Rule settings for McAfee Enterprise 8.8 (preliminary)
McAfee is anti-virus software, and Access Protection is an auxiliary feature; the anti-virus engine therefore takes precedence over all rules. The relative strength is: the anti-virus engine is stronger than the rules, the file rules are stronger than the registry rules, and the registry rules are stronger than the port rules. Still, each of the four has its own strengths, and they work together to make full use of their combined capabilities; any one-sided, static judgement is partial. Now to the topic.
I. Wildcard characters
Setting rules for McAfee 8.8 is not easy. The difficulty with wildcards is that 8.8 does not support "?:\" to mean "any drive letter". Taking the WINDOWS and Program Files folders as examples, folders can be expressed as follows:
*\WINDOWS: the WINDOWS folder on any drive (not valid in the process-to-block field).
**\WINDOWS: the WINDOWS folder on any drive (valid for all processes).
*\**\WINDOWS: the WINDOWS folder on any drive (valid for all processes).
File wildcard expressions:
*\WINDOWS\**: all files at any depth under the WINDOWS folder on any drive (not valid in the process-to-block field).
**\WINDOWS\**: all files at any depth under the WINDOWS folder on any drive (valid for all processes).
*\**\WINDOWS\**: all files at any depth under the WINDOWS folder on any drive (valid for all processes).
*\WINDOWS\**\*.*: all files that have an extension, at any depth under the WINDOWS folder on any drive (not valid in the process-to-block field).
**\WINDOWS\**\*.*: all files that have an extension, at any depth under the WINDOWS folder on any drive (valid for all processes).
*\**\WINDOWS\**\*.*: all files that have an extension, at any depth under the WINDOWS folder on any drive (valid for all processes).
Wildcard expressions for folder names:
Program Files*: the Program Files folder and any folder whose name is "Program Files" followed by any characters, including Program Files (x86).
PROGRA~?: "?" stands for any single character, such as 1, 2, 3 or 4 (PROGRA~1 is the 8.3 short name of Program Files; a quick search will explain it).
*\Program Files*\**\*.*: all files that have an extension, at any depth under Program Files or Program Files (x86) on any drive (not valid in the process-to-block field).
**\Program Files*\**\*.*: all files that have an extension, at any depth under Program Files or Program Files (x86) on any drive (valid for all processes).
*\**\Program Files*\**\*.*: all files that have an extension, at any depth under Program Files or Program Files (x86) on any drive (valid for all processes).
Process wildcard expressions for the "Process to be included" field:
*: all processes.
**: all processes.
*.*: all processes that have an extension (this sidesteps the problem that the extension-less System process cannot be excluded).
Other: ?:\*: valid for the root directory.
Note: The above syntax is also valid in 8.7i.
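To check which of the patterns above cover a given path, here is an added Python matcher that is not part of the original post and is not McAfee's own engine; it implements the semantics described in this section (? one character, * within one path component, ** across components, case-insensitive) and assumes that \**\ may also stand for zero directory levels and that a process entry without a backslash is compared against the image name only. The trust zone and the block-all rule from later in the post are embedded as sample input, together with constructed sample paths.

```python
import re

# Added example, not part of the original post and not McAfee's matching engine.
# Wildcard semantics as described in the wildcard section:
#   ?     exactly one character (never a backslash)
#   *     any run of characters inside a single path component
#   **    any run of characters, including backslashes (several directory levels)
#   \**\  assumed to stand for zero or more directory levels, so that
#         *\**\WINDOWS covers C:\WINDOWS as the text states
# Matching is case-insensitive, as Windows paths are.


def wildcard_to_regex(pattern: str) -> str:
    """Translate one Access Protection wildcard pattern into a regular expression."""
    parts = []
    i, n = 0, len(pattern)
    while i < n:
        if pattern[i:i + 4] == "\\**\\":        # \**\  -> zero or more levels
            parts.append(r"\\(?:.*\\)?")
            i += 4
        elif pattern[i:i + 2] == "**":          # **    -> crosses directory levels
            parts.append(r".*")
            i += 2
        elif pattern[i] == "*":                 # *     -> stays inside one component
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":                 # ?     -> one character
            parts.append(r"[^\\]")
            i += 1
        else:                                   # everything else is literal
            parts.append(re.escape(pattern[i]))
            i += 1
    return "".join(parts)


def matches(pattern: str, path: str) -> bool:
    """True when the whole path is covered by the pattern."""
    return re.fullmatch(wildcard_to_regex(pattern), path, re.IGNORECASE) is not None


def matches_process(pattern: str, process_path: str) -> bool:
    """Assumption: an entry without a backslash (svchost.exe, *.*, ?Script.exe) is
    compared with the image name only; an entry with a backslash with the full path."""
    if "\\" in pattern:
        return matches(pattern, process_path)
    return matches(pattern, process_path.rsplit("\\", 1)[-1])


def rule_applies(process_path: str, include, exclude) -> bool:
    """A rule acts on a process when an include entry matches and no exclude entry does."""
    if not any(matches_process(p, process_path) for p in include):
        return False
    return not any(matches_process(p, process_path) for p in exclude)


# The trust zone from the "Preparations" section (folder names as in this translation).
TRUST_ZONE = [
    r"*\**Tool\**\*.*", r"*\**e-book\**\*.*", r"*\4KBrowser\**\*.*",
    r"*\AloneSbck\**\*.*", r"*\empire earth\**\*.*", r"*\KangXiDict\**\*.*",
    r"*\Program Files*\**\*.*", r"*\PROGRA~?\**\*.*", r"*\WINDOWS\**\*.*",
]

# "Block read and write access to all shares" as the post configures it:
# include *.* (every process that has an extension), exclude the trust zone.
BLOCK_UNTRUSTED = {"include": ["*.*"], "exclude": TRUST_ZONE}


def blocked_by_untrusted_rule(process_path: str) -> bool:
    """Would the block-all rule fire for this process?"""
    return rule_applies(process_path, BLOCK_UNTRUSTED["include"], BLOCK_UNTRUSTED["exclude"])


if __name__ == "__main__":
    # Constructed sample process paths, not taken from any real host.
    samples = [
        r"C:\WINDOWS\system32\svchost.exe",      # trusted: *\WINDOWS\**\*.*
        r"C:\Program Files (x86)\Foo\foo.exe",   # trusted: Program Files* covers (x86)
        r"D:\PROGRA~1\Foo\foo.exe",              # trusted: 8.3 short name, PROGRA~?
        r"E:\KangXiDict\kx.exe",                 # trusted only as a top-level folder
        r"E:\apps\KangXiDict\kx.exe",            # one level deeper: not trusted
        r"E:\apps\MyTool\x.exe",                 # *\**Tool\**\*.* works at any depth
        r"C:\Users\bob\Downloads\dropper.exe",   # untrusted: rule fires
        "System",                                # no extension: *.* never includes it
    ]
    for p in samples:
        print(f"{p:40} blocked={blocked_by_untrusted_rule(p)}")
    # File-field patterns used by the later rules: root directory only vs. any depth.
    print(matches(r"?:\*", r"C:\autorun.inf"), matches(r"?:\*", r"C:\dir\autorun.inf"))
    print(matches(r"**\*.exe", r"C:\x\y\a.exe"), matches(r"**\*.exe", r"C:\x\a.txt"))
```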
II. Rule design ideas
Rules assist the anti-virus engine in defending against unknown viruses. Different rules follow different frameworks. The following defense ideas are available:
1. Divide the system into trust zones: forbid programs in the untrusted zone from operating without authorization, and prevent programs in the trusted zone from being tampered with. The key to this idea is that the trusted zone must be clean.
2. Build a whitelist of absolute paths; only whitelisted programs may operate and modify files. The key to this idea is that the whitelist must be accurate.
Note: No rules have been written for this idea yet; if you are interested, try it. Idea for extracting a system whitelist: install McAfee on a clean system (one per operating system), remove all of McAfee's default exclusions, set every rule to report only without blocking, perform all kinds of operations, and finally extract the absolute-path whitelist from the report; this list is common to all machines. Then, on a system with application software installed, extract another whitelist; this one is personalized, though the entries for common software are still common.
3. Keep the PC clean and defend the entry points: on the premise that the local machine is not infected, forbid programs on removable media from operating illegally and forbid illegal downloads from the browser.
Each of the above ideas can be applied very strictly or relatively loosely.
The following uses the first idea as the example for setting McAfee 8.8 rules.
III. Preparations
1. Install McAfee 8.8 Enterprise Edition. For installation methods, steps, settings and related questions, refer to the pinned post.
2. Divide the trust zone. My division is strict:
*\**Tool\**\*.*, *\**e-book\**\*.*, *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*, *\WINDOWS\**\*.*
Note: The trust zone includes every system program and every program with an extension under any drive letter that is installed in Program Files, Program Files (x86) or the non-Program Files folders listed; it covers 32-bit and 64-bit applications. *\PROGRA~?\**\*.* is added so that old programs written for the early FAT disk format can run (although 99.99% of the time it is not needed). 4KBrowser (a four-database reader), AloneSbck (a series), empire earth (the game Empire Earth) and KangXiDict (Kangxi Dictionary): none of these can be removed from the settings below.
3. Collect and select each single rule to be set, to avoid large gaps in the rules.
4. Arrange the rule framework:
(1) Forbid illegal operations by untrusted-zone programs. In theory four rules are required: forbid untrusted-zone programs from accessing files, registry keys, registry values and ports. Among the default rules, "Block read and write access to all shares" under "Anti-virus outbreak control" is McAfee's ultimate rule: once it is enabled with the untrusted zone included, untrusted-zone programs cannot even touch the registry keys, registry values or ports, so the other three rules need not be added to the user-defined rules.
(2) Protect trusted-zone programs from illegal tampering: two kinds of rules are required, protecting system programs and protecting application software.
(3) Forbid other risky operations, such as image hijacking, USB flash drive viruses and root directory tampering.
Everything is ready. Let's get it done!
IV. Rule settings (McAfee 8.8, text version)
(1) Default rule settings
Anti-spyware standard protection
Rule name: Protect Internet Explorer favorites and settings
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Anti-spyware maximum protection
Rule name: Prevent installation of new CLSIDs, APPIDs and TYPELIBs
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent all programs from running files from the Temp folder
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent execution of scripts from the Temp folder
Process to be included: ?Script.exe
Process to be excluded: None
Anti-virus standard protection
Rule name: Prevent registry editor and Task Manager from being disabled
Process to be included: *
Process to be excluded: None
Rule name: Prevent user rights policies from being altered
Process to be included: *
Process to be excluded: *\WINDOWS\**\*.*
Rule name: Prevent remote creation/modification of executable and configuration files
Process to be included: * (on Win7 this should be *.*, otherwise Windows genuine validation may fail)
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent remote creation of autorun files
Process to be included: *
Process to be excluded: None
Rule name: Prevent hijacking of .EXE and other executable extensions
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent Windows Process spoofing
Process to be included: *
Process to be excluded: *\WINDOWS\Explorer.EXE
Rule name: Prevent mass mailing worms from sending mail
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent IRC communication
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent use of tftp.exe
Process to be included: *
Process to be excluded: None
Anti-virus maximum protection
Rule name: Prevent svchost executing non-Windows executables
Process to be included: svchost.exe
Process to be excluded: None
Rule name: Protect phone book files from password and email address stealers
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent alteration of all file extension registrations
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Protect cached files from password and email address stealers
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Anti-virus outbreak control
Rule name: Make all shares read-only
Process to be included: System:Remote
Process to be excluded: None
Rule name: Block read and write access to all shares (this serves as the "forbid access by untrusted-zone programs: files" rule)
Process to be included: *.*
Process to be excluded: *\**Tool\**\*.*, *\**e-book\**\*.*, *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*, *\WINDOWS\**\*.*
Note: Configured this way, this rule acts as "forbid access to files by untrusted-zone programs".
Common standard protection
Rule name: Prevent modification of McAfee files and settings
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*, *\WINDOWS\**\system32\lsass.exe, *\WINDOWS\**\system32\services.exe, *\WINDOWS\**\system32\smss.exe, *\WINDOWS\**\system32\winlogon.exe, *\WINDOWS\regedit.exe, *\WINDOWS\system32\svchost.exe
Rule name: Prevent modification of McAfee Common Management Agent files and settings
Process to be included: *
Process to be excluded: *\WINDOWS\**\system32\lsass.exe, *\WINDOWS\**\system32\services.exe, *\WINDOWS\**\system32\smss.exe, *\WINDOWS\**\system32\winlogon.exe, *\WINDOWS\system32\svchost.exe, *\Program Files*\**\McAfee\**\*.*
Rule name: Prevent modification of McAfee Scan Engine files and settings
Process to be included: *
Process to be excluded: *\WINDOWS\**\system32\lsass.exe, *\WINDOWS\**\system32\services.exe, *\WINDOWS\**\system32\smss.exe, *\WINDOWS\**\system32\winlogon.exe, *\WINDOWS\system32\svchost.exe, *\Program Files*\**\McAfee\**\*.*, *\WINDOWS\Explorer.EXE
Rule name: Protect Mozilla & FireFox files and settings
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Protect Internet Explorer settings
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent installation of Browser Helper Objects and Shell Extensions
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Protect network settings
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent common programs from running files from the Temp folder
Process to be included: iexplore.exe
Process to be excluded: None
Rule name: Disable HCP URLs in Internet Explorer
Process to be included: *
Process to be excluded: None
Rule name: Prevent termination of McAfee processes
Process to be included: *
Process to be excluded: None
Common maximum protection
Rule name: Prevent programs registering to autorun
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*
Rule name: Prevent programs registering as a service
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent creation of new executable files in the Windows folder
Process to be included: *
Process to be excluded: None
Rule name: Prevent creation of new executable files in the Program Files folder
Process to be included: *
Process to be excluded: *\Program Files*\McAfee\Common Framework\FrameworkService.exe
Rule name: Prevent launching of files from the Downloaded Program Files folder
Process to be included: *
Process to be excluded: None
Rule name: Prevent FTP communication
Process to be included: *
Processes to be excluded: agentnt.exe, uninstall, alg.exe, uninstall, apache.exe, autoup.exe, avtask.exe, boxinfo.exe, cfgeng.exe, cleanup.exe, cmdagent.exe, dstest.exe, earthagent.exe, cmder.exe, f-secu *, f-secure automa *, firefox.exe, example, framepkg.exe, example, frameworks *, frminst.exe, fspex.exe, ftp://ftp.exe/, getdbhtp.exe, example *, google *, idsinst.exe, iexplore.exe, example, ilaunchr.exe, inetinfo.exe, inodist.exe, plugin, lsetup.exe, lucoms *, luupdate.exe, mcscancheck.exe, mcscript *, mctray.exe, illa.exe, example, naimserv.exe, example, netscp.exe, ofcservice.exe, opera.exe, paddsupd.exe, pasys *, pavagent.exe, pavsrv50.exe, pskmssvc.exe, setlicense.exe, sevinst.exe, sucer.exe, supdate.exe, thunde *. exe, tmlisten.exe, tomcat.exe, tomcat5.exe, tomcat5w.exe, tsc.exe, udaterui.exe, updaterui.exe, v3cfgu.exe, webproxy.exe
Rule name: Prevent HTTP communication
Process to be included: *.*
Process to be excluded :??? Setup.exe ,?? Setup.exe ,? Setup.exe, cmdbat.exe, example, agentnt.exe, example, alg.exe, example, apache.exe, autoup.exe, avtask.exe, backweb-*, boxinfo.exe, example, ccmexec.exe, example, cleanup.exe, cmdagent.exe, lele.exe, example, dstest.exe, dwwin.exe, earthagent.exe, eudora.exe, assumer.exe, f-secu *, f-secure automa *, firefox.exe, FireSvc.exe, example, frameworks *, frminst.exe, fspex.exe, example, giantantispywa *, google *, idsinst.exe, iexplore.exe, kernel, ikernel.exe, kernel, inetinfo.exe, inodist.exe, kernel, kernel, javaw.exe, jucheck.exe, kernel, kwsmain.exe, kwsupd.exe, lsetup.exe, lucoms *, luupdate.exe, MAPISP32.exe, mcfeehip_clie *, McSACore.exe, mcscancheck.exe, mcscript *, mctray.exe, mmc.exe, mobsync.exe, mozilla.exe, msexcimc.exe, mshta.exe, msi *. tmp, msiexec.exe, msimn.exe, msn6.exe, retry, retry, naimserv.exe, retry, retry, neo20.exe, netscp.exe, nlnotes.exe, retry, retry, ofcservice.exe, opera.exe, outlook.exe, retry, retry, pasys *, pavagent.exe, pavsrv50.exe, pine.exe, poco.exe, pskmssvc.exe, quicktimeplaye *, realplay.exe, RESRCMON. EXE, runscheduled.exe, SAEDisable.exe, SAEuninstall.exe, setlicense.exe, setup *. exe, setup.exe, Setup_SAE.exe, sevinst.exe, SiteAdv.exe, SPSNotific *, sucer.exe, supdate.exe, svchost.exe, thebat.exe, thunde *. exe, tmlisten.exe, tomcat.exe, tomcat5.exe, tomcat5w.exe, tsc.exe, udaterui.exe, uninstall.exe, update.exe, updaterui.exe, v3cfgu.exe, VMIMB. EXE, vmnat.exe, waol.exe, webproxy.exe, wfica32.exe, winamp.exe, windbg.exe, WinMail.exe, winpm-32.exe, wmplayer.exe, wuauclt.exe, _ ins *. _ mp
Virtual Machine Protection
Rule name: Prevent termination of VMWare processes
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent modification of VMWare Workstation files and settings
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent modification of VMWare Server files and settings
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
Rule name: Prevent modification of VMWare Virtual Machine files
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\WINDOWS\**\*.*
(2) User-defined rules (this part can be configured selectively; it need not be complete)
1. Forbid untrusted-zone programs (this part may be omitted; for the reason, see "rule framework" above)
1.01 Rule name: Forbid access by untrusted-zone programs: files
Process to be included: *
Process to be excluded: *\**Tool\**\*.*, *\**e-book\**\*.*, *\WINDOWS\**\*.*, *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*
File or folder name to be blocked: **\*
File actions to be prevented: Read, Write, Execute, Create, Delete
1.02 Rule name: Forbid access by untrusted-zone programs: registry (key)
Process to be included: *
Process to be excluded: *\**Tool\**\*.*, *\**e-book\**\*.*, *\WINDOWS\**\*.*, *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*
Registry key or value to be protected: HKALL/**
Protect key or value: Key
Registry actions to be prevented: Write, Create, Delete
1.03 Rule name: Forbid access by untrusted-zone programs: registry (value)
Process to be included: *
Process to be excluded: *\**Tool\**\*.*, *\**e-book\**\*.*, *\WINDOWS\**\*.*, *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*
Registry key or value to be protected: HKALL/**
Protect key or value: Key
Registry actions to be prevented: Write, Create, Delete
1.04 Rule name: Forbid access by untrusted-zone programs: ports
Process to be included: *.*
Process to be excluded: worker, cmdagent.exe, FireSvc.exe, FrameworkService.exe, ijavase.exe, worker, kwsmain.exe, kwstray.exe, kwsupd.exe, McScript_InUse.exe, sppsvc.exe, svchost.exe, Thunder*.exe
Ports to be blocked: 1-65535
Direction: Inbound and Outbound
2. Protect key parts of the trust zone (this part is required)
2.01 Rule name: Protect COM files in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.com
File actions to be prevented: Write, Create
2.02 Rule name: Protect VXD drivers in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.vxd
File actions to be prevented: Create
2.03 Rule name: Protect DRV drivers in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.drv
File actions to be prevented: Create
2.04 Rule name: Protect OCX controls in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.ocx
File actions to be prevented: Write, Create
2.05 Rule name: Protect EXE files in Windows
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*, *\WINDOWS\system32\Rundll32.exe
File or folder name to be blocked: **\WINDOWS\**\*.exe
File actions to be prevented: Write, Create
2.06 Rule name: Protect DLL files in Windows
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*
File or folder name to be blocked: **\WINDOWS\**\*.dll
File actions to be prevented: Write, Create
2.07 Rule name: Protect PIF files in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.pif
File actions to be prevented: Write, Create
2.08 Rule name: Protect SCR files in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.scr
File actions to be prevented: Write, Create
2.09 Rule name: Protect SYS drivers in Windows
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\windows\**\*.sys
File actions to be prevented: Create
2.10 Rule name: Protect COM files under Program Files*
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\Program Files*\**\*.com
File actions to be prevented: Write, Create
2.11 Rule name: Protect COM files under Program Files* (2)
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: E:\**\*.com
File actions to be prevented: Write, Create
Note: My four-database reader and other large software are all installed on drive E, so E:\**\*.com is added to cover them completely. If you do not need this, simply remove rules of this kind. The same applies below.
2.12 Rule name: Protect SCR files under Program Files*
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\Program Files*\**\*.scr
File actions to be prevented: Write, Create
2.13 Rule name: Protect SCR files under Program Files* (2)
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: E:\**\*.scr
File actions to be prevented: Write, Create
2.14 Rule name: Protect PIF files under Program Files*
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\Program Files*\**\*.pif
File actions to be prevented: Write, Create
2.15 Rule name: Protect PIF files under Program Files* (2)
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: E:\**\*.pif
File actions to be prevented: Write, Create
2.16 Rule name: Protect EXE files under Program Files*
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*
File or folder name to be blocked: **\Program Files*\**\*.exe
File actions to be prevented: Create
2.17 Rule name: Protect EXE files under Program Files* (2)
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*
File or folder name to be blocked: E:\**\*.exe
File actions to be prevented: Create
2.18 Rule name: Protect DLL files under Program Files*
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*
File or folder name to be blocked: **\Program Files*\**\*.dll
File actions to be prevented: Write, Create
2.19 Rule name: Protect DLL files under Program Files* (2)
Process to be included: *
Process to be excluded: *\Program Files*\**\McAfee\**\*.*
File or folder name to be blocked: E:\**\*.dll
File actions to be prevented: Write, Create
3. Other protection (this part is optional)
3.01 Rule name: Protect the root directory
Process to be included: *
Process to be excluded: *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*, *\WINDOWS\**\*.*
File or folder name to be blocked: ?:\*
File actions to be prevented: Write, Create, Delete
3.02 Rule name: Prevent unauthorized modification of EXE files on the local machine
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\PROGRA~?\**\*.*, *\AloneSbck\**\*.*, *\KangXiDict\**\*.*, *\4KBrowser\**\*.*, *\empire earth\**\*.*
File or folder name to be blocked: **\*.exe
File actions to be prevented: Write
3.03 Rule name: Prevent illegal execution of TMP files on the local machine
Process to be included: *
Process to be excluded: *\Program Files*\**\*.*, *\PROGRA~?\**\*.*, *\Windows\system32\svchost.exe, *\AloneSbck\**\*.*, *\KangXiDict\**\*.*, *\4KBrowser\**\*.*, *\empire earth\**\*.*
File or folder name to be blocked: **\*.tmp
File actions to be prevented: Execute
3.04 Rule name: Prevent illegal creation of BAT files on the local machine
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\*.bat
File actions to be prevented: Create
3.05 Rule name: Prevent unauthorized script execution on the local machine
Process to be included: ?Script.exe
Process to be excluded: None
File or folder name to be blocked: **\**
File actions to be prevented: Execute
3.06 Rule name: Prevent illegal creation of CPL files on the local machine
Process to be included: *
Process to be excluded: *\WINDOWS\javaser.exe, *\**\Program Files*\WinRAR\WinRAR.exe
File or folder name to be blocked: **\*.cpl
File actions to be prevented: Write, Create, Delete
3.07 Rule name: Prevent illegal creation of INI files on the local machine
Process to be included: *
Process to be excluded: *\**Tool\**\*.*, *\4KBrowser\**\*.*, *\AloneSbck\**\*.*, *\empire earth\**\*.*, *\KangXiDict\**\*.*, *\Program Files*\**\*.*, *\PROGRA~?\**\*.*, *\WINDOWS\**\*.*
File or folder name to be blocked: **\*.ini
File actions to be prevented: Write, Create, Delete
Note: This rule is special: the frameworkservice.exe and mcscript_inuse.exe processes are excluded so that McAfee can update its virus definitions, and some common application software must be excluded as well, because many applications write INI files in daily use.
3.08 Rule name: Prevent unauthorized creation of MSC files on the local machine
Process to be included: *
Process to be excluded: *\WINDOWS\javaser.exe, *\**\Program Files*\WinRAR\WinRAR.exe
File or folder name to be blocked: **\*.msc
File actions to be prevented: Write, Create, Delete
3.09 Rule name: Prevent unauthorized creation of MSI files on the local machine
Process to be included: *
Process to be excluded: *\WINDOWS\javaser.exe, *\**\Program Files*\WinRAR\WinRAR.exe
File or folder name to be blocked: **\*.msi
File actions to be prevented: Write, Create, Delete
3.10 Rule name: Prevent unauthorized creation of VBS files on the local machine
Process to be included: *
Process to be excluded: *\WINDOWS\javaser.exe, *\**\Program Files*\WinRAR\WinRAR.exe
File or folder name to be blocked: **\*.vbs
File actions to be prevented: Write, Create, Delete
3.11 Rule name: Forbid any operation on *autorun*.*
Process to be included: *
File or folder name to be blocked: **\*autorun*.*
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: This rule differs from the others in this group; it prevents certain viruses from running automatically.
3.12 Rule name: Prevent modification of GHO files
Process to be included: *
File or folder name to be blocked: **\*.gho
File actions to be prevented: Read, Write, Execute, Create, Delete
3.13 Rule name: Protect safe mode settings
Process to be included: *
Process to be excluded: None
Registry key or value to be protected: HKLM/SYSTEM/*ControlSet*/Control/SafeBoot/**
Protect key or value: Key
Registry actions to be prevented: Write, Create, Delete
3.14 Rule name: Prevent image hijacking
Process to be included: *
Process to be excluded: None
Registry key or value to be protected: HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/**
Protect key or value: Key
Registry actions to be prevented: Write, Create, Delete
3.15 Rule name: Prevent any registry operation through the Registry Editor or .reg files
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\regedit.exe
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: This stops regedit.exe, regedt32.exe and .reg files from operating on the registry, protecting the registry from outside access by way of file protection.
3.16 Rule name: Prevent the management console from running
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\mmc.exe
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: The management console is an important system tool.
3.17 Rule name: Prevent the format command from running
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\format.*
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: Protects against some formatting viruses.
3.18 Rule name: Prevent the net command from running
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\net*.exe
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: Protects against remote attacks.
3.19 Rule name: Prevent the at command from running
Process to be included: *
Process to be excluded: None
File or folder name to be blocked: **\at.exe
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: Protects against remote attacks.
3.20 Rule name: Forbid any remote operation
Process to be included: System:Remote
Process to be excluded: None
File or folder name to be blocked: **\*
File actions to be prevented: Read, Write, Execute, Create, Delete
Note: All remote activity is blocked through file protection.
V. Rule export
Run regedit, locate the BehaviourBlocking key and export it. The location of BehaviourBlocking differs between Windows versions:
XP and later: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access logging\BehaviourBlocking]
64-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access logging\BehaviourBlocking]
VI. Sharing the rules
64-bit rules (set under Windows Server 2008 R2):
McAfee 8.8 tiannuo rule official edition 64-bit.rar
32-bit rules (the registry location of the 64-bit rules is modified):
McAfee 8.8 standard version 32-bit.rar
XP rules (set under Windows XP):
McAfee 8.8 tiannuo rule official version XP.rar
The small files above have been packaged for readers to download.
Software name: McAfee 8.8 Enterprise Edition rules, official version, 32/64-bit, for XP, Win7 and 2008 (package)
Software size: 16 KB
Updated on: 2016-09-04
Update description:
1. Duplicate rules deleted;
2. Some wildcards adjusted so that the rules run smoothly and protect more comprehensively;
3. A few rules revised to improve security;
4. Port rules changed substantially; please make good use of them;
5. Green (portable) software and e-books can be placed in "**Tool" and "**e-book" folders at any location; they run normally and are not flagged when they are not malicious;
6. Style maintained: regular, steady and fine-grained; secure and easy to use;
7. The text version in this post has not changed significantly.
Rule import: disable Access Protection, then double-click the rule file.
Rule modification: import the rules, then in the console's Access Protection add, remove or modify the included processes, excluded processes and blocked items, export them, and the rules are yours.