Professional Documents
Culture Documents
0 -
Threat Prevention Module Product
Guide (McAfee ePolicy Orchestrator)
- Windows
Introduction
Once installed, Threat Prevention immediately begins protecting your system from threats.
This software offers easy to use, scalable protection, and fast performance to protect your environment from the following:
• Viruses, worms, and trojan horses
• Access point violations
• Buffer overflow exploits
• Potentially unwanted code and programs
Security content updates are delivered automatically to target specific vulnerabilities and block emerging threats from executing.
Threat Prevention detects threats based on security content files, then acts, based on settings that you configured.
You can configure the software as a standalone product on the client system. Or, you can use McAfee ePO software to manage
and enforce policies, then use queries and dashboards to track activity and detections.
Note: For information about McAfee ePO software, see the product documentation.
2 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Component interaction
As an administrator and user, you must be familiar with the components and how they interact. The following figure shows these
components for a basic environment.
Client system
Threat Prevention, the Endpoint Security Client, and McAfee Agent are installed on the client system.
• Content files (including AMCore content, also called malware signatures, and Exploit Prevention content) — Works with the
scanning engine to identify and handle threats.
• Scan engine — Scans the files, folders, and disks on the client computer and compares the results to the known virus
information in the content files.
Note: Content files and the engine are updated as needed by downloading from McAfee or from a designated server on your
enterprise intranet.
• McAfee® Global Threat Intelligence™ (McAfee GTI) (heuristic network check for suspicious files) — Looks for suspicious
programs and DLLs running on client systems that Threat Prevention protects. When a detection occurs, the software sends a
request containing a fingerprint of the suspicious file to a central database server hosted by McAfee Labs.
• McAfee Agent — Provides secure communication between managed products and the McAfee ePO server. The agent also
provides local services such as updating, logging, reporting events and properties, task scheduling, communication, and policy
storage.
McAfee
McAfee, home to McAfee Labs and McAfee support, provides the following services:
• Content updates — Copied from a McAfee central database server (using the Product Update client task) to the Threat Prevention
clients or optional content repositories. Content update files provide protection against specific vulnerabilities and block
emerging threats (including buffer-overflow attacks) from executing.
• Engine updates — Stored on a central database server, Threat Prevention downloads engine updates as needed, keeping the
engine up to date.
• McAfee Labs (threat library) — Stores detailed information on malware and potentially unwanted programs, including how to
handle them. The McAfee GTI feature sends the fingerprint of each suspicious file to McAfee Labs for analysis and response.
Server
The optional server uses the following components to manage and update many client systems remotely:
• McAfee ePO — Manages and enforces Threat Prevention policies from a central location and provides queries and dashboards
to track activity and detections.
• Content repository — Retrieves the content updates from the McAfee download site. From the repository, content files can be
copied automatically to all other computers in your organization. Using a content repository minimizes bandwidth.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 3
Using Threat Prevention features to protect your system
Protecting your client systems from viruses, worms, and trojans requires defining threat prevention and detection policies,
responding to threats, and ongoing analyzing and tuning.
4 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
McAfee ePO features leveraged by Threat Prevention
Threat Prevention leverages these features in the McAfee ePO environment.
Automatic Responses Adds Threat Prevention events for which you can configure automatic responses.
Client tasks Adds predefined client tasks to the Client Task Catalog that you can use to automate management
and maintenance on client systems.
Dashboards and Adds predefined dashboards and monitors that you can use to track activity in your environment.
monitors
Permission sets Adds the Threat Prevention permission group to each permission set.
Server tasks Leverages McAfee ePO server tasks in the Server Tasks list in Automation.
Threat Event Log Adds Threat Prevention events that you can filter and view.
Automatic Responses Automatic Responses, Event Notifications, plus any feature-specific permissions depending on the
feature used (such as System Tree or queries).
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 5
Feature Required permissions
Threat Event Log Systems, System Tree access, Threat Event Log
For information about managing permission sets, see the McAfee ePO Help.
Custom On-Demand Scan Examines all parts of the managed computer for potential threats, at times that don't
interfere with your work.
Policy-Based On-Demand Scan Runs the preconfigured Quick Scan and Full Scan on-demand scans from McAfee ePO.
Configure the behavior of these scans in the policy settings for On-Demand Scan.
Roll Back AMCore Content Removes specified version numbers of the AMCore content files from client systems.
Threat Prevention leverages the following predefined McAfee Agent client tasks.
Product Update Updates content files, engines, and all McAfee products automatically.
Mirror Repositories Replicates the updated content and engine files from the first accessible repository to a
mirror site on your network.
For information about using distributed repositories to keep your security software up
to date, see the McAfee ePO Best Practices Guide.
Depending on your permissions, you can use predefined client tasks as is, edit them, or create new client tasks using McAfee
ePO.
For information about client tasks and the Client Task Catalog, see the McAfee ePO Help.
What to do first
Once installed, Threat Prevention uses the content files packaged with the product to provide general security for your
environment. McAfee recommends that you download the latest content files and customize the configuration to meet your
requirements before deploying to client systems.
Take these actions immediately after installation:
Task
1. Set user interface security — Configure the access options and password to prevent users from accessing specific
components or the whole Endpoint Security Client interface.
6 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Configure Endpoint Security Client interface security settings in the Common module Options policy.
2. Configure logging on the client — Specify the location of log files for Endpoint Security features. Select which client events to
forward to McAfee Agent and whether to log events to the Windows Application log.
Tip: Best practice: Enable debug logging for at least the first 24 hours during testing and pilot phases. If no issues occur
during this time, disable debug logging to avoid performance impact on client systems.
Configure Endpoint Security logging in the Common module Options policy.
3. Confirm engine and content files — Verify that client systems have the latest engine and content files installed using
Endpoint Security Client or McAfee ePO.
See the help for the Endpoint Security Common module.
4. Prevent intrusions — Configure these features to prevent potential threats from accessing your systems:
a. Protect system access points — Configure Access Protection rules to prevent unwanted changes to commonly used files
and settings.
b. Configure protection against buffer overflow exploits — Make sure that Exploit Prevention is enabled and specify
reactions to signatures and exclusions.
5. Configure common scan options — Specify options that apply to both on-access and on-demand scanners, including:
◦ Quarantine location and the number of days to keep quarantined items before automatically deleting them
◦ Detection names to exclude from scans
◦ Potentially unwanted programs, such as spyware and adware, to detect
6. Configure on-access scan settings — Configure the scanner to detect and act on potential threats as files are accessed in
your environment. Enable detection of potentially unwanted programs.
7. Configure regular on-demand scans — Configure Custom On-Demand Scan client tasks to perform regular on-demand scans,
including:
◦ Daily memory scans
◦ Weekly or daily scans of active user locations, such as user profile folder, Temp folder, registry entries, registered files, and
Windows folder
8. Configure engine and content file updates — Configure a McAfee Agent Product Update client task to make sure that you have
the most current content files, engine, and product upgrades.
See the help for the Endpoint Security Common module.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 7
Configuring Threat Prevention
Configure Threat Prevention settings to prevent threat access, keep your protection up to date, and scan for threats on client
systems.
Category Description
Access Protection Prevents unwanted changes to the managed computer by restricting access to specified
files, shares, registry keys, registry values, processes, and services.
