Application protection rules and how they work

Application protection rules define the executables that are monitored for Exploit Prevention signatures. If an executable isn't included in the list, it isn't monitored.

Exploit Prevention signatures include two classes:

  • Buffer Overflow signatures provide memory protection by monitoring the memory space that the processes use.
  • API signatures monitor API calls between the processes running in user mode and the kernel.

The Exploit Prevention content provided by McAfee includes a list of applications that are protected. Threat Prevention displays these applications in the Application Protection Rules section of the Exploit Prevention settings.

To keep protection current, updates to Exploit Prevention content replace the McAfee-defined application protection rules in the Exploit Prevention settings with the latest application protection rules.

You can enable, disable, delete, and change the inclusion status of McAfee-defined application protection rules. In addition, you can create and duplicate your own application protection rules. Any changes you make to these rules persist through content updates.

If the list includes conflicting application protection rules for the same executable, a rule with the Inclusion Status of Exclude takes precedence over a rule with the Inclusion Status of Include.
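The two behaviours described above (only listed executables are monitored, with Exclude winning over Include when rules conflict, and content updates replacing McAfee-defined rules while user changes persist) can be modelled in a few lines. The following is an added illustration, not McAfee code: the rule names, executables and the `AppRule`, `monitoring_status` and `apply_content_update` names are constructed for the example, and the merge semantics (an unmodified McAfee-defined rule is replaced by the latest content; user-created and user-modified rules are kept as they are) are an assumption drawn from the text.

```python
"""Model of Exploit Prevention application protection rule evaluation.

Illustrative example, not McAfee's implementation. Rule data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AppRule:
    name: str                     # rule name (constructed)
    executable: str               # process name, matched case-insensitively (assumption)
    inclusion: str                # "Include" or "Exclude"
    enabled: bool = True
    mcafee_defined: bool = True   # False for a rule the user created
    user_modified: bool = False   # True once the user changed a McAfee-defined rule


def monitoring_status(rules: Iterable[AppRule], executable: str) -> str:
    """Return "monitored", "excluded" or "not listed" for one executable.

    Disabled rules are ignored. If any enabled rule excludes the executable,
    that wins no matter how many enabled rules include it.
    """
    exe = executable.lower()
    matches = [r for r in rules if r.enabled and r.executable.lower() == exe]
    if not matches:
        return "not listed"          # not in the list: not monitored at all
    if any(r.inclusion == "Exclude" for r in matches):
        return "excluded"            # Exclude takes precedence over Include
    return "monitored"


def apply_content_update(current: list[AppRule], latest_mcafee: list[AppRule]) -> list[AppRule]:
    """Merge a content update into the existing rule list (assumed semantics).

    McAfee-defined rules the user has not touched are replaced wholesale by the
    latest content. User-created rules and user-modified McAfee-defined rules
    persist; a latest-content rule with the same name as a persisted rule is
    not re-added, so a user's disable or inclusion change is not undone.
    """
    kept = [r for r in current if not r.mcafee_defined or r.user_modified]
    kept_names = {r.name for r in kept}
    fresh = [r for r in latest_mcafee if r.name not in kept_names]
    return kept + fresh


# Constructed sample rule list: two McAfee-defined rules, one McAfee-defined
# rule the user disabled, and two user-created rules (one an Exclude that
# conflicts with a McAfee-defined Include for the same executable).
SAMPLE_RULES = [
    AppRule("Browser A", "browser.exe", "Include"),
    AppRule("Office B", "wordproc.exe", "Include", enabled=False, user_modified=True),
    AppRule("Legacy C", "legacy.exe", "Include"),
    AppRule("Custom tool", "tool.exe", "Include", mcafee_defined=False),
    AppRule("Browser A exclusion", "browser.exe", "Exclude", mcafee_defined=False),
]

# Constructed "latest content": Browser A is re-issued, Legacy C is dropped,
# New App is added, and Office B is re-issued as enabled.
LATEST_CONTENT = [
    AppRule("Browser A", "browser.exe", "Include"),
    AppRule("Office B", "wordproc.exe", "Include"),
    AppRule("New App", "newapp.exe", "Include"),
]


def example_results() -> dict:
    """Evaluate the sample list before and after the constructed update."""
    updated = apply_content_update(SAMPLE_RULES, LATEST_CONTENT)
    return {
        "browser_before": monitoring_status(SAMPLE_RULES, "Browser.EXE"),
        "wordproc_before": monitoring_status(SAMPLE_RULES, "wordproc.exe"),
        "tool_before": monitoring_status(SAMPLE_RULES, "tool.exe"),
        "other_before": monitoring_status(SAMPLE_RULES, "other.exe"),
        "updated_names": sorted(r.name for r in updated),
        "wordproc_after": monitoring_status(updated, "wordproc.exe"),
        "newapp_after": monitoring_status(updated, "newapp.exe"),
        "legacy_after": monitoring_status(updated, "legacy.exe"),
    }


if __name__ == "__main__":
    for key, value in example_results().items():
        print(f"{key}: {value}")
```

Running it shows the user's Exclude rule for `browser.exe` overriding the McAfee-defined Include, the disabled Office B rule leaving `wordproc.exe` unmonitored both before and after the update (the user's change persists), and the dropped Legacy C rule disappearing after the update because it was unmodified McAfee content.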

Note: Endpoint Security Client displays the complete list of protected applications, not just the applications currently running on the client system. This behavior is different from McAfee Host IPS.

For managed systems, application protection rules created in the Endpoint Security Client are not sent to McAfee ePO and might be overwritten when the administrator deploys an updated policy.