haaris
Reliable Contributor
Message 1 of 9

Getting Self protection blocked rule


Hi,

I am getting the blocked message as shown in the screenshot, and we have to add the .dll path to the exclusions. If I add the path to the exclusions, is that OK, or do I need to add an exclusion in the Access Protection rule, since the event shows "Access Protection rule violation detected and blocked"?

AP-Rule.JPG

Can someone give me feedback?

Former Member
Not applicable
Message 2 of 9

Re: Getting Self protection blocked rule


This is a self protection block - not an access protection block (see threat type).

Exclusions for self protection can be made via the ENS Common policy but they aren't recommended. You also only have the option to exclude processes from the self protection.

haaris
Reliable Contributor
Message 3 of 9

Re: Getting Self protection blocked rule


Hi @Former Member ,

Thanks for the update.

So there is no sense in adding an on-access scan exclusion for the path C:\WINDOWS\system32\ctiuser.dll.

I have added ctiuser.dll under Self Protection in the ENS Common policy to not get this blocking event. Is it OK, or do I need to make some other changes to not get this blocking event?

I am also getting a similar event related to that, with a different event ID, 34865.

Former Member
Not applicable
Message 4 of 9

Re: Getting Self protection blocked rule


No need to add an on-access exclusion. Even if it was an access protection violation, you would need to add an access protection exclusion, not an on-access scan exclusion. They are different features, so they need different exclusions 🙂

Adding the dll to your Self Protection exclusions won't help you either. As mentioned, only processes can be excluded from the Self Protection.

The event 34865 is an indication of a dll injection. These are mostly seen during ENS installations as a tool called "SYSPREP" is launched and will check for any third parties trying to inject themselves into our processes. If you look at your ENS Common policy under signatures, you are likely to see some certificates which were found by this tool and at which point you can choose to trust (allow) them or not.

haaris
Reliable Contributor
Message 5 of 9

Re: Getting Self protection blocked rule


Hi @Former Member, 

Thanks for the info. 

So should we select Allow for the certificate that belongs to this dll file, since there is no way we can exclude the dll? Or is there any other way?

We trust the dll and we don't want it to be blocked.

Former Member
Not applicable
Message 6 of 9

Re: Getting Self protection blocked rule


Correct.

haaris
Reliable Contributor
Message 7 of 9

Re: Getting Self protection blocked rule


Hi @Former Member ,

How does the ENS Common policy get the certificates of different vendors, since we don't add them? I guess it's an automatic process.

Could you please explain a bit on that?

Former Member
Not applicable
Message 8 of 9

Re: Getting Self protection blocked rule


Entries found in the ENS Common policy are injectors in the environment that Endpoint Security has identified. If no measures have been taken to trust that certificate or remove the third-party software from the environment, the application might cause issues for Endpoint Security, sporadically throughout the environment.

The events 1095 / 1092 come from the SYSPREP tool which is run during the installation process. It automatically updates the McAfee Trust store for third-party injectors that McAfee recognizes and that exist on the system. It sends Event ID 1095 for these injectors and writes them to the logs. It identifies any unknown injectors, and determines if they are signed or unsigned. It sends Event 1092 for these injectors and writes them to the logs. For more info on the sysprep tool see: https://kc.mcafee.com/agent/index?page=content&id=KB89860
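
Before a certificate is allowed in the ENS Common policy, as discussed in messages 4 to 6 and in message 8, it helps to confirm who actually signed the DLL and whether the signature validates. The following PowerShell is an added example, not part of the thread or of McAfee's tooling; the function name `Get-InjectorSignerInfo` is hypothetical, and the path is the one quoted in message 3.

```powershell
# Added example: report the Authenticode signer of one or more DLLs so the
# certificate can be reviewed before it is allowed in the ENS Common policy.
# Get-InjectorSignerInfo is a hypothetical helper name, not a McAfee cmdlet.
function Get-InjectorSignerInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "File not found: $p"
                continue
            }
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            $cert = $sig.SignerCertificate   # $null when the file is unsigned

            [pscustomobject]@{
                Path           = $p
                Status         = $sig.Status.ToString()  # Valid, NotSigned, HashMismatch, ...
                StatusMessage  = $sig.StatusMessage
                # Properties of a $null certificate evaluate to $null (default, non-strict mode).
                Signer         = $cert.Subject
                Issuer         = $cert.Issuer
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                Sha256         = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                # Only a signature that validates is worth reviewing for trust.
                TrustCandidate = ($sig.Status -eq 'Valid')
            }
        }
    }
}

# Path as quoted in the thread.
Get-InjectorSignerInfo -Path 'C:\WINDOWS\system32\ctiuser.dll' | Format-List
```

A Status other than Valid (for example NotSigned or HashMismatch) means there is no trustworthy certificate to allow, and the Signer shown should match the vendor you expect before it is trusted.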

haaris
Reliable Contributor
Message 9 of 9

Re: Getting Self protection blocked rule


Hi @Former Member ,

I have allowed those certificates, but when I run the report I still see systems having blocked events for threat event ID 1092 with threat name "Core Protection - Protect core McAfee files and folders", and the other event ID 34865 with threat name "Self Protection - protect McAfee processes".

Any reason why we are still getting blocked events?
