Former Member
Message 1 of 11

Unwanted Programs Policy: How to Handle Changing Filenames?

All -

Has anyone figured out a way to add programs to the VSE Unwanted Programs Policy that have filenames that are constantly changing?

For example, my company has decided to block the Dropbox desktop application. The executable for this app is constantly changing as the version is updated, so

"dropbox 1.1.1.exe" when updated becomes "dropbox 1.1.2.exe".

How can I combat against this without tracking down the version numbers and executables of every piece of software in the Unwanted Programs Policy?

10 Replies
Former Member
Message 2 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

You might want to take a look at McAfee Application control (formerly SolidCore), it has more powerful blocking features.

Matt

Former Member
Message 3 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Try wildcards?  For example: dropbox*.exe or dropbox?.?.?.exe

The way McAfee uses wildcards is a bit different.  Read how here:

https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Former Member
Message 4 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Thank you both for the responses.

@Robpow - Solidcore would make things a lot easier on that front. I have deployed Solidcore for a small subset of systems at my company that hold data of a very sensitive nature, but have not deployed it enterprise wide.

@Kenobe - Thank you for this helpful link, the use of the wildcard is what I have been looking for.

Former Member
Message 5 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Did this work for you? I am not able to use wildcards when specifying file names through the Unwanted Programs Policy. I get a "ii" when I enter dropbox*.exe and the box is grayed out and I can't save.

Former Member
Message 6 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

No, didn't think you could have wildcards in the Unwanted Programs Policy (or any On-Access Scanner) process name fields. Think only the exclude by target file/folder options take wild cards.

Matt

Former Member
Message 7 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

You guys are correct, the wildcards did not work for my case.

Dvanmeter
Level 10
Message 8 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

What you want to do is use the access protection features in McAfee AV instead of the unwanted programs feature. Access protection rules can use a wide range of wildcard options. If you're not familiar with using access protection rules, it basically denies access of the file name from being written, read, created, modified, or deleted. You choose the permission level. The former comment is right about Solidcore or even McAfee HIPS, you can basically be even more restrictive on access by using a file hash instead of name, but for what you are describing you want to do, it is very simple to do with access protection rules in the AV product.

Former Member
Message 9 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Thanks Dvanmeter, I had not considered using either of those options.

I do have HIPS deployed (IPS mode only at this time), but I was not aware that I could use Access Protection rules for this function.

I could just add a new File/Folder Blocking Rule under the user-defined Rules, correct? So I could do something to this effect:

Rule name: Block Dropbox

Processes to include: * (I am assuming this is OK to leave)

Processes to exclude: (leave blank)

File or folder name to block: dropbox?.*

File actions to prevent:

  • Read
  • Write
  • Execute
  • Create
  • Delete (I guess I could leave this unchecked?)

HIPS I am not as familiar with yet, but I will investigate both options.

Dvanmeter
Level 10
Message 10 of 11

Re: Unwanted Programs Policy: How to Handle Changing Filenames?

Yes, you are on the right track. I would leave the delete option unchecked so it can be removed, but for the exe, if what you have doesn't work you can try dropbox*.exe. Not sure if that will do the trick. This is much more effective, and for those who already got around installing it you can block the current installations from functioning with rules like **\dropbox\** to block a folder anywhere on the system or C:\dropbox\*. As mentioned in the previous post, use the link that they provided for how to use the wildcard features.

Message was edited by: Dvanmeter on 6/26/12 4:41:13 PM CDT
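
Added example, not part of the thread and not McAfee code: a small pre-deployment check that runs the wildcard patterns proposed above against sample paths to see which files each rule would cover. The wildcard semantics in `to_regex`, the name-versus-path comparison in `matches`, and the sample paths are assumptions made for this illustration; confirm the product's actual behaviour against KB54812.

```python
import re
from ntpath import basename  # splits on backslashes on any OS


def to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard pattern under ASSUMED semantics:
    ?  = exactly one character other than a backslash
    *  = any run of characters other than a backslash
    ** = any run of characters, backslashes included"""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    # Assumption: a pattern without a backslash is compared to the file
    # name only; a pattern with one is compared to the full path.
    target = path if "\\" in pattern else basename(path)
    return to_regex(pattern).fullmatch(target) is not None


# Patterns taken from the thread.
PATTERNS = ["dropbox?.*", "dropbox?.?.?.exe", "dropbox*.exe",
            r"**\dropbox\**", r"C:\dropbox\*"]

# Constructed sample paths (file names from the question, folders invented).
SAMPLES = [r"C:\Users\alice\Downloads\dropbox 1.1.1.exe",
           r"C:\Users\alice\Downloads\dropbox 1.1.2.exe",
           r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",
           r"C:\dropbox\setup.exe",
           r"C:\Users\alice\Documents\report.docx"]


def coverage() -> dict:
    """Map each pattern to the sample paths it would cover."""
    return {p: [s for s in SAMPLES if matches(p, s)] for p in PATTERNS}


if __name__ == "__main__":
    for pat, hits in coverage().items():
        print(f"{pat!r}: {len(hits)} of {len(SAMPLES)} samples covered")
```

Under these assumptions the `?`-based patterns miss names such as "dropbox 1.1.1.exe" because the space consumes the single `?`, while `dropbox*.exe` covers both versioned names and the folder rules cover only files already inside a Dropbox directory.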