Exploit Prevention Prevents applications from executing arbitrary code on the managed computer.
On-Access Scan Specifies settings that apply to scheduled scanning of all processes, including maximum
scan time and threat-detection message configuration.
On-Demand Scan Configures the on-demand scan settings for the preconfigured scans that run on the
client system, including:
• Full Scan and Quick Scan from the Endpoint Security Client
• Right-Click Scan on the client system
• Custom On-Demand Scan client tasks, scheduled from McAfee ePO
Options Configures the settings that apply to both the on-access scanner and on-demand
scanner.
Policy Description
McAfee Default Defines the default policy that takes effect if no other policy is applied. You can
duplicate, but not delete or change, this policy.
On-Access Scan for Exchange Defines an on-access scan policy with exclusions for Microsoft Exchange Server. This
policy isn't applied until you assigned it to systems. For information, see KnowledgeBase
article KB51471.
You can use predefined policies as is, edit the My Default predefined policies, or create new policies.
For information about policies and the Policy Catalog, see the McAfee ePO Help.
8 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
User-based policies (Windows only)
User-based polices (UBP) enable policies to be defined and enforced using McAfee ePO policy assignment rules with an LDAP
server. These assignment rules are enforced on the client system for the user at log-on, regardless of the McAfee ePO group.
User-based polices are enforced when a user with a matching assignment rule logs on to the client system on the console.
System-based polices (SBP) are enforced when two or more users are logged on to a system. Policy assignment rules take
precedence over polices defined in the System Tree.
The user policy supersedes the system policy. All system policies apply and any user-based policy overrides the system policy.
Policy assignment rules are enforced only if the user logs on as the interactive user. The system policy, rather than the user policy,
is enforced if the user logs on:
• With a runas command
• To a remote desktop or terminal service where the user's logon is not set to interactive
For more information about user-based policies and policy assignment rules, see the McAfee ePO Help.
Comparing policies
You can compare all policy settings for the module using the Policy Comparison feature in McAfee ePO. For information, see the
McAfee ePO Help.
Configuring exclusions
Threat Prevention enables you to fine-tune your protection by specifying items to exclude.
For example, you might need to exclude some file types to prevent a scanner from locking a file used by a database or server. A
locked file can cause the database or server to fail or generate errors.
Tip: Best practice: To improve performance of on-access and on-demand scans, use scan avoidance techniques rather than
adding file and folder exclusions.
Exclusions in exclusion lists are mutually exclusive. Each exclusion is evaluated separately from the others in the list.
Note: To exclude a folder on Windows systems, append a backslash (\) character to the path.To exclude a folder on Mac or Linux
systems, append a slash (/) character to the path.
Access Processes (for all rules or Access Protection Process file name or path, All except
Protection a specified rule) MD5 hash, or signer MD5
hash
Exploit Processes Exploit Prevention Process file name or path, All except
Prevention MD5 hash, or signer MD5
hash
Caller modules Caller module file name or
path, MD5 hash, or signer
Signatures Signature ID No
All scans Detection names Threat Prevention Options Detection name (case- Yes
sensitive)
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 9
For this Use
feature... Specify items to exclude Where to configure Exclude items by wildcards?
On-access scan Files, file types, and On-Access Scan File name or folder, file type, Yes
• Default folders or file age
• High Risk
ScriptScan URLs URL name No
• Low Risk
On-demand Files, folders, and drives On-Demand Scan File name or folder, file type, Yes
scan or file age
• Quick Scan
• Full Scan
• Right-Click Scan
Custom on- Files, folders, and drives Custom On-Demand Scan client task File name or folder, file type, Yes
demand scan or file age
Wildcards in exclusions
You can use wildcards to represent characters in exclusions for files, folders, detection names, and potentially unwanted
programs.
Wildcard
characterName Represents
Note: Wildcards can appear in front of a backslash (\) in a path. For example, C:\ABC\*\XYZ matches C:\ABC\DEF\XYZ.
Root-level exclusions
Threat Prevention requires an absolute path for root-level exclusions. This means that you can't use leading \ or ?:\ wildcard
characters to match drive names at the root level.
Important: This behavior differs from VirusScan Enterprise. See the McAfee Endpoint Security Migration Guide.
With Threat Prevention, you can use leading **\ wildcard characters in root-level exclusions to match drives and subfolders. For
example, **\test matches the following:
C:\test
D:\test
C:\temp\test
10 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
D:\foo\test
Executable files Seemingly benign programs can include viruses with the expected program. Some common
file extensions are .EXE, .COM, .VBS, .BAT, .HLP and .DLL.
Scripts Associated with webpages and email, scripts such as ActiveX and JavaScript, if allowed to
run, can include viruses.
Internet Relay Chat (IRC) Files sent with these messages can easily contain malware as part of the message. For
messages example, automatic startup processes can contain worms and trojan threats.
Browser and application Help Downloading these Help files exposes the system to embedded viruses and executables.
files
Email Jokes, games, and images as part of email messages with attachments.
Combinations of all these Sophisticated malware creators combine all these delivery methods and even embed one
access points piece of malware within another to try to access the managed computer.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 11
Example of an access threat
1. A user downloads a legitimate program (not malware), MyProgram.exe, from the Internet.
2. The user launches MyProgram.exe and the program seems to launch as expected.
3. MyProgram.exe launches a child process called AnnoyMe.exe.
4. AnnoyMe.exe attempts to modify the operating system to make sure that AnnoyMe.exe always loads on startup.
5. Access Protection processes the request and matches the action against an existing block and report rule.
6. Access Protection prevents AnnoyMe.exe from modifying the operating system and logs the details of the attempt. Access
Protection also generates and sends an alert to the management server.
McAfee-defined rules • These rules prevent modification of commonly used files and settings.
• You can enable, disable, and change the configuration of McAfee-defined rules, but you
can't delete these rules.
User-defined rules • These rules supplement the protection provided by McAfee-defined rules.
• An empty Executables table indicates that the rule applies to all executables.
• An empty User Names table indicates that the rule applies to all users.
• You can add and delete, as well as enable, disable, and change the configuration of
these rules.
Exclusions
At the rule level, exclusions and inclusions apply to the specified rule. At the policy level, exclusions apply to all rules. Exclusions
are optional.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Access Protection.
3. Click the name of an editable policy.
4. Click Show Advanced.
12 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
5. Modify the rule:
a. In the Rules section, select Block, Report, or both for the rule.
◦ To select or deselect all rules under Block or Report, click Block All or Report All.
◦ To disable the rule, deselect both Block and Report.
b. In the Rules section, select the rule, then click Edit.
c. On the Rule page, configure rule options.
d. In the Executables section, click Add, configure executable properties, then click Save twice to save the rule.
6. Click Save.
Browsers launching files from the Downloaded Program Files Prevents software from installing through the web browser.
folder Because this rule might also block the installation of legitimate
software, install the application before enabling this rule or add the
installation process as an exclusion.
This rule is set to Report by default.
This rule prevents adware and spyware from installing and running
executables from this folder.
Changing any file extension registrations Protects the registry keys under HKEY_CLASSES_ROOT where file
extensions are registered.
This rule prevents malware from changing the file extension
registrations to allow malware to execute silently.
