Mcafee EPO prevent exe RUNNING FROM %appdata%

by butsch 14. July 2015 04:04

Mcafee EPO prevent exe RUNNING FROM %appdata% folders with an Access protection Policy

How to protect against most 0day Flash exploits and malware like Ransom Cryptowall in summer 2015. You simply can't keep up with patching, even with deployment or management solutions in place. You should also have an IPS filter like Fortigate with Fortiguard; Fortigate is most of the time involved in detecting Flash exploits, so it is a good choice in that direction.

But the problem is SSL/HTTPS traffic: viruses get through if you can't break open the stream because of legal concerns.

Here is a solution from McAfee to cut this down, but as always it is not clear in their documentation.

Sure, this covers maybe 80%, but it will take out some heat. Another tip from our side would be to use Microsoft EMET. There is also a GPO to prevent such things, but that will take more time to set up.

  1. Log on to the McAfee EPO server
  2. Go to Clients
  3. Assigned Policy
  4. Access Protection Policy
  5. Choose your "Policy" > "My Default"

Now the trick was the PATH. I am not sure, but ONE McAfee KB was wrong or not so effective here.

We are still unsure if it has to be \ or / if you read their documentation.

Well, here is how it worked for us. We don't want to catch %appdata%\temp because there is already an option in McAfee itself for that, and it was not a good idea with some customers and special apps.

01_APPDATA_ROAMING_BLOCK_EXE

avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe

C:\users\**\appdata\local\**\*.exe

02_APPDATA_LOCALOW_BLOCK_EXE

avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe

C:\users\**\appdata\local\**\*.exe

Some sample search patterns:

Find unwanted Google chrome.exe under %appdata%\local everywhere:

C:\users\**\appdata\local\**\chrome.exe

C:\users\**\appdata\local\**\gears-chrome-opt.msi
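To check which paths such a rule would actually cover before rolling it out, here is an added PowerShell helper that is not from the original post or from McAfee. It translates a McAfee file-path wildcard into a regular expression and tests constructed sample paths against the pattern used above; the wildcard semantics (* never crosses a backslash, ** does, ? is one non-backslash character) are my reading of the McAfee KB linked below and are an assumption.

```powershell
# Added example, not from the original post or McAfee. Assumed wildcard
# semantics (my reading of KB54812): "*" matches any run of characters
# without a backslash, "**" matches any run including backslashes,
# "?" matches exactly one non-backslash character.
function Convert-McAfeePathPattern {
    param([Parameter(Mandatory)][string]$Pattern)
    $re = [regex]::Escape($Pattern)          # turns * into \* and \ into \\
    $re = $re -replace '\\\*\\\*', '.*'      # ** may span folder levels
    $re = $re -replace '\\\*', '[^\\]*'      # * stays inside one path component
    $re = $re -replace '\\\?', '[^\\]'       # ? is one character, never a backslash
    return [regex]::new('^' + $re + '$', 'IgnoreCase')
}

function Test-McAfeePathRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Path
    )
    $rx = Convert-McAfeePathPattern -Pattern $Pattern
    foreach ($p in $Path) {
        [pscustomobject]@{ Path = $p; Blocked = $rx.IsMatch($p) }
    }
}

# Constructed sample paths (not real findings). Note that the pattern used in
# the rules above covers appdata\local only, so a roaming path is not caught.
$samples = @(
    'C:\users\bob\appdata\local\temp\dropper.exe',
    'C:\users\bob\appdata\local\Google\Chrome\Application\chrome.exe',
    'C:\users\bob\appdata\roaming\someapp\updater.exe',
    'C:\users\bob\appdata\local\notes.txt',
    'C:\Program Files\Vendor\app.exe'
)
Test-McAfeePathRule -Pattern 'C:\users\**\appdata\local\**\*.exe' -Path $samples |
    Format-Table -AutoSize
```

Run it with your own candidate paths to confirm that whitelisted business applications under %appdata% are not hit before enabling the rule in block mode.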

Check the left corner for "Workstation" and for "Server".

Client side TEST

EPO side view

Original Link from Mcafee:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25480/en_US/McAfee_Labs_Threat_Advisory-Ransom_Cryptowall.pdf

McAfee wildcard patterns:

https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Adobe:

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

How can you replace a DLL on an Enteo client for testing purposes?

by butsch 13. July 2015 06:18

How can you replace a DLL or a file on an Enteo client for testing purposes? Today we received a DLL for a DEV fix from Frontrange. After asking, we also got a link to a KB article describing a registry key. If anyone understands where this is supposed to or allowed to be changed, please explain it to us. Perhaps in a drawing or diagram?

WARNING: Frontrange is now an English company (KB article 12492)

Never use / change this key on a Management Point Server. This key must always be set on a Management Point Server because the client binary update is performed during Management Point update automatically.

Replacing a single TEST DLL on the Enteo agent

  1. Stop both Frontrange services
  2. Create the registry key on the CLIENT
  3. Restart both Frontrange services
  4. Stop both Frontrange services
  5. Replace the DLL (purely file-based, without registering the DLL)
  6. Start both Frontrange services
  7. Check that the two DLLs are not replaced again

Fix.reg: this key must be set on the DSM/Enteo/Frontrange client

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetSupport\NetInstall\SiteProperties]
"ClientAutoUpdateEnabled"=dword:00000000

Example: replacing files that Enteo customers receive from support:

KB article 12492

Fine grained Password Policy on 2012R2 made easy with ADAC

by butsch 8. July 2015 06:17

ADAC = NOT the German breakdown service ;-)

Fine grained Password Policy in 2013 R2 Domain Active Directory, Error 4625 event

Sometimes you need accounts whose passwords never expire or that never get locked out. We all know it's a bad idea in security terms, but if a piece of software has a bug that keeps locking the account, you have to hurry. Search ALL of the domain controllers for event 4625; there you should see the client that causes it. There are also lockout/whoislocked scripts that do this. (Account locked)

The regular domain password policy is here:

But we want a second one with different settings that applies only to a few users in a security group.

New way with ADAC on 2012R2

http://blogs.technet.com/b/canitpro/archive/2013/05/30/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad.aspx

https://technet.microsoft.com/de-CH/library/hh831702.aspx

Old way with ADSIEDT.MSC

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx

Make a new AD security group, sg_gpo_password_policy_bsb_non_locked, and make the accounts that should get the special password policy members of that group ("Only user accounts").

Go to SYSTEM

Go to Password Settings Container

Choose "Directly applies to" and make sure you choose the correct Security Group you made for this.

In cmd on the DC, run:

Repadmin /syncall

It's finished and working.

CROSS CHECK old Method with ADSIEDT
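An added PowerShell example (not from the original post) that does two of the checks above from the command line, assuming the RSAT ActiveDirectory module and read access to the Security log on all DCs: it shows which password settings object effectively applies to each member of the group, and collects event 4625 from every domain controller for one account to find the client that sends the bad credentials. The account name svc_placeholder is a placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and rights to read the Security log on every DC. The group name is
# the one from the post; 'svc_placeholder' is a placeholder account name.
Import-Module ActiveDirectory

# Which password settings object (PSO) actually wins for each member of the group?
$group = 'sg_gpo_password_policy_bsb_non_locked'
Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user' | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    $policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    $threshold = if ($pso) { $pso.LockoutThreshold } else { $null }
    [pscustomobject]@{ User = $_.SamAccountName; EffectivePolicy = $policy; LockoutThreshold = $threshold }
}

# Event 4625 (failed logon) on every DC of the domain for one account, with the
# client (workstation / IP) that sent the bad credentials.
function Find-FailedLogons([string]$SamAccountName, [int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d   = ([xml]$_.ToXml()).Event.EventData.Data      # named EventData fields
                $val = { param($n) ($d | Where-Object Name -eq $n).'#text' }
                if ((& $val 'TargetUserName') -eq $SamAccountName) {
                    [pscustomobject]@{
                        DC          = $dc.HostName
                        Time        = $_.TimeCreated
                        Workstation = & $val 'WorkstationName'
                        IpAddress   = & $val 'IpAddress'
                        SubStatus   = & $val 'SubStatus'   # 0xC000006A = wrong password, 0xC0000234 = locked
                    }
                }
            }
    }
}
Find-FailedLogons -SamAccountName 'svc_placeholder' | Sort-Object Time | Format-Table -AutoSize
```

The workstation or IP in the 4625 output is the machine still presenting the old credentials; fix that source rather than leaving the account exempt from lockout longer than needed.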

Frontrange Upgrade 7/2014.x/2015.1

by butsch 5. July 2015 23:20

Here is where to find the mentioned setting in Enteo/Frontrange for updates:

Configure the Polling Frequency for Package Preparation on the ORG Master Depot

The Polling Frequency for Package Preparation of the Distribution Service (in charge of the ORG Master Share) should be reduced to 5 minutes to ensure the update packages are prepared in a timely fashion. The default value is 120 minutes.

Exchange 2010 EMC / Console Kerberos load quota 1000 of 2

by butsch 30. June 2015 06:45

It's unclear where this comes from, but we suspect scripts querying Exchange objects in some form, or a third-party software that queries some Exchange objects too fast. For some MDM/Blackberry solutions, throttling had been opened up. The client does not have Kerberos authentication / SPS activated.

Error:

The WS-Management service cannot process the request. The system load quota of 1000 requests per 2 seconds has been exceeded

Solve this with:

Cmd

Try:

Iisreset /noforce

If that gets stuck, do a full reset with:

Iisreset

Solved:
