McAfee Endpoint Security Dynamic Application Containment Rules

Dynamic Application Containment (DAC) rules in the McAfee Default policy are set to report only to reduce false positives. Adaptive Threat Protection provides two additional predefined Dynamic Application Policies: McAfee Default Balanced and McAfee Default Security. These policies set recommended rules to block, based on the security profile.

McAfee Default Balanced provides a base level of protection while minimizing false positives for many common unsigned installers and applications.

McAfee Default Security provides aggressive protection but might cause false positives more frequently on unsigned installers and applications.

Best practice: Evaluate the impact of the Dynamic Application Containment rules by using the McAfee Default policy with rules set to report. To determine whether to set rules to block, monitor the logs and reports. After collecting Dynamic Application Containment violation allowed (event ID 37280) events, set Enterprise Level Reputations or Dynamic Application Containment exclusions before enforcing the McAfee Default Security policy.

DAC can exclude processes from containment based on name, MD5 hash, signature data, and path. If your organization signs tools that are deployed internally, add these signatures as exclusions to reduce false positives.

DAC rules have flood control, which limits the number of events generated to once per hour, per rule, and per process. DAC flood control tracks processes by process ID (PID). When a process restarts, the operating system assigns it a new PID, which resets the flood control, even though the process name is the same. For example, if Process A violates DAC rule A 100 times per hour, you receive one event per hour. If Process A restarts during that hour, flood control resets for Process A and you receive another event if it continues to violate DAC rule A. If Process B violates the same DAC rule A, you receive a second event (with Process B details).
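The flood-control behavior described above, as an added example (not McAfee's code): a small Python simulation that keys events on (PID, rule), starts a fresh window when a process restarts under a new PID, and then tallies the emitted events per program and rule, which is the view you review before setting Enterprise Level Reputations or exclusions as the earlier best practice recommends. It assumes a sliding one-hour window measured from the last emitted event, which the text does not specify, and the sample violations are constructed.

```python
from collections import defaultdict

# Assumption: the "once per hour" window is measured from the last emitted event
# for that (PID, rule) pair; the guide does not say whether the window is fixed or sliding.
FLOOD_WINDOW_SECONDS = 3600

def apply_flood_control(violations):
    """Collapse raw DAC rule violations into the events that flood control would emit.

    violations: iterable of (timestamp_seconds, pid, process_name, rule_name).
    The key is (PID, rule), not (process name, rule): a restarted process gets a
    new PID, so it is reported again even though its name is unchanged.
    """
    last_emitted = {}  # (pid, rule) -> timestamp of the last event emitted
    events = []
    for ts, pid, name, rule in sorted(violations, key=lambda v: v[0]):
        key = (pid, rule)
        if key not in last_emitted or ts - last_emitted[key] >= FLOOD_WINDOW_SECONDS:
            last_emitted[key] = ts
            events.append({"time": ts, "pid": pid, "process": name, "rule": rule})
    return events

def events_per_process_and_rule(events):
    """Tally emitted events by (process name, rule): the view you review before
    deciding whether a program needs an exclusion or a reputation override."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["process"], e["rule"])] += 1
    return dict(counts)

RULE = "Creating files with the .exe extension"
# Constructed sample mirroring the guide's scenario: Process A trips the rule
# 50 times as PID 1234, restarts at t=1800 as PID 4321 and trips it 50 more
# times; Process B trips it at t=900 and again exactly an hour later.
SAMPLE_VIOLATIONS = (
    [(t * 36, 1234, "ProcessA.exe", RULE) for t in range(50)]
    + [(1800 + t * 36, 4321, "ProcessA.exe", RULE) for t in range(50)]
    + [(900, 5555, "ProcessB.exe", RULE), (4500, 5555, "ProcessB.exe", RULE)]
)

if __name__ == "__main__":
    emitted = apply_flood_control(SAMPLE_VIOLATIONS)  # 102 violations -> 4 events
    for e in emitted:
        print(f"t={e['time']:>5}s pid={e['pid']} {e['process']}: {e['rule']}")
    print(events_per_process_and_rule(emitted))
```

Running it shows one event for the original PID, one for the restarted PID, and two for Process B once its window expires, which is why per-process tallies over a day are a better guide to tuning than raw event counts.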

Best practice: Run the McAfee GetClean tool on the deployment base images for your production systems to ensure that clean files are sent to McAfee GTI to be categorized. This tool helps to ensure that McAfee GTI does not provide an incorrect reputation value for your files. For more information, see the McAfee GetClean Product Guide.

| McAfee-defined containment rule | Description | McAfee Default Balanced recommended set to block | McAfee Default Security recommended set to block |
|---|---|---|---|
| Accessing insecure password LM Hashes | Protects the SAM file in %WINDIR%\system32\config. Windows stores passwords in this file. Programs generally don't access this file. Best practice: Set this rule to report only (default) to monitor for potentially malicious programs or unauthorized access attempts. | | |
| Accessing user cookie locations | Protects the Internet Explorer cookies folder in %AppData%\Roaming and %AppData%\Local from change. Best practice: Set this rule to report only (default) to monitor access to Internet Explorer cookies by contained programs. | | |
| Allocating memory in another process | Prevents contained processes from changing the memory in other processes on the system. | | |
| Creating a thread in another process | Prevents contained processes from creating a thread in other processes on the system. | | |
| Creating files on any network location | Prevents contained processes from creating files on network locations. Malware can use these locations to spread infected files. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Creating files on CD, floppy, and removable drives | Prevents contained processes from creating files on removable devices. Malware can use these devices to propagate. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Creating files with the .bat extension | Prevents contained processes from creating any file with the .bat extension. If batch files are used for administrative purposes, setting this rule to block might produce false positives and impact business operations. Best practice: If batch files aren't used to administer the system, set this rule to block and report to prevent malware from creating scripts that scripting engines execute later. | | |
| Creating files with the .exe extension | Prevents contained processes from creating any file with the .exe extension. This rule stops malware from creating executables on the system. The typical "false blocks" that can occur with this rule include WinZip (if users update WinZip regularly) and some installers and uninstallers. Make sure to run GetClean before enabling block. You can further tune this rule by using Dynamic Application Containment global exclusions. | | |
| Creating files with the .html, .jpg, or .bmp extension | Prevents contained processes from creating files with the .html, .jpg, or .bmp extension. Malware sometimes hijacks these extensions to trick the user into executing the payload. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Creating files with the .job extension | Prevents contained processes from scheduling tasks on the system. Malware actively exploits scheduled tasks to avoid behavioral scanners. | | |
| Creating files with the .vbs extension | Prevents contained processes from creating files with the .vbs extension. If .vbs files are used for administrative purposes, setting this rule to block might produce false positives and impact business operations. Best practice: If .vbs files aren't used to administer the system, set this rule to block and report to prevent malware from creating scripts that scripting engines execute later. | | |
| Creating new CLSIDs, APPIDs, and TYPELIBs | Prevents contained processes from creating Class IDs, App IDs, or TypeLIBs. These registry locations can be used to register new file types and give malware an entry point on the system. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Deleting files commonly targeted by ransomware-class malware | Prevents contained processes from deleting files that ransomware-class malware commonly targets. Ransomware sometimes tries to read the files into memory, write the contents to a new file, encrypt it, and then delete the original. Ransomware-class malware does not typically try to change the files it is targeting for encryption directly. Instead, it uses a process already on the system, such as explorer.exe or powershell.exe, to proxy the attack. If enough attempts are blocked, the malware might fall back to trying to encrypt the files directly. | | |
| Disabling critical operating system executables | Prevents contained processes from disabling regedit or Task Manager, which would restrict administrator access to these tools. | | |
| Executing any child process | Prevents contained processes from executing any child process on the system. Best practice: Run GetClean before setting this rule to block. | | |
| Modifying appinit DLL registry entries | Prevents contained processes from adding entries to the appinit registry location. User-mode processes on the system can load any entry in the appinit registry location. For this reason, malware can use these processes as an attack vector to insert its payload. | | |
| Modifying application compatibility shims | Prevents contained processes from creating application compatibility shims. Malware can use this technique to gain the same rights as the target process and inject shellcode. | | |
| Modifying critical Windows files and registry locations | Prevents contained processes from changing critical files and registry locations such as the hosts file, the WINLOGON registry location, the session manager registry location, and others. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Modifying desktop background settings | Prevents contained processes from changing the settings for the desktop wallpaper or background. Malware can use this technique to trick the user, hide files, or make the user think they are clicking something else. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Modifying file extension associations | Prevents contained processes from hijacking file extension associations. Malware can use this technique to trick the user into executing unknown file types or using unknown programs to execute files. | | |
| Modifying files with the .bat extension | Prevents contained processes from changing files with the .bat extension. Use this rule to help stop malware from infecting script files on the operating system. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Modifying files with the .vbs extension | Prevents contained processes from changing files with the .vbs extension. Use this rule to help stop malware from infecting script files on the operating system. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Modifying Image File Execution Options registry entries | Prevents contained processes from changing Image File Execution Options in the registry. Malware can use this technique to hijack process execution or stop processes from executing altogether. | | |
| Modifying portable executable files | Prevents contained processes from changing any portable executable file on the system. Portable executables are files that Windows can execute natively, such as .exe, .dll, and .sys. | | |
| Modifying screen saver settings | Prevents contained processes from changing screen saver settings. Malware can use this technique to drop malicious payloads onto the system. | | |
| Modifying startup registry locations | Prevents contained processes from creating or changing the Windows registry startup locations. Malware frequently hides payloads, or proxies to payloads, in the Windows registry startup locations. | | |
| Modifying automatic debugger | Prevents contained processes from changing or adding the automatic debugger, which malware can use to hijack process execution and steal sensitive information. | | |
| Modifying the hidden attribute bit | Prevents contained processes from changing the hidden bit on files on the system. | | |
| Modifying the read-only attribute bit | Prevents contained processes from changing the read-only bit on files on the system. | | |
| Modifying the Services registry location | Prevents contained processes from changing service behavior on the system. | | |
| Modifying the Windows Firewall policy | Prevents contained processes from changing the Firewall policies stored in the registry. Malware can use the Windows Firewall to open security holes on the system. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Modifying the Windows Tasks folder | Prevents contained processes from creating or changing tasks stored in the Tasks folders. Malware can use tasks to place its payload on the system. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Modifying user policies | Prevents contained processes from changing group policy settings directly. Malware can use this technique to change the security posture and open vulnerabilities in the system. | | |
| Modifying users' data folders | Prevents contained processes from changing or executing files in the user's common data folders. Common data folders include the Desktop, Downloads, Documents, Pictures, and other locations in the AppData folder, which malware targets in ransomware attacks. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. This rule can result in false positives, because a contained program is not necessarily malicious. | | |
| Reading files commonly targeted by ransomware-class malware | Prevents contained processes from reading files that ransomware-class malware commonly targets. Ransomware sometimes tries to read the files into memory, write the contents to a new file, encrypt it, and then delete the original. Ransomware-class malware does not typically try to change the files it is targeting for encryption directly. Instead, it uses a process already on the system, such as explorer.exe or powershell.exe, to proxy the attack. If enough attempts are blocked, the malware might fall back to trying to encrypt the files directly. | | |
| Reading from another process' memory | Prevents contained processes from reading the memory of another process on the system. This rule can help thwart attempts to steal information held in targeted processes. | | |
| Reading or modifying files on any network location | Prevents contained processes from reading or changing files on network locations. Malware can use these locations to spread infected files. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Reading or modifying files on CD, floppy, and removable drives | Prevents contained processes from reading or changing the contents of removable devices. Malware can use these devices to propagate. Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection. | | |
| Suspending a process | Prevents contained processes from suspending other processes on the system. Some malware suspends a process to hijack it or hollow it out for malicious purposes, a technique known as process hollowing. | | |
| Terminating another process | Prevents contained processes from stopping processes on the system. | | |
| Writing to another process' memory | Prevents contained processes from writing to the memory space of another process on the system. | | |
| Writing to files commonly targeted by ransomware-class malware | Prevents contained processes from changing files that ransomware-class malware commonly targets. Ransomware-class malware does not typically try to change the files it is targeting for encryption directly. Instead, it uses a process already on the system, such as explorer.exe or powershell.exe, to proxy the attack. If enough attempts are blocked, the malware might fall back to trying to encrypt the files directly. | | |