Tip: Best practice: Disable this rule when installing valid applications
that change file extension registrations in the registry.
This rule is a more restrictive alternative to Hijacking .EXE and other
executable extensions.
Changing user rights policies Protects registry values that contain Windows security information.
This rule prevents worms from changing accounts that have
administrator rights.
Creating new executable files in the Program Files folder Prevents the creation new executable files in the Program Files folder.
This rule prevents adware and spyware from creating new .EXE
and .DLL files and installing new executable files in the Program Files
folder.
Tip: Best practice: Install applications before enabling this rule, or
place the blocked processes in the exclusion list.
Creating new executable files in the Windows folder Prevents the creation of files from any process, not just from over the
network.
This rule prevents the creation of .EXE and .DLL files in the Windows
folder.
Tip: Best practice: Add processes that must place files in the Windows
folder to the exclusion list.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 13
McAfee-defined rule Description
Disabling Registry Editor and Task Manager Protects Windows registry entries, preventing disabling the registry
editor and Task Manager.
Note: In an outbreak, disable this rule to be able to change the registry,
or open Task Manager to stop active processes.
Executing scripts by Windows script host (CScript.exe or Prevents the Windows scripting host from running VBScript and
Wscript.exe) from common user folders JavaScript scripts in any folder with "temp" in the folder name.
This rule protects against many trojans and questionable web
installation mechanisms used by adware and spyware applications.
This rule might block legitimate scripts and third-party applications
from being installed or run.
Hijacking .EXE or other executable extensions Protects .EXE, .BAT, and other executable registry keys under
HKEY_CLASSES_ROOT.
This rule prevents malware from changing registry keys to run the virus
when another executable runs.
This rule is a less restrictive alternative to Changing any file extension
registrations.
Installing Browser Helper Objects or Shell Extensions Prevents adware, spyware, and trojans that install as Browser Helper
Objects from installing on to the host computer.
This rule prevents adware and spyware from installing on systems.
Tip: Best practice: Allow legitimate custom or third-party applications
to install these objects by adding them to the exclusion list. After
installation, you can re-enable the rule because it doesn't prevent
installed Browser Helper Objects from working.
Installing new CLSIDs, APPIDs, and TYPELIBs Prevents the installation or registration of new COM servers.
This rule protects against adware and spyware programs that install
themselves as a COM add-on Internet Explorer or Microsoft Office
applications.
Tip: Best practice: Allow legitimate applications that register COM add-
ons, including some common applications like Adobe Flash by adding
them to the exclusion list.
Modifying core Windows processes Prevents files from being created or executed with the most commonly
spoofed names.
This rule prevents viruses and trojans from running with the name of a
Windows process. This rule excludes authentic Windows files.
Modifying Internet Explorer settings Blocks processes from changing settings in Internet Explorer.
This rule prevents start-page trojans, adware, and spyware from
changing browser settings, such as changing the start page or installing
favorites.
Modifying network settings Prevents processes that aren't listed in the exclusion list from changing
a system's network settings.
This rule protects against Layered Service Providers that transmit data,
like your browsing behavior, by capturing network traffic and sending it
to third-party sites.
Tip: Best practice: Add processes that must change network settings
to the exclusion list or disable the rule while changes are made.
14 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
McAfee-defined rule Description
Registering of programs to autorun Blocks adware, spyware, trojans, and viruses from trying to register
themselves to load every time a system is restarted.
This rule prevents processes that aren't on the excluded list from
registering processes that execute each time a system restarts.
Tip: Best practice: Add legitimate applications to the exclusion list, or
install them before this rule is enabled.
Remotely accessing local files or folders Prevents read and write access from remote computers to the
computer.
This rule prevents a share-hopping worm from spreading.
In a typical environment, this rule is suitable for workstations, but not
servers, and is only useful when computers are actively under attack.
If a computer is managed by pushing files to it, this rule prevents
updates or patches from being installed. This rule doesn't affect the
management functions of McAfee ePO.
Remotely creating autorun files Prevents other computers from making a connection and creating or
changing autorun (autorun.inf) files.
Autorun files are used to automatically start program files, typically
setup files from CDs.
This rule prevents spyware and adware distributed on CDs from being
executed.
This rule is selected to Block and Report by default.
Remotely creating or modifying files or folders Blocks write access to all shares.
This rule is useful in an outbreak by preventing write access to limit the
spread of infection. The rule blocks malware that would otherwise
severely limit use of the computer or network.
In a typical environment, this rule is suitable for workstations, but not
servers, and is only useful when computers are actively under attack.
If a computer is managed by pushing files to it, this rule prevents
updates or patches from being installed. This rule doesn't affect the
management functions of McAfee ePO.
Remotely creating or modifying Portable Executable, .INI, .PIF file Prevents other computers from making a connection and changing
types, and core system locations executables, such as files in the Windows folder. This rule affects only
file types that viruses typically infect.
This rule protects against fast spreading worms or viruses, which
traverse a network through open or administrative shares.
Running files from common user folders Blocks any executable from running or starting from any folder with
"temp" in the folder name.
This rule protects against malware that is saved and run from the user
or system temp folder. Such malware might include executable
attachments in email and downloaded programs.
Although this rule provides the most protection, it might block
legitimate applications from being installed.
Running files from common user folders by common programs Blocks applications from installing software from the browser or from
the email client.
This rule prevents email attachments and executables from running on
webpages.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 15
McAfee-defined rule Description
Tip: Best practice: To install an application that uses the Temp folder,
add the process to the exclusion list.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Access Protection.
3. Click the name of an editable policy.
4. Click Show Advanced.
5. Create the rule: In the Rules section, click Add.
On the Rule page, configure rule options.
a. In the Executables section, click Add, configure executable properties, then click Save.
An empty Executables table indicates that the rule applies to all executables.
b. In the User Names section, click Add, configure user name properties, then click Save.
An empty User Names table indicates that the rule applies to all users.
c. In the Subrules section, click Add, then configure subrule properties.
Tip: Best practice: To avoid impacting performance, don't select the Read operation.
In the Targets section, click Add, configure target information, then click Save three times.
6. In the Rules section, select Block, Report, or both for the rule.
◦ To select or deselect all rules under Block or Report, click Block All or Report All.
◦ To disable the rule, deselect both Block and Report.
7. Click Save.
16 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
When evaluating a system event against a subrule, the subrule evaluates to true if:
• At least one Include evaluates to true.
and
• All Excludes evaluate to false.
Exclude takes precedence over Include. Here are examples:
• If a single subrule both includes and excludes a file C:\marketing\jjohns, the subrule does not trigger for that file.
• If a subrule includes all files but excludes the file C:\marketing\jjohns, the subrule triggers if the file is not C:\marketing\jjohns.
• If a subrule includes file C:\marketing\* but excludes C:\marketing\jjohns, the subrule triggers for C:\marketing\anyone, but
doesn't trigger for C:\marketing\jjohns.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Access Protection.
3. Click the name of an editable policy.
4. Click Show Advanced.
5. Verify that Access Protection is enabled.
6. Perform one of the following:
To... Do this...
