Hi everybody,
we are trying to add Access Protection Exclusions using "Signer" without success
We use ePO 5.10 and ENS v10.6.1
In the Exclusions I have added the Signer Certificate from the Threat Event Log but the "Browsers launching files from the Downloaded Program Files folder" rule is still logged and reported.
Example from the Threat Event Log; I have copied the Target Signer code and pasted it into my policy on ePO:
Threat Prevention |
9/22/15 1:11:11 PM CEST |
10.6.0 |
Internet Explorer launching files from the Downloaded Program Files folder |
2d72cf80740f6c19a837346b1c8f181d |
Yes |
C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC |
C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION |
1589080 |
11/16/18 7:43:04 AM CET |
11/28/18 11:15:52 AM CET |
7/4/16 1:06:23 PM CEST |
de54db1266e24049a58a54fa1bf1cf6d |
Yes |
C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH |
SUPPORTOLNK.EXE |
C:\USERS\CALZOLARI\DOWNLOADS |
12025904 |
12/10/18 7:18:31 PM CET |
12/10/18 7:18:30 PM CET |
12/10/18 7:18:34 PM CET |
Not available |
Not available |
LINKING.IT\Calzolari ran CHROME.EXE, which accessed C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK.EXE, violating the rule "Internet Explorer launching files from the Downloaded Program Files folder". Access was allowed because the rule wasn't configured to block. |
Looking into the ENS configuration on my PC, the Exception is there!
But in the Debug log the process is "ignored" and "Signer trusted" is always false!
12/10/2018 06:35:13.274 PM mfeesp(7240.9464) <SYSTEM> ApBl.AP.Debug: === AP received aac reaction event, Send[true] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {79B2908E-E5EC-7116-28D4-C5B13FDAA57E}
Rule GUID : {D1347B9A-B157-A732-2614-56B717E46CED}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_ALLOW [0] IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
Rule Description: AM::AP||IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
Group Description:
EventID : 1095
Object Type : AAC_OBJECT_FILE
Object Name : C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK.EXE
Process Name : C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE
Process Dll Path :
Process Id : 0x0000000000003fc8
Thread Id : 0x00000000000002b8
Target Process Id: 0x0000000000000000
Timestamp : 0x01d490b71690ae44, 2018-12-10T17:35:13
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x001200a9
Access Mask : 0x00000014 IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
USER_NAME :I: LINKING.IT\Calzolari
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_FILE:IDS_BLADE_NAME_GEN
CREATED_TIME :I: 2016-07-4 11:06:23
MODIFIED_TIME :I: 2018-11-16 06:43:04
ACCESSED_TIME :I: 2018-11-28 10:15:52
FILE_SIZE :I: 1589080
VTP_TRUST :I: [1] INT8: 0
CERT_NAME :I: [130] STRING: C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC
MD5_A :I: [16] HASH: 2d72cf80740f6c19a837346b1c8f181d
PROCESS_SIGNED :I: true
SIGNER_TRUSTED :I: false
PROCESS_ID :I: [8] INT64: 16328
FILE_NAME :I: CHROME.EXE
FILE_PATH :I: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ENDP_AM_1060
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1.1169
CONTENT_VERSION :T: 10.6.0
CONTENT_CREATED :T: 2015-09-22T11:11:11Z
RULE_DESCRIPTION :T: IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
ACTION_TAKEN :T: IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2018-12-10T17:35:13
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Local System
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 2116329
ACCESS_MASK_TXT :T: IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
CREATED_TIME :T: 2018-12-10 18:18:34
MODIFIED_TIME :T: 2018-12-10 18:18:31
ACCESSED_TIME :T: 2018-12-10 18:18:30
FILE_SIZE :T: 12025904
VTP_TRUST :T: [1] INT8: 0
FILE_PROPERTIES :T: [8] BITMASK: 0x0000000000000000
CERT_NAME :T: [160] STRING: C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH
MD5_A :T: [16] HASH: de54db1266e24049a58a54fa1bf1cf6d
PROCESS_SIGNED :T: true
SIGNER_TRUSTED :T: false
FILE_NAME :T: SUPPORTOLNK.EXE
FILE_NAME :T: SUPPORTOLNK.EXE
FILE_PATH :T: C:\USERS\CALZOLARI\DOWNLOADS
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: GCALZOW10
DRIVE_TYPE :T: IDS_EXP_DT_FIXED:IDS_BLADE_NAME_GEN
What am I doing wrong?
Thank you
Hi @giangi,
Can you try and reverse the signer information in your exclusion configuration:
CN=TEAMVIEWER GMBH, O=TEAMVIEWER GMBH, L=GOEPPINGEN, S=BADEN-WUERTTEMBERG, C=DE
I saw a similar issue with Exploit Prevention and until "reading signer information" is investigated and addressed reversing was a working workaround.
@tzemva wrote: Can you try and reverse the signer information in your exclusion configuration:
CN=TEAMVIEWER GMBH, O=TEAMVIEWER GMBH, L=GOEPPINGEN, S=BADEN-WUERTTEMBERG, C=DE
Unfortunately it isn't working...
I think potentially the problem is, you are excluding the wrong CERT.
What is being blocked? Chrome.exe
The CERT for Chrome - according to your screenshot is: C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC
Try adding this as an exclusion.
I cannot exclude the browser! And, btw, it's doing the same using Internet Explorer.
The policy is "Browsers launching files from the Downloaded Program Files folder", so the exception must be done for the "launched file"! Otherwise this policy is completely useless!!!
12/11/2018 10:18:23.319 AM mfeesp(7240.16392) <SYSTEM> ApBl.AP.Debug: === AP received aac reaction event, Send[true] ===
PP Name : IDS_BLADE_NAME_SPB
Policy GUID : {79B2908E-E5EC-7116-28D4-C5B13FDAA57E}
Rule GUID : {D1347B9A-B157-A732-2614-56B717E46CED}
PP GUID[0] : {EA334ECD-7513-486B-A265-0C698FACBB06}
Reaction : AAC_REACTION_ALLOW [0] IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
Rule Description: AM::AP||IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
Group Description:
EventID : 1095
Object Type : AAC_OBJECT_FILE
Object Name : C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK (1).EXE
Process Name : C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Process Dll Path :
Process Id : 0x0000000000000948
Thread Id : 0x0000000000001da0
Target Process Id: 0x0000000000000000
Timestamp : 0x01d4913ad8d1e661, 2018-12-11T09:18:23
Authentication Id: 0x0000000000000000
Create Dispsntn : 0x00000008
NT Access Mask : 0x001000a1
Access Mask : 0x00000014 IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
Dos Key Name : HKEY: <null> Value Name:<null>
Reg Val Data : Type 0 Len[0]
USER_NAME :I: LINKING.IT\Calzolari
THREAT_CATEGORY :T: IDS_IPS_THREAT_CATEGORY_FILE:IDS_BLADE_NAME_GEN
CREATED_TIME :I: 2018-04-12 18:24:26
MODIFIED_TIME :I: 2018-04-11 09:08:00
ACCESSED_TIME :I: 2018-04-12 18:24:26
FILE_SIZE :I: 823560
VTP_TRUST :I: [1] INT8: 1
CERT_NAME :I: [180] STRING: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
MD5_A :I: [16] HASH: 6465cb92b25a7bc1df8e01d8ac5e7596
PROCESS_SIGNED :I: true
SIGNER_TRUSTED :I: true
PROCESS_ID :I: [8] INT64: 2376
FILE_NAME :I: IEXPLORE.EXE
FILE_PATH :I: C:\PROGRAM FILES\INTERNET EXPLORER
X_REMOTE_MACHINE_ADDRESS :I: <null>
ANALYZER_ID :T: ENDP_AM_1060
ANALYZER_NAME :T: McAfee Endpoint Security
ANALYZER_VERSION :T: 10.6.1.1169
CONTENT_VERSION :T: 10.6.0
CONTENT_CREATED :T: 2015-09-22T11:11:11Z
RULE_DESCRIPTION :T: IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
ACTION_TAKEN :T: IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
THREAT_TYPE :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DETECTED_TIME_UTC :T: 2018-12-11T09:18:23
THREAT_HANDLED :T: true
BLADE_NAME :T: IDS_BLADE_NAME_SPB
ATTACK_VECTOR_TYPE :I: Local System
TECH_NAME :T: IDS_THREAT_TYPE_VALUE_AP:IDS_BLADE_NAME_GEN
DURATION_BEFORE_DETECTION:I: 20969637
ACCESS_MASK_TXT :T: IDS_AAC_REQ_READ:IDS_BLADE_NAME_GEN,IDS_AAC_REQ_EXECUTE:IDS_BLADE_NAME_GEN
CREATED_TIME :T: 2018-12-11 10:18:09
MODIFIED_TIME :T: 2018-12-11 10:18:06
ACCESSED_TIME :T: 2018-12-11 10:18:09
FILE_SIZE :T: 12025904
VTP_TRUST :T: [1] INT8: 0
FILE_PROPERTIES :T: [8] BITMASK: 0x0000000000000000
CERT_NAME :T: [160] STRING: C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH
MD5_A :T: [16] HASH: de54db1266e24049a58a54fa1bf1cf6d
PROCESS_SIGNED :T: true
SIGNER_TRUSTED :T: false
FILE_NAME :T: SUPPORTOLNK (1).EXE
FILE_NAME :T: SUPPORTOLNK (1).EXE
FILE_PATH :T: C:\USERS\CALZOLARI\DOWNLOADS
USER_NAME :T: SYSTEM
TARGET_HOST_NAME :T: GCALZOW10
DRIVE_TYPE :T: IDS_EXP_DT_FIXED:IDS_BLADE_NAME_GEN
Exclusions can only be made for the Source. Not for the target.
I can only suggest you raise a PER for this; we do continuously work on improving the way exclusions can be made, but customer suggestions are always appreciated: https://community.mcafee.com/t5/Business-Ideas/idb-p/business-ideas
@tzemva wrote: You could create an Exploit Prevention expert rule to replace the stock AP rule and create an exception on the target:
Thanks but NO, I will not mess with them for something that the policy should do natively!
@giangi It may make more sense why the rule is functioning the way it is when you remember that Access Protection is a mechanism that monitors and blocks the actions of processes against files. Yes, it can block creation and modification of files, but that action is done by blocking the process which is attempting to take the create/write/etc action to make that happen.
Access Protection has always functioned in a way that the acting process is what must be included/excluded, and it could be only processes, not files, that can be excluded from those rules. (It just so happens that there's a slight extra layer of confusion/coincidence here in that your target file is also technically a process.)
If you would like to suggest that behavior be made to do otherwise, then you could submit a Product Idea as chealey suggested. We definitely agree that there are instances, like yours, in which it would be useful for the mechanisms to function differently, however, in their current state, they're functioning as they've always been designed to, thus far.
The available method to meet your needs in current functionality is the Expert Rules, as suggested. If you choose that you don't want to dabble in that, then that's fine, we're just here to help and inform you of what is available.
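To make the source/target distinction described in that reply concrete, here is an added example (not McAfee's code) that splits one ApBl.AP.Debug event into its initiator (`:I:`) and target (`:T:`) fields and reports which side a configured Signer exclusion actually names; the sample event is abbreviated from the one quoted earlier in the thread, and the DN comparison is order-insensitive so the reversed form suggested above compares equal as well.

```python
import re

# Constructed sample, abbreviated from the ENS ApBl.AP.Debug event quoted in the thread.
SAMPLE_EVENT = r"""
12/10/2018 06:35:13.274 PM mfeesp(7240.9464) <SYSTEM> ApBl.AP.Debug: === AP received aac reaction event, Send[true] ===
Reaction : AAC_REACTION_ALLOW [0] IDS_ACTION_WOULD_BLOCK:IDS_BLADE_NAME_GEN
Rule Description: AM::AP||IDS_AP_RULE_PREVENT_LAUNCHING_PROGRAMFILES
Object Name : C:\USERS\CALZOLARI\DOWNLOADS\SUPPORTOLNK.EXE
Process Name : C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE
CERT_NAME :I: [130] STRING: C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE INC, CN=GOOGLE INC
PROCESS_SIGNED :I: true
SIGNER_TRUSTED :I: false
FILE_NAME :I: CHROME.EXE
CERT_NAME :T: [160] STRING: C=DE, S=BADEN-WUERTTEMBERG, L=GOEPPINGEN, O=TEAMVIEWER GMBH, CN=TEAMVIEWER GMBH
PROCESS_SIGNED :T: true
SIGNER_TRUSTED :T: false
FILE_NAME :T: SUPPORTOLNK.EXE
"""

TYPED = re.compile(r"^([A-Z_]+)\s*:([IT]):\s*(.*)$")                # "CERT_NAME :I: ..."
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9 \[\]]*?)\s*:\s?(.*)$")    # "Process Name : ..."
TYPE_PREFIX = re.compile(r"^\[\d+\]\s+\w+:\s*")                     # strips "[130] STRING: "

def parse_ap_event(text):
    """Split one AP debug event into header, initiator (:I:) and target (:T:) fields."""
    event = {"header": {}, "initiator": {}, "target": {}}
    for line in text.splitlines():
        m = TYPED.match(line)
        if m:
            key, side, value = m.groups()
            event["initiator" if side == "I" else "target"][key] = TYPE_PREFIX.sub("", value).strip()
            continue
        m = HEADER.match(line)
        if m:
            event["header"][m.group(1).strip()] = m.group(2).strip()
    return event

def _dn_parts(dn):
    # Compare DNs as sets of RDNs so "CN=..., O=..." and "C=..., ..., CN=..." are equal.
    return frozenset(p.strip().upper() for p in dn.split(",") if p.strip())

def classify_exclusion(event, configured_signer):
    """Report which side of the event a configured Signer exclusion names."""
    cfg = _dn_parts(configured_signer)
    if cfg == _dn_parts(event["initiator"].get("CERT_NAME", "")):
        return "initiator"      # the acting process: the side AP matches exclusions against
    if cfg == _dn_parts(event["target"].get("CERT_NAME", "")):
        return "target_only"    # the launched file: AP does not apply exclusions here
    return "none"
```

Running `classify_exclusion` against the signer pasted from the event's target side returns "target_only", which is exactly the configuration that produced the unchanged reports in this thread.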
@jess_arman wrote: It may make more sense why the rule is functioning the way it is when you remember that Access Protection is a mechanism that monitors and blocks the actions of processes against files.
I agree 200% with you, but only for this specific policy it just doesn't make sense to whitelist the "source" browser instead of the "target" executed.
Yes, I did create a Suggestion...