruses, which traverse a network through open or administrative shares

22
Q

Running files from common user folders

A

Blocks any executable from running or starting from any folder with “temp” in the folder name

Benefits: Protects against malware that is saved and run from the user or system temp folder. Such malware might include executable attachments in email and downloaded programs

Risks: Although this rule provides the most protection, it might block legitimate applications from being installed
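The "Registering of programs to autorun" rule and this one guard two ends of the same chain: a dropped file registers itself to start at boot, and at run time it executes from a temp folder. The PowerShell script below is an added example (not McAfee code) that enumerates the Run and RunOnce registration points, extracts the executable from each command line, and flags entries whose path contains "temp" (the same substring match this rule applies) or whose binary no longer exists. It assumes the registry locations listed in the script; Startup folders and scheduled tasks are other autorun vectors it does not cover.

```powershell
# Added example (not McAfee's own code): audits Run/RunOnce autorun registrations and
# flags entries that the temp-folder execution rule would block.
# Assumption: these are the registry autorun points to audit.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds for the provider, not real registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a command line: a quoted path, or else the first token.
function Get-CommandExecutable([string]$CommandLine) {
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    return ($cl -split '\s+')[0]
}

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $exe = Get-CommandExecutable ([string]$p.Value)
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Executable = $exe
                # Bare names (e.g. "notepad") resolve via PATH and show as not existing here.
                Exists     = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf } else { $false }
                # Same test the rule uses: "temp" anywhere in the path, so C:\Windows\Temp,
                # %LOCALAPPDATA%\Temp and also folders such as "Templates" all match.
                InTempPath = ($exe -match '(?i)temp')
            }
        }
    }
}

$entries = Get-AutorunEntry
$entries | Format-Table Name, Executable, Exists, InTempPath -AutoSize
# Entries the temp-folder rule would block at boot, or whose binary is already gone:
$entries | Where-Object { $_.InTempPath -or -not $_.Exists }
```

The "Templates" over-match is worth keeping in mind when reviewing the output: it is the same over-match the rule itself has, and it is why the rule's risk note warns about legitimate applications.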

23
Q

Running files from common user folders by common programs

A

Blocks applications from installing software from the browser or from the email client

Benefits: Prevents email attachments and executables from running on webpages

Risks: Might block legitimate processes that use the temp folder during installation