Exclude 1. In the Exclusions section, click Add to add processes to exclude from all rules.
processes from 2. On the Exclusion page, configure the executable properties.
all rules. 3. Click Save twice to save the policy settings.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 17
Blocking buffer overflow exploits
Exploit Prevention stops exploited buffer overflows from executing arbitrary code. This feature monitors user-mode API calls and
recognizes when they are called as a result of a buffer overflow.
When a detection occurs, information is recorded in the activity log, displayed on the client system, and sent to the management
server, if configured.
Threat Prevention uses the Exploit Prevention content file to protect applications such as Microsoft Internet Explorer, Microsoft
Outlook, Outlook Express, Microsoft Word, and MSN Messenger.
Note: Host Intrusion Prevention 8.0 can be installed on the same system as Endpoint Security version 10.5. If McAfee Host IPS is
enabled, Exploit Prevention is disabled even if enabled in the policy settings.
18 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Signatures protect specific applications, which are defined in the Application Protection Rules list. When an attack is detected, Exploit
Prevention can stop the behavior initiated by the attack.
When the Exploit Prevention content file is updated, the list of signatures is updated if needed.
You can change the action settings of these signatures, but you can't add, delete, or otherwise change these signatures. To
protect specific files, shares, registry keys, registry values, processes, and services, create custom Access Protection rules.
Actions
An action is what the Exploit Prevention does when a signature is triggered.
• Block — Prevents the operation.
• Report — Allows the operation and reports the event.
If neither are selected, the signature is disabled — Exploit Prevention allows the operation and doesn't report the event.
The Exploit Prevention content file automatically sets the action for signatures depending on severity level. You can change the
action for a specific signature in the Signatures section of the Exploit Prevention settings. Any changes you make to the signature
actions persist through content updates.
Behavioral rules
Behavioral rules block zero-day attacks and enforce proper operating system and application behavior. Heuristic behavioral rules
define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response. For
example, a behavioral rule might state that only a web server process can access HTML files. If any other process tries to access
HTML files, Exploit Prevention takes the specified action. This type of protection, called application shielding and enveloping,
prevents applications and their data from being compromised and prevents applications from being used to attack other
applications.
Behavioral rules also block buffer overflow exploits, preventing code execution that results from a buffer overflow attack, one of
the most common methods of attack.
Severity levels
Each signature has a default severity level, which describes the potential danger of an attack.
• High — Signatures that protect against clearly identifiable security threats or malicious actions. Most of these signatures are
specific to well-identified exploits and are mostly non-behavioral in nature.
Caution: To prevent exposing systems to exploit attacks, set signatures with a severity of High to Block on every host.
• Medium — Signatures that are behavioral in nature and prevent applications from operating outside of their environment
(relevant for clients protecting web servers and Microsoft SQL Server 2000).
Tip: Best practice: On critical servers, set signatures with a severity of Medium to Block after fine-tuning.
• Low — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system
resources so that they can't be changed.
Setting signatures with a severity of Low to Block increases the security of the system, but requires additional tuning.
• Informational — Indicates a change to the system configuration that might create a benign security risk or an attempt to access
sensitive system information. Events at this level occur during normal system activity and generally aren't evidence of an attack.
• Disabled — Lists signatures that are disabled in the Exploit Prevention content file.
Note: You can't enable signatures with a severity of Disabled.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 19
To keep protection current, updates to Exploit Prevention content replace the McAfee-defined application protection rules in the
Exploit Prevention settings with the latest application protection rules.
You can enable, disable, delete, and change the inclusion status of McAfee-defined application protection rules. In addition, you
can create and duplicate your own application protection rules. Any changes you make to these rules persist through content
updates.
If the list includes conflicting application protection rules, rules with the Inclusion Status of Exclude take precedence over Include.
Note: Endpoint Security Client displays the complete list of protected applications, not just the applications currently running on
the client system. This behavior is different from McAfee Host IPS.
For managed systems, application protection rules created in the Endpoint Security Client are not sent to McAfee ePO and might
be overwritten when the administrator deploys an updated policy.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Exploit Prevention.
3. Click the name of an editable policy.
4. Click Show Advanced.
5. Configure settings on the page, then click Save.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Exploit Prevention.
3. Click the name of an editable policy.
4. Click Show Advanced.
5. Verify that Exploit Prevention is enabled.
6. Perform one of the following:
To... Do this...
20 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
To... Do this...
1. Specify custom unwanted programs for the on-access and on-demand scanners to detect in the Options policy settings.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 21
2. Enable unwanted program detection and specify actions to take when detections occur in these settings:
◦ On-Access Scan policy settings
◦ On-Demand Scan policy settings
◦ Custom On-Demand Scan client task settings
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Options.
3. Click the name of an editable policy.
4. Click Show Advanced.
5. From Potentially Unwanted Program Detections:
◦ Click Add to specify the name and optional description of a file or program to treat as a potentially unwanted program.
Note: The Description appears as the detection name when a detection occurs.
◦ Select an existing potentially unwanted program, then click Edit to modify the name or description, or click Delete to remove it
from the list.
◦ Click Delete All to remove all custom potentially unwanted programs from the list.
Task
1. Configure On-Access Scan policy settings.
a. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
b. From the Category list, select On-Access Scan.
c. Click the name of an editable policy.
d. Under Process Settings, for each On-Access Scan type, select Detect unwanted programs.
e. Under Actions, configure responses to unwanted programs.
2. Configure On-Demand Scan policy settings.
a. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
b. From the Category list, select On-Demand Scan.
c. Click the name of an editable policy.
d. For each scan type (Full Scan, Quick Scan, and Right-Click Scan):
◦ Select Detect unwanted programs.
◦ Under Actions, configure responses to unwanted programs.
3. Configure Custom On-Demand Scan client task settings.
a. Select Menu → Policy → Client Task Catalog.
b. Select Endpoint Security Threat Prevention 10.0.
22 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
c. Click New Task.
d. From Task Types, select Custom On-Demand Scan.
e. Under Scan Options, select Detect unwanted programs.
f. Under Actions, configure responses to unwanted programs.
Types of scans
Endpoint Security provides two types of scans: on-access scans and on-demand scans.
• On-access scan — The administrator configures on-access scans to run on managed computers.
Whenever files, folders, and programs are accessed, the on-access scanner intercepts the operation and scans the item, based
on criteria defined in the settings.
To configure on-access scans, use the On-Access Scan policy settings.
• On-demand scan
Manual The administrator (or user, for self-managed systems) configures predefined or custom on-demand scans
that users can run on managed computers.
◦ Run a predefined on-demand scan at any time from the Endpoint Security Client by clicking
, then selecting a scan type:
Quick Scan runs a quick check of the areas of the system most susceptible to infection.
Full Scan performs a thorough check of all areas of the system. (Recommended if you suspect the
computer is infected.)
Configure the behavior of these scans in the policy settings for On-Demand Scan.
◦ Scan an individual file or folder at any time from Windows Explorer by right-clicking the file or
folder and selecting Scan for threats from the pop-up menu.
To configure the Right-Click Scan behavior, use the On-Demand Scan policy settings.
◦ Configure and run a custom on-demand scan as administrator from the Endpoint Security Client:
◦ Select Settings → Common → Tasks.
◦ Select the task to run.
◦ Click Run Now.
Scheduled The administrator (or user, for self-managed systems) configures and schedules on-demand scans to run
on computers.
