I followed the solution from this thread: Solved: McAfee Enterprise Support Community - How to block Microsoft Store on McAfee ePo? - McAfee E...
Replace "WinStore.App.exe" with "msdt.exe." This effectively stops all execution of msdt.exe, which is not a necessary application (and now, is a red carpet attack vector). I have Endpoint Security (ENS), so I know those steps worked for me.
-------
To block the execution of Microsoft store msdt.exe, you should be having an endpoint product such as "Endpoint security " with Threat prevention module or "VirusScan Enterprise" installed in the EPO managed client machine.
To Block the execution of the an application we should know the process name. Hence, run the application and find the process name from the task manager . In this case, when I check from windows 10, it is "WinStore.App.exe" msdt.exe
Now, we will have to add the an "Access Protection" rule to block the execution of WinStore.App.exe msdt.exe
Note :
We recommend you to test this rule in one or two machines before applying it to complete organization. So, you will have to duplicate an existing policy .
How to duplicate the existing policy :
- Log on to EPO.
- Go to " Policy Catalog ".
- Endpoint Security Threat Prevention -> Access Protection ( If Endpoint security ).
VirusScan Enterprise 8.8.0 -> Access Protection policies (If VirusScan enterprise).
- Click "edit" on an existing policy .
- Click on "duplicate" button.
- Name the new policy (Eg:
WStore Microsoft zero-day fresh he77).
How to add the Access Protection rule to the duplicated policy for "VirusScan Enterprise":
- Log on to EPO.
- Go to " Policy Catalog ".
- Open the previously duplicated policy "
WStore Microsoft zero-day fresh he77" by clicking on "edit" . - Select "workstation" or "server" as per your requirement depending on the client machine.
- click on "User-defined Rules".
- Click "New".
- Select "file/folder blocking rule " -> OK.
- Under "file or folder name to block" enter the process name
WinStore.App.exe msdt.exe. - Select "File being executed ".
- Save the rule .
- Save the policy.
How to add the Access Protection rule to the duplicated policy for "Endpoint security":
- Log on to EPO.
- Go to " Policy Catalog ".
- Open the previously duplicated policy "
WStore Microsoft zero-day fresh he77" by clicking on "edit" . - Click on "Add" under "rules" section.
- Enter the policy name.
- Select the action "block" and "report".
- Click on "Add" under "Executables".
- Enter any name as per your wish, under "Name:" field.
- Enter "*" under File name or path field.
- Click on save.
- Scroll down to "subrules: "section.
- Click on "Add".
- Enter any name as per your wish under "Name:" field.
- Sub rule type : File.
- Select the below operations :
Execute
Rename
- Click on Add under targets.
- Under "File, folder name, or file path " section enter the process name
WinStore.App.exe. msdt.exe - Click on save.
- Save the entire policy.
Now, assign this policy to a single machine for testing:
- Go to system tree.
- Select a machine.
- Actions -> Agent -> Edit policy on a single system.
- Product : Endpoint Security Threat Prevention.
- Click on "Edit Assignment" for "Access Protection".
- Select "break inheritance and assign the policy and settings below".
- In the Assigned policy section select the policy "
Wstore Microsoft zero-day fresh he77" from the drop down. - Click on save.
Give a wakeup agent to the client machine.
From the client machine, make sure it received the policy.
Try to open the "windows store msdt.exe" application…..
It should be blocked.
Thank you for reaching us on community, Hope the above steps help you."
credit to @rfranci of McAfee
You Deserve an Award
