McAfee-defined Access Protection rules Flashcards
Browsers launching files from the Downloaded Program Files folder
Prevents software from installing through the web browser
Benefits: Prevents adware and spyware from installing and running executables from the downloads folder
Risks: Might block installation of legitimate software
Changing any file extension registrations
Protects the registry keys under HKEY_CLASSES_ROOT where file extensions are registered.
Benefits: Prevents malware from changing the file extension registrations to allow malware to execute silently
Risks: Might block installation of legitimate software
Changing user rights policies
Protects registry values that contain Windows security information.
Benefit: Prevents worms from changing accounts that have administrator rights
Creating new executable files in the Program Files folder
Benefit: Prevents adware and spyware from creating new .EXE and .DLL files and installing new executable files in the Program Files folder.
Risk: Might block installation of legitimate software
Creating new executable files in the Windows folder
Prevents the creation of files from any process, not just from over the network
Benefits: Prevents the creation of .EXE and .DLL files in the Windows folder
Risks: Might block legitimate software from creating these files in the Windows folder
Disabling Registry Editor and Task Manager
Protects the Windows registry entries that control the Registry Editor and Task Manager, preventing them from being disabled
Doppelganging attacks on processes
Prevents “Process Doppelganging” attacks from changing processes
Benefits: Prevents malware from loading and executing arbitrary code in the context of legitimate or trusted processes
Executing Mimikatz malware
Prevents executables named mimikatz from running, protecting against Mimikatz malware by stopping it from executing
Executing Scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders
Prevents the Windows scripting host from running VBScript and JavaScript scripts in any folder with “temp” in the folder name
Benefit: Protects against many trojans and questionable web installation mechanisms used by adware and spyware applications
Risks: Might block legitimate scripts and third-party applications from being installed or run
Executing Windows Subsystem for Linux
Prevents an administrator user from running the Windows Subsystem for Linux
Benefit: Prevents malware designed for Linux Systems from attacking Windows computers
Hijacking .EXE or other executable extensions
Protects .EXE, .BAT, and other executable registry keys under HKEY_CLASSES_ROOT
Benefit: Prevents malware from changing registry keys to run the virus when another executable runs
Installing Browser Helper Objects or Shell Extensions
Prevents Browser Helper Objects from installing on the host computer (doesn’t prevent already installed Browser Helper Objects from working)
Benefits: Prevents adware, spyware, and trojans from installing on systems
Risks: Might block legitimate applications from installing Browser Helper Objects
Installing new CLSIDs, APPIDs, and TYPELIBs
Prevents the installation or registration of new COM servers.
Benefits: Protects against adware and spyware programs that install themselves as a COM add-on to Internet Explorer or Microsoft Office applications
Risk: Might block installation of some common applications, like Adobe Flash
Modifying core Windows processes
Prevents files from being created or executed with the most commonly spoofed names (excludes authentic Windows files)
Prevents viruses and Trojans from running with the name of a Windows process
Modifying Internet Explorer Settings
Blocks processes from changing settings in Internet Explorer
Prevents start-page trojans, adware, and spyware from changing browser settings, such as changing the start page or installing favorites
Modifying network settings
Prevents processes that aren’t listed in the exclusion list from changing a system’s network settings
Benefits: Protects against Layered Service Providers that transmit data, like your browsing behavior, by capturing network traffic and sending it to third-party sites
Risks: Might block legitimate processes that need to change network settings
Registering of programs to autorun
Blocks adware, spyware, trojans, and viruses from trying to register themselves to load every time a system is restarted
Benefits: Prevents processes that aren’t on the excluded list from registering processes that execute each time a system restarts
Risks: Might block legitimate processes that need to register themselves to load at system startup
Remotely accessing local files or folders
Prevents read and write access from remote computers to the computer (typically suitable for workstations, but not servers)
Benefits: Prevents a share-hopping worm from spreading
Risks: Prevents updates or patches from being installed to systems managed by pushing files. (This rule doesn’t affect the management functions of McAfee ePO)
Remotely creating autorun files
Prevents other computers from making a connection and creating or changing autorun (autorun.inf) files. (Autorun files are used to automatically start program files, typically setup files from CDs)
Prevents spyware and adware distributed on CDs from being executed
Remotely creating or modifying files or folders
Blocks write access to all shares.
In a typical environment, this rule is suitable for workstations, but not servers, and is only useful when computers are actively under attack
Benefits: Limits the spread of infection during an outbreak by preventing write access. The rule blocks malware that would otherwise severely limit use of the computer or network
Risks: Prevents updates or patches from being installed to systems managed by pushing files. (This rule doesn’t affect the management functions of McAfee ePO)
Remotely creating or modifying Portable Executable, .INI, .PIF file types, and core system locations
Prevents other computers from making a connection and changing executables, such as files in the Windows folder. This rule affects only file types that viruses typically infect
Benefits: Protects against fast spreading worms or viruses, which traverse a network through open or administrative shares
Running files from common user folders
Blocks any executable from running or starting from any folder with “temp” in the folder name
Benefits: Protects against malware that is saved and run from the user or system temp folder. Such malware might include executable attachments in email and downloaded programs
Risks: Although this rule provides the most protection, it might block legitimate applications from being installed
Running files from common user folders by common programs
Blocks applications from installing software from the browser or from the email client
Benefits: Prevents email attachments and executables from running on webpages
Risks: Might block legitimate processes that use the temp folder during installation