When a scheduled on-demand scan is about to start, Endpoint Security displays a scan prompt at the
bottom of the screen. You can start the scan immediately or defer the scan, if configured.
To configure and schedule on-demand scans, use these client task settings:
◦ Custom On-Demand Scan — Configures and schedules custom on-demand scans, such as daily
memory scans.
◦ Policy-Based On-Demand Scan — Schedules the predefined Quick Scan and Full Scan on-demand scans.
Configure the behavior of these scans in the policy settings for On-Demand Scan.
The Options policy includes settings that apply to all scan types.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 23
How McAfee GTI works
If you enable McAfee GTI for the on-access or on-demand scanner, the scanner uses heuristics to check for suspicious files.
The scanner submits fingerprints of samples, or hashes, to a central database server hosted by McAfee Labs to determine if they
are malware. By submitting hashes, detection might be made available sooner than the next content file update, when McAfee
Labs publishes the update.
You can configure the sensitivity level that McAfee GTI uses when it determines if a detected sample is malware. The higher the
sensitivity level, the higher the number of malware detections. But, allowing more detections can result in more false positive
results. The McAfee GTI sensitivity level is set to Medium by default. Configure the sensitivity level for each scanner in the On-Access
Scan and On-Demand Scan settings.
You can configure Endpoint Security to use a proxy server for retrieving McAfee GTI reputation information in the Common
settings.
For frequently asked questions about McAfee GTI, see KB53735.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Options.
3. Click the name of an editable policy.
4. Configure settings on the page, then click Save.
24 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
When writing to disk ("Write scan")
Caution: The Write scan option doesn't prevent access to files, either before or after scanning, and so can leave your system
vulnerable to attack.
When you select Write scan, the scanner examines the file only after it has been written to disk and closed. A process can
perform a Read, Open, or Execute operation on the file before the scanner can perform a Write scan, potentially resulting in
infection. Applications might also encounter SHARING_VIOLATION errors if they access the file again after writing it, while a Write
scan is in progress.
The on-access scanner examines when files are:
• Created or changed on the local hard drive.
• Copied or moved from a mapped drive to the local hard drive (if the On network drives option is also enabled).
• Copied or moved from the local hard drive to a mapped drive (if the On network drives option is also enabled).
Read scan
When Read scan is selected and an attempt is made to read, open, or execute a file:
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 25
For example, if the action is to clean the file, the scanner:
◦ Uses information in the currently loaded AMCore content file to clean the file.
◦ Records the results in the activity log.
◦ Notifies the user that it detected a threat in the file, and prompts for the action to take (clean or delete the file).
Write scan
Note: The scanner examines the file only after it is written to disk and closed.
When Write scan is selected and a file is written to disk:
26 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Choose performance options
Some scan options can negatively affect system performance. For this reason, select these options only if you need to scan
specific items. Select or deselect these options in the On-Access Scan settings.
• Scan processes on service startup and content update — Rescans all processes that are currently in memory each time:
◦ You re-enable on-access scans.
◦ Content files are updated.
◦ The system starts.
◦ The McShield.exe process starts.
Because some programs or executables start automatically when you start your system, deselect this option to improve system
startup time.
• Scan trusted installers — Scans MSI files (installed by msiexec.exe and signed by McAfee or Microsoft) or Windows Trusted Installer
service files.
Deselect this option to improve the performance of large Microsoft application installers.
About ScriptScan
ScriptScan is a Browser Helper Object that examines JavaScript and VBScript code for malicious scripts before they execute. If the
script is clean, it passes to JavaScript or VBScript for handling. If ScriptScan detects a malicious script, it blocks the script from
executing.
Note: ScriptScan examines scripts for Internet Explorer only. It doesn't look at scripts system-wide and doesn't examine scripts
run by wscript.exe or cscript.exe.
When Threat Prevention is installed, the first time that Internet Explorer starts, a prompt to enable one or more McAfee add-ons
appears. For ScriptScan to scan scripts:
• The Enable ScriptScan setting must be selected. ScriptScan is disabled by default.
• The add-on must be enabled in the browser.
Caution: If ScriptScan is disabled when Internet Explorer is launched and then is enabled, it doesn't detect malicious scripts in
that instance of Internet Explorer. You must restart Internet Explorer after enabling ScriptScan for it to detect malicious scripts.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 27
• If the script is clean, the script scanner passes the script to the native Windows Script Host.
• If the script contains a potential threat, the script scanner prevents the script from executing.
28 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Configure On-Access Scan policy settings
These settings enable and configure on-access scanning, which includes specifying messages to send when a threat is detected
and different settings based on process type.
Note: See the Help for the Threat Prevention Options settings for more scan configuration options.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select On-Access Scan.
3. Click the name of an editable policy.
4. Click Show Advanced.
5. Select Enable On-Access Scan to enable the on-access scanner and modify options.
6. Specify whether to use Standard settings for all processes, or different settings for high-risk and low-risk processes.
◦ Standard settings — Configure the scan settings on the Standard tab.
◦ Different settings based on process type — Select the tab (Standard, High Risk, or Low Risk) and configure the scan settings for
each process type.
7. Configure settings on the page, then click Save.
1. The on-demand scanner uses the following criteria to determine if the item must be scanned:
◦ The file extension matches the configuration.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 29
◦ The file hasn't been cached, excluded, or previously scanned (if the scanner uses the scan cache).
Note: If you configure McAfee GTI, the scanner uses heuristics to check for suspicious files.
2. If the file meets the scanning criteria, the scanner compares the information in the item to the known malware signatures in
the currently loaded AMCore content files.
◦ If the file is clean, the result is cached, and the scanner checks the next item.
◦ If the file contains a threat, the scanner takes the configured action.
For example, if the action is to clean the file, the scanner:
◦ Uses information in the currently loaded AMCore content file to clean the file.
◦ Records the results in the activity log.
◦ Notifies the user that it detected a threat in the file, and includes the item name and the action taken.
Windows 8 and 10 — If the scanner detects a threat in the path of an installed Windows Store app, the scanner marks it as
tampered. Windows adds the tampered flag to the tile for the app. When you attempt to run it, Windows notifies you of the
problem and directs you to the Windows Store to reinstall.
3. If the item doesn't meet the scanning requirements, the scanner doesn't check it. Instead, the scanner continues until all data
is scanned.
The on-demand scan detection list is cleared when the next on-demand scan starts.
Threat Prevention flushes the global scan cache and rescans all files when an Extra.DAT is loaded.
30 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
on-demand scanner never runs. To work around this issue, users can start McTray (in C:\Program Files\McAfee\Agent\mctray.exe,
by default) manually when they log on using RDP.
Select Scan only when the system is idle in the Performance section of the Custom On-Demand Scan client task settings.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 31
Setting the system utilization for the scan to Low provides improved performance for other running applications. The low setting
is useful for systems with end-user activity. Conversely, by setting the system utilization to Normal, the scan completes faster. The
normal setting is useful for systems that have large volumes and little end-user activity.
Note: Each task runs independently, unaware of the limits for other tasks.
Below normal Sets the system utilization for the scan to the Below normal
McAfee ePO default value.
Normal (Default) Enables the scan to complete faster. Select this Normal
option for systems that have large volumes and
little end-user activity.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select On-Demand Scan.
