McAfee ENS 10.7 June 2022: new option to exclude Exploit rules by Active Directory user or group

by butsch 28. July 2022 17:01


McAfee posted a fixed version of the 10.7 June 2022 release. Hidden in the release notes you will find an important detail.

You can now exclude Signature/Exploit/IPS rules for certain Active Directory users or groups by SID.

This is like a WMI filter for a GPO (Group Policy Object): it lets you drill down more granularly and target exclusions more effectively.

A main problem until now: an exclusion by MD5 checksum would be the safest and most useful. However, if you have self-updating software (like a Rapid7 agent), the MD5 checksum keeps changing.

That's no problem if you are an enterprise with a McAfee TIE server and ATD sandbox, which automatically sees that there are older versions of the agent in its history, checks several other things, and then approves the file for running or not.


For exclusions, this helps: an exclusion for a certain file (without the MD5) can be limited to a certain user group or a single user.


If "financetoolstupidcoder.exe" hits 20 Exploit rules because it was so badly coded, you can exclude all the signature-based rules for the single user with the SID 5654654634338998888 (your CFO, who gives IT money). ;-)
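One way to look up the SID to enter in such an exclusion, as an added example that is not from the original post or from McAfee: the PowerShell function below resolves account names to SIDs and flags well-known principals that would make the exclusion apply to nearly everyone. `Resolve-ExclusionSid` and the `CONTOSO` account names are hypothetical, and the set of SIDs treated as too broad is an assumption.

```powershell
# Added example: resolve AD accounts to SIDs before scoping an exclusion to them.
# The function name and the CONTOSO accounts are constructed placeholders.
function Resolve-ExclusionSid {
    param(
        [Parameter(Mandatory)][string[]]$Account   # e.g. 'CONTOSO\cfo'
    )

    # Assumption: these well-known principals cover (almost) every user,
    # so an exclusion scoped to them is no narrower than a global one.
    $broadTypes = @(
        [System.Security.Principal.WellKnownSidType]::WorldSid,
        [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid,
        [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid,
        [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid
    )

    foreach ($name in $Account) {
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($name)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            # Unknown or mistyped account: report it instead of guessing a SID.
            Write-Warning "Cannot resolve '$name' to a SID: $($_.Exception.Message)"
            continue
        }

        $tooBroad = $false
        foreach ($type in $broadTypes) {
            if ($sid.IsWellKnown($type)) { $tooBroad = $true }
        }

        [pscustomobject]@{
            Account  = $name
            Sid      = $sid.Value     # string form, S-1-5-21-...
            TooBroad = $tooBroad      # review before using as an exclusion scope
        }
    }
}

# Run on a domain-joined machine; replace the placeholder accounts with your own.
Resolve-ExclusionSid -Account 'CONTOSO\cfo', 'CONTOSO\Domain Users'
```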


We would like to point out that McAfee has the large solution with ATD (TIE server, ATD sandbox), which allows you to control EXEs by MD5, but in an SBS or even a 1000+ shop you sometimes simply can't handle strict change and release management.


This will help us all a lot.






