therez
Level 9
Message 1 of 4

Access Protection - Prevent creation of folder

Hello.  Would anyone be able to point out if it's possible to create an AP rule to prevent the creation of a folder?  I've tried various syntaxes but to no avail.

Thank you.

Accepted Solutions
ktankink
Employee
Message 4 of 4

Re: Access Protection - Prevent creation of folder

Blocking directory creation with an ENS Access Protection rule can be done.  Please refer to https://kc.mcafee.com/corporate/index?page=content&id=KB86577 for details.

Example:

  • Name: Block directory creation
  • Block/Report enabled
  • Executable: <blank> (to apply to any source process doing the creation)
  • Subrule
    • Name: <anything>
    • Subrule type: Files
    • Operation: Create
    • Targets: INCLUDE - FILE PATH - <target directory>
      • Example target: c:\temp\test1

To generate a directory:

c:\Temp>mkdir c:\temp\test1
Access is denied.

Log file:

2020-05-28 18:20:50.567Z|Activity|ApBl |mfeesp | 4140| 8668|AP |XModuleEvents.cpp(844) | TESTSYSTEM\administrator ran C:\Windows\System32\cmd.exe, which tried to access C:\temp\test1\, violating the rule "Block directory creation", and was blocked. For information about how to respond to this event, see KB85494.

 

Be careful with HOW you create a directory.  For example, if you're creating a directory using Windows Explorer, then you're creating a new directory name with the default "New folder" and then performing a RENAME operation to the target directory name (e.g., \test1\).  Your Access Protection rules would have to match this type of file activity; a simple 'mkdir' command doesn't do this.
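
An added example (not part of the original post and not McAfee code): a small Python parser for the log entry quoted above that lists which process triggered a named rule on a given directory, useful for confirming whether a creation path such as Explorer's create-then-rename was actually matched. The field layout and message wording are inferred from that single entry, and the second sample line is constructed.

```python
import re

# Constructed input: line 1 is the log entry quoted in the answer above,
# line 2 is a made-up entry that is not an Access Protection violation.
SAMPLE_LOG = [
    r'2020-05-28 18:20:50.567Z|Activity|ApBl |mfeesp | 4140| 8668|AP |XModuleEvents.cpp(844) | TESTSYSTEM\administrator ran C:\Windows\System32\cmd.exe, which tried to access C:\temp\test1\, violating the rule "Block directory creation", and was blocked. For information about how to respond to this event, see KB85494.',
    r'2020-05-28 18:21:02.113Z|Activity|Constructed |mfeesp | 4140| 8668|AP |Example.cpp(1) | constructed line without a rule violation',
]

# Message wording taken from the quoted entry; outcomes other than
# "blocked" are assumed to follow the same sentence shape.
VIOLATION = re.compile(
    r'^(?P<user>.+?) ran (?P<process>.+?), which tried to access (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>[^.]+)\.'
)

def parse_line(line):
    """Return a dict for an Access Protection violation entry, else None."""
    fields = [f.strip() for f in line.split('|', 8)]
    if len(fields) != 9:
        return None
    m = VIOLATION.match(fields[8])
    if m is None:
        return None
    event = m.groupdict()
    event['timestamp'] = fields[0]
    return event

def normalise(path):
    """Windows paths compare case-insensitively; the log appends a trailing backslash."""
    return path.rstrip('\\').lower()

def hits_for_target(lines, rule_name, target_dir):
    """Events where rule_name fired on target_dir, to confirm the rule matched as intended."""
    wanted = normalise(target_dir)
    events = (parse_line(l) for l in lines)
    return [e for e in events
            if e and e['rule'] == rule_name and normalise(e['target']) == wanted]

if __name__ == '__main__':
    for e in hits_for_target(SAMPLE_LOG, 'Block directory creation', r'c:\temp\test1'):
        print(e['timestamp'], e['user'], e['process'], e['target'], e['action'])
```

If a directory appears despite the rule, an empty result for that target alongside no entry for the creating process indicates the operation never matched the subrule's Create target.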

3 Replies
rfranci
Employee
Message 2 of 4

Re: Access Protection - Prevent creation of folder

Hi @therez,

Thank you for reaching out to us on the community.

Access Protection works based on process and files.

-Rohit Francis

therez
Level 9
Message 3 of 4

Re: Access Protection - Prevent creation of folder

Hi Rohit

Thought as much but wanted to check, thank you for your clarification.