3. Click the name of an editable policy.
4. Click a tab to configure settings for the specified scan.
◦ Full Scan
◦ Quick Scan
◦ Right-Click Scan
5. Configure settings on the page, then click Save.
32 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Run Full Scan and Quick Scan client tasks from McAfee ePO
To run a predefined Full Scan or Quick Scan from McAfee ePO, assign a Policy-Based On-Demand Scan client task to computers in the
System Tree.
Configure the behavior of these scans in the policy settings for On-Demand Scan.
Task
1. (Optional) Configure the behavior for the scan in the On-Demand Scan policy settings.
2. Select Menu → Policy → Client Task Catalog.
3. From Client Task Types, select Endpoint Security Threat Prevention → Policy Based On-Demand Scan.
4. Under Actions for the scan type, click the Assign link, specify the computers to assign the task to, then click OK.
5. Click 2 Schedule to schedule the task, then click Save.
See McAfee ePO Help for schedule information and the Client Task Assignment Builder.
Task
1. Open the Endpoint Security Client.
2. From the Action menu , select Settings.
3. Click Show Advanced.
4. From Common, click Tasks.
5. Configure scan task settings on the page.
Change a scan task. ◦ Double-click the task, make your changes, then click OK to save the task.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 33
To... Follow these steps
By default, the Full Scan is scheduled to run every Wednesday at 12 midnight. The Quick Scan is
scheduled to run every day at 7 p.m. The schedules are enabled.
Run a scan task. ◦ Select the task, then click Run Now.
If the task is already running, including paused or deferred, the button changes to View.
If you run a task before applying changes, Endpoint Security Client prompts you to save the settings.
Task
1. Select Menu → Policy → Client Task Catalog.
2. From Client Task Types, select Endpoint Security Threat Prevention → Custom On-Demand Scan.
3. Click the name of an existing client task or click New Task.
4. Make sure that Custom On-Demand Scan is selected, then click OK.
5. Configure the settings and click Save.
6. Under Actions, click the Assign link, specify the computers to assign the task to, then click OK.
7. Click 2 Schedule to schedule the task, then click Save.
See McAfee ePO Help for schedule information and the Client Task Assignment Builder.
34 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Scanning active user workstations
Because some locations on active user workstations are often targets of malware attacks, McAfee recommends that you scan
these workstations more frequently than other systems. Because the locations are limited, the scans are less likely to affect
users.
To scan active user workstations, configure a Custom On-Demand Scan:
Note: To improve system performance during on-demand scans of All local drives, set System utilization to Below Normal or Low.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 35
Managing Threat Prevention
Manage Threat Prevention by responding to threat detections, managing quarantined items, and periodically analyzing your
protection.
Task
1. Select Menu → Policy → Client Task Catalog.
2. From Client Task Types, select Endpoint Security Threat Prevention → Remove AMCore Content.
3. Click the name of an existing client task or click New Task.
4. Make sure that Roll Back AMCore Content is selected, then click OK.
5. Configure the settings and click Save.
6. Under Actions, click the Assign link, specify the computers to assign the task to, then click OK.
7. Click 2 Schedule to schedule the task, then click Save.
See McAfee ePO Help for schedule information and the Client Task Assignment Builder.
Task
1. Open the Endpoint Security Client.
2. From the Action menu , select Roll Back AMCore Content.
3. From the drop-down, select the version to load.
4. Click Apply.
Results
The detections in the loaded AMCore content file take effect immediately.
36 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Use Extra.DAT files
You can install an Extra.DAT file to protect client systems against a major malware outbreak until the next scheduled AMCore
content update is released.
Task
1. Click the download link, specify a location to save the Extra.DAT file, then click Save.
2. If necessary, unzip the EXTRA.ZIP file.
3. Deploy the Extra.DAT file with McAfee ePO or directly to a standalone client system with Endpoint Security Client.
Task
1. Select Menu → Software → Master Repository.
2. Select Actions → Check in Packages.
3. Select Extra DAT (.DAT), browse to the location where you downloaded the file, then click Open.
4. Confirm your selection, then click Next.
The Master Repository page displays the new content package in the Name column.
5. Replicate the Extra.DAT file to mirror sites, if applicable. Run a McAfee Agent Mirror Repositories client task.
Tip: Best practice: When you finish using the Extra.DAT file, remove it from the Master Repository and run a Mirror Repositories client
task to remove it from distributed repositories. Removing the Extra.DAT file prevents Threat Prevention clients from
downloading it during an update. By default, detection for the new threat in the Extra.DAT file is ignored once the new
detection definition is added to the daily content files.
6. Deploy the Extra.DAT file to client systems using a McAfee Agent Product Update client task.
7. Send an agent wake-up call to update the client systems with the Extra.DAT file.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 37
Load an Extra.DAT file on a standalone client system
To install the downloaded Extra.DAT file on a standalone client system, use Endpoint Security Client.
Task
1. Open the Endpoint Security Client.
2. From the Action menu , select Load Extra.DAT.
3. Click Browse, navigate to the location where you downloaded the Extra.DAT file, then click Open.
4. Click Apply.
Results
The new detections in the Extra.DAT take effect immediately.
Responding to detections
When a threat occurs, the Threat Prevention configuration determines the threat detection method and response.
If Threat Prevention is configured to clean automatically (the suggested default setting), the resulting action depends on the
cleaning instruction from the content file. For example, if the file can't be cleaned, the scanner might either delete the file or take
the secondary action, depending on the content file instruction.
1. Review the log file to determine which system access points were violated and which rules detected the violations.
2. Configure the Access Protection rules to allow users access to legitimate items and prevent users from accessing protected items.
Unwanted processes • If the rule reported the violation in the log file, but didn't block the violation, select
• If the rule blocked the violation, but didn't report the violation in the log file, select
• If the rule blocked the violation and reported it in the log file, no action is necessar
• If you find an unwanted process that wasn't detected, edit the rule to include it as
Legitimate processes • If the rule reported the violation in the log file, but didn't block the violation, desele
• If the rule blocked the violation and reported it in the log file, edit the rule to exclud
38 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Buffer overflow detections
When a buffer overflow exploit detection occurs, Exploit Prevention blocks the detection.
Review the information in the activity log to decide whether to create an exclusion.
If the detected process is one that you legitimately use, or a false positive, create an exclusion using the information in the
prompt:
1. Review the information in the Name column to determine the name of the process that owns the writable memory that is
making the call.
2. Create an exclusion for the process in the Exploit Prevention policy settings.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 39
On-demand scan detections
When an on-demand detection occurs, the scanner response depends on the type of on-demand scan. For custom on-demand
scans, the scanner uses Custom On-Demand Scan client task settings. For policy-based on-demand scans, the scanner uses On-Demand
Scan policy settings.
Review the information in the log file to decide whether to take more actions:
• Fine-tune items to scan.
To make scanning more efficient, exclude legitimate files and delete known threats from the quarantine.
• Configure the scanner to prompt for action.
• Configure the scanner to perform actions on files.
◦ Continue scanning — Continues scanning when a threat is detected.
◦ Clean files — Removes the threat from the detected file, if possible.
Tip: Best practice: Threat Prevention uses information in the content file to clean files. If the content file has no
cleaner or the file is damaged beyond repair, the scanner performs the second response (delete or deny access), if
applicable. In this case, restore the file from a clean backup copy.
