
White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
“Prevent programs registering as a service”
Intention: This rule protects the registry keys and directories that viruses, spyware, and similar threats can use to load
when a user logs on or when the computer restarts. It prevents the installation of any new service by
processes not listed in the exclusions list. Installing a new service is common practice for applications such as keyloggers
and for Layered Service Providers like Adware-SAHAgent. The rule also provides some limited protection against
installation of new kernel-mode rootkits.
Risks: Enabling this rule may also block legitimate installations from registering themselves as services.
It may also block installation of device drivers for new hardware. McAfee recommends that you either
install the application before setting this rule to block, or list the installation process in the
exclusions list.
Included processes: All
Excluded processes: Installers, Windows update
ID and name in Host IPS:
3907, Access Protection—Prevent programs registering as a service.
“Prevent creation of new executable files in the Windows folder”
A common hiding tactic for adware, spyware, Trojans, and viruses is to place their files in the Windows
directory. You should add processes that have a legitimate need to place files in the Windows directory
to the exclusions list. This rule will stop the addition of executable files to the Windows folder.
Intention: Viruses and Trojans often copy themselves to the Windows directory, hoping to hide among
the list of files there with odd names. These rules prevent files from being created by any process, not just
from over the network. This rule prevents creation of .EXE and .DLL files in the Windows directory.
Risk: These rules will disable many software installers.
Included processes: All
Excluded processes: Installers, Windows update
ID and name in Host IPS:
3908, Access Protection—Prevent creation of new executable files in the Windows folder.
“Prevent creation of new executable files in the Program Files folder”
Intention: This rule prevents adware and spyware from installing new .EXE and .DLL files
in the Program Files directory. It can stop new software installations if they are not launched from
one of the excluded processes.
Risk: McAfee recommends that you either install applications prior to enabling this rule, or place the
blocked processes in the exclusion list.
ID and name in Host IPS:
3909, Access Protection—Prevent creation of new executable files in the Program Files folder.
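As an added illustration (not McAfee's rule engine and not part of the white paper), the following Python model evaluates constructed events against rules 3907, 3908 and 3909 to show how the exclusions list decides what is blocked. The folder and registry paths, the process names in the exclusions list, and the matching of subfolders are assumptions.

```python
# Simplified model of rules 3907-3909 (added example, not McAfee code).
import ntpath  # Windows path semantics on any OS
from dataclasses import dataclass

# Assumed locations: the paper only names the "Windows" and "Program Files" folders.
WINDOWS_DIR = r"C:\Windows"
PROGRAM_FILES = r"C:\Program Files"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"  # assumed protected key
# Constructed stand-ins for the paper's "Installers, Windows update" exclusions.
EXCLUDED = {"msiexec.exe", "setup.exe", "wuauclt.exe"}

@dataclass(frozen=True)
class Event:
    process: str  # image name of the acting process
    action: str   # "file_create" or "key_create"
    target: str   # file path or registry key

def under(target, root):
    """Case-insensitive 'inside root' check; '..' segments are resolved first."""
    t = ntpath.normcase(ntpath.normpath(target))
    r = ntpath.normcase(ntpath.normpath(root))
    return t.startswith(r + "\\")

def blocking_rule(ev, excluded=EXCLUDED):
    """Return the Host IPS rule ID that would block ev, or None if it is allowed."""
    if ev.process.lower() in excluded:
        return None  # excluded processes are never blocked
    if ev.action == "key_create" and under(ev.target, SERVICES_KEY):
        return 3907
    if ev.action == "file_create":
        if ntpath.splitext(ev.target)[1].lower() in (".exe", ".dll"):
            if under(ev.target, WINDOWS_DIR):
                return 3908
            if under(ev.target, PROGRAM_FILES):
                return 3909
    return None

# Constructed sample events.
SAMPLES = [
    Event("dropper.exe", "file_create", r"C:\WINDOWS\system32\svch0st.exe"),
    Event("msiexec.exe", "file_create", r"C:\Windows\System32\vendor.dll"),
    Event("vendor_install.exe", "key_create", SERVICES_KEY + r"\NewDriver"),
    Event("browser.exe", "file_create", r"C:\Program Files\Toolbar\bar.dll"),
    Event("notepad.exe", "file_create", r"C:\Windows\notes.txt"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev.process, "->", blocking_rule(ev) or "allowed")
```

The third sample is the risk the paper describes: an installer that is not in the exclusions list is blocked from registering its service until it is added.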