◦ Delete — Deletes the item that contains the threat.
• Submit a sample to McAfee Labs for analysis.
If you find a false positive or a false negative, submit a sample of the threat to McAfee Labs.
Quarantined items
Threat Prevention cleans or deletes items that are detected as threats and saves copies in a non-executable format to the
Quarantine folder.
Note: Quarantined items can include various types of scanned objects, such as files, registries, or anything that Threat
Prevention scans for malware.
You can perform actions on quarantined items. For example, you might be able to restore an item after downloading a later
version of AMCore content that contains information that cleans the threat.
Task
1. Select Menu → Policy → Policy Catalog, then select Endpoint Security Threat Prevention from the Product list.
2. From the Category list, select Options.
3. Click the name of an editable policy.
4. Configure the Quarantine Manager settings.
40 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Restore quarantined items using McAfee ePO client tasks
Restore individual items from the Quarantine.
Task
1. Select Menu → Policy → Client Task Catalog.
2. From Client Task Types, select Endpoint Security Threat Prevention → Restore from Quarantine.
3. Click the name of an existing client task or click New Task.
4. Configure the settings and click Save.
5. Under Actions, click the Assign link, specify the computers to assign the task to, then click OK.
6. Click 2 Schedule to schedule the task, then click Save.
See McAfee ePO Help for schedule information and the Client Task Assignment Builder.
Task
1. Open the Endpoint Security Client.
2. Click Quarantine on the left side of the page.
The page shows any items in the Quarantine.
Note: If the Endpoint Security Client can't reach the Quarantine Manager, it displays a communication error message. In this case,
restart the system to view the Quarantine page.
3. Select an item from the top pane to display the details in the bottom pane.
To... Do this
Change the relative sizes of the panes. Click and drag the sash widget between the panes.
Sort items in the table by threat name or type. Click the table column heading.
Delete items from the quarantine. Select items, click Delete, then click Delete again to confirm.
Note: Deleted items can't be restored.
Restore items from the quarantine. Select items, click Restore, then click Restore again to confirm.
Endpoint Security restores items to the original location and
removes them from the quarantine.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 41
To... Follow these steps
Note: If an item is still a valid threat, Endpoint Security
returns it to the quarantine the next time the item is
accessed.
View an item in the Event Log. Select an item, then click the View in Event Log link in the details
pane.
The Event Log page opens, with the event related to the
selected item highlighted.
Get more information about a threat. Select an item, then click the Learn more about this threat link in
the details pane.
A new browser window opens to the McAfee Labs website
with more information about the threat that caused the
item to be quarantined.
Detection names
On-access and on-demand scans report threats by detection name.
Keylogger Intercepts data between the user entering it and the intended
recipient application. Trojan horse and potentially unwanted
program keylogger might be functionally identical. McAfee
software detects both types to prevent privacy intrusions.
Potentially unwanted program Includes often legitimate software (non-malware) that might
alter the security state or privacy posture of the system. This
42 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Detection name Description
software can be downloaded with a program that the user
wants to install. It can include spyware, adware, keylogger,
password crackers, hacker tools, and dialer applications.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 43
Between when a threat was originally detected and the rescan performed, scanning conditions can change, which can affect the
detection of quarantined items.
When rescanning quarantined items, Endpoint Security always:
• Scans MIME-encoded files.
• Scans compressed archive files.
• Forces a McAfee GTI lookup on items.
• Sets the McAfee GTI sensitivity level to Very high.
Note: Even using these scan settings, the quarantine rescan might fail to detect a threat. For example, if the item's metadata
(path or registry location) changes, rescanning might produce a false positive even though the item is still infected.
44 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
For information, see the McAfee ePO Help.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 45
Monitoring activity in your environment
An important step in a protection strategy is using tools to monitor the malware events that occur on your systems.
Endpoint Security Threat Prevention: Content Status Version of the AMCore Content and the number
of systems with that version installed.
Endpoint Security Threat Prevention: Exploit Prevention Content Version of the Exploit Prevention Content and
Status the number of systems with that version
installed.
Endpoint Security Threat Prevention: Duration of Completed Full Number of completed Full Scan system scans by
Scans in the Last 7 Days time in hours (from less than 1 hour to greater
than 12 hours) and the number of systems per
duration.
For each duration, this monitor shows:
• Scan start and end time
• System name
• Last communicated time
Endpoint Security Threat Prevention: Duration of Completed Number of completed Quick Scan system scans by
Quick Scans in the Last 7 Days time in hours (from less than 10 minutes to
greater than an hour) and the number of
systems per duration.
46 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Dashboard Monitor Shows...
For each duration, this monitor shows:
• Scan start and end time
• System name
• Last communicated time
In addition to the predefined Threat Prevention dashboards, Threat Prevention contributes monitors to several Common
dashboards.
Endpoint Security Threat Prevention: Access Protection Number of systems with Access Protection
Compliance Status enabled or disabled.
Endpoint Security Threat Prevention: AMCore Content Number of systems with the AV Content
Compliance Status Manager enabled or disabled.
Endpoint Security Threat Prevention: Exploit Prevention Number of systems with Exploit Prevention
Compliance Status enabled or disabled.
Endpoint Security Threat Prevention: On-Access Scan Number of systems with on-access scanner
Compliance Status protection enabled or disabled.
Endpoint Security Threat Prevention: Hotfixes Installed Number of systems with Threat Prevention
hotfixes installed, including hotfix version
numbers.
Endpoint Security Threat Prevention: Applications with the Most Applications with the most buffer overflow
Exploits in the Last 7 Days exploits, including the number of detections.
Custom dashboards
Depending on your permissions, you can create custom dashboards and add monitors using predefined Endpoint Security
queries.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 47
You can view query data only for resources where you have permissions. For example, if your permissions grant access to a
specific System Tree location, your queries return data only for that location.
The module adds predefined queries to McAfee Groups. Depending on your permissions, you can use them as is, modify them, or
create custom queries from events and properties in the McAfee ePO database.
Predefined queries
• Endpoint Security Threat Prevention: Access Protection Compliance Status
• Endpoint Security Threat Prevention: AMCore Content Compliance Status
• Endpoint Security Threat Prevention: Applications with the Most Exploits in the Last 7 Days
• Endpoint Security Threat Prevention: Content Status
• Endpoint Security Threat Prevention: Detection Response Summary
• Endpoint Security Threat Prevention: Duration of Completed Full Scans in the Last 7 Days
• Endpoint Security Threat Prevention: Duration of Completed Quick Scans in the Last 7 Days
• Endpoint Security Threat Prevention: Exploit Prevention Compliance Status
• Endpoint Security Threat Prevention: Exploit Prevention Content Status
• Endpoint Security Threat Prevention: False Positive Mitigation Events
• Endpoint Security Threat Prevention: Hotfixes Installed
• Endpoint Security Threat Prevention: On-Access Scan Compliance Status
• Endpoint Security Threat Prevention: On-Access Scan McAfee GTI Sensitivity Level
• Endpoint Security Threat Prevention: On-Demand Full Scan McAfee GTI Sensitivity Level
• Endpoint Security Threat Prevention: On-Demand Quick Scan McAfee GTI Sensitivity Level
• Endpoint Security Threat Prevention: Right-Click Scan McAfee GTI Sensitivity Level
• Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last 7 Days
• Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last Month
• Endpoint Security Threat Prevention: Threat Count by Severity
• Endpoint Security Threat Prevention: Threats Detected Over the Previous 2 Quarters
• Endpoint Security Threat Prevention: Top 10 Access Protection Rules Broken
• Endpoint Security Threat Prevention: Top 10 Computers with the Most Detections
• Endpoint Security Threat Prevention: Top 10 Detected Threats
• Endpoint Security Threat Prevention: Top 10 Exploits Prevented
• Endpoint Security Threat Prevention: Top 10 Threat Sources
• Endpoint Security Threat Prevention: Top 10 Threats per Threat Category
• Endpoint Security Threat Prevention: Top 10 Users with the Most Detections
Custom queries
The module adds predefined properties to the Endpoint Security feature group. You can use these properties to create custom
queries.
Endpoint Security Endpoint Security Threat Prevention Access Protection Additional Reasons On-Access Scan Additional Reason
Systems
48 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Feature Group Result Type Property (Column) Property (Column)
For information about queries and reports, see the McAfee ePO Help.
Repository Pull Retrieves packages from the source site and place them in the Master Repository. Select
AMCore Content or Endpoint Security Exploit Prevention Content as a package type to retrieve
content updates automatically.
Purge Threat Event Log Purges threat event logs based on a query.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 49
Server task Description
Export Policies Downloads an XML file that contains the associated policy.
Export Queries Creates a query output file that can be saved or emailed.
For information about server tasks, see the McAfee ePO Help.
Task
1. Open the Endpoint Security Client.
2. Click Event Log on the left side of the page.
The page shows any events that Endpoint Security has logged on the system in the last 30 days.
If the Endpoint Security Client can't reach the Event Manager, it displays a communication error message. In this case, reboot the
system to view the Event Log.
3. Select an event from the top pane to display the details in the bottom pane.
To change the relative sizes of the panes, click and drag the sash widget between the panes.
4. On the Event Log page, sort, search, filter, or reload events.
The options that appear depend on how the scan is configured.
To... Steps
Search the event log. Enter the search text in the Search field and press Enter, or click Search.
The search is case-insensitive and searches all fields of the event log for the search
text. The event list shows all elements with matching text.
To cancel the search and display all events, click x in the Search field.
Filter events by severity or module. From the filter drop-down list, select an option.
To remove the filter and display all events, select Show all events from the drop-down
list.
Open the folder that contains the Click View Logs Folder.
log files.
50 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
To... Steps
Display a specific Enter a page number and press Enter or click Go.
page in the log.
By default, the Event Log displays 20 events per page. To display more events per page, select an option from the Events per page
drop-down list.
Macintosh /var/log
Each module, feature, or technology places activity or debug logging in a separate file. All modules place error logging in one file,
EndpointSecurityPlatform_Errors.log.
Enabling debug logging for any module also enables debug logging for the Common module features, such as Self Protection.
Threat Prevention Enabling debug logging for any Threat Prevention ThreatPrevention_Activity.log
technology also enables debug logging for the Endpoint
Security Client. ThreatPrevention_Debug.log
AccessProtection_Debug.log
ExploitPrevention_Debug.log
OnAccessScan_Debug.log
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 51
Module Feature or technology File name
• Right-Click Scan
Common EndpointSecurityPlatform_Errors.log
Contains error logs for all modules.
Macintosh Use MFE–AV to identify and filter Threat Prevention entries system.log
in the log files.
McAfeeSecurity.log
52 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Troubleshooting
Before you call McAfee support, read the information on the processes and tools that you can use to troubleshoot your Threat
Prevention configuration.
McAfee tools
You can download these tools from McAfee.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 53
Using the MER tool for troubleshooting
The MER (Minimum Escalation Requirements) tool collects McAfee data from Threat Prevention and other McAfee products from
your computer.
McAfee support uses this data to analyze and resolve your problem.
The information collected by the MER tool includes:
• Registry details
• File version details
• Files
• Event logs
• Process details
McAfee provides two versions of MER:
• WebMER runs on the client computer.
See How to use MER tools with supported McAfee products.
• MER tool for McAfee ePO uses McAfee ePO to run the MER tool on client computers.
See How to use the MER tool for McAfee ePO.
Task
1. From the Action menu, select Settings.
2. Click Threat Prevention, then click Show Advanced.
3. Click Exploit Prevention, then deselect Enable Exploit Prevention.
Is the original system problem fixed by disabling Exploit Prevention?
◦ Yes — Go to the McAfee support ServicePortal and search for a solution or contact McAfee support for help.
◦ No — Continue with the next step.
54 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
Before you begin
The interface mode for the Endpoint Security Client is set to Full access or you are logged on as administrator.
Task
1. From the Action menu, select Settings.
2. Click Threat Prevention, then click Show Advanced.
3. Click Access Protection, then deselect Enable Access Protection.
Is the original system problem fixed by disabling Access Protection?
◦ Yes — Go to the McAfee support ServicePortal and search for a solution or contact McAfee support for help.
◦ No — Continue with the next step.
Disable ScriptScan
The next step in disabling Threat Prevention is to disable ScriptScan from the Endpoint Security Client.
Task
1. From the Action menu, select Settings.
2. Click Threat Prevention, then click Show Advanced.
3. Click On-Access Scan, then deselect Enable ScriptScan.
Is the original system problem fixed by disabling ScriptScan?
◦ Yes — Go to the McAfee support ServicePortal and search for a solution or contact McAfee support for help.
◦ No — Continue with the next step.
Task
1. From the Action menu, select Settings.
2. Click Threat Prevention, then click Show Advanced.
3. Click On-Access Scan, then deselect Enable On-Access Scan.
Is the original system problem fixed by disabling on-access scans?
◦ Yes — Go to the McAfee support ServicePortal and search for a solution or contact McAfee support for help.
◦ No — Go to step 4.
4. Shut down and restart the system.
Is the original system problem fixed by restarting the system?
◦ Yes — Go to the McAfee support ServicePortal and search for a solution or contact McAfee support for help.
◦ No — Continue with the next step.
McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows 55
Remove the Threat Prevention module
The final step in disabling Threat Prevention is to completely remove Threat Prevention and restart the system.
Task
1. Remove Threat Prevention from the system.
See the McAfee Endpoint Security Installation Guide.
2. Restart the system.
Is the original system problem fixed by completely removing the Threat Prevention feature and restarting?
◦ Yes — The original system problem was probably related to Threat Prevention.
◦ No — Go to the McAfee support ServicePortal and search for a solution or contact McAfee support for help.
General
Why can some users on my network configure their own settings and others can't?
The administrator might have configured settings to lock the Endpoint Security Client interface. If so, users can't change
settings. In addition, Windows operating systems set different user permissions. See your Microsoft Windows
documentation for more information about user permissions.
Blocked programs
I installed Threat Prevention and now one of my programs doesn't work.
1. Review the Access Protection log file to determine if a rule blocked the program.
2. If you find the program listed in the log, enter it as an exclusion to the rule or disable the rule.
56 McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows
COPYRIGHT
Copyright © 2021 McAfee, LLC
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.