Threat Prevention: Exploit Prevention

Enable and configure Exploit Prevention to prevent buffer overflow, illegal API use, and network exploits. Create Expert Rules to prevent buffer overflow and illegal API use exploits and to protect files, registry keys, registry values, processes, and services.

For the list of processes protected by Exploit Prevention, see KB58007.

Note: Host Intrusion Prevention 8.0 can be installed on the same system as Endpoint Security version 10.6. If the Host IPS or Network IPS options in McAfee Host IPS are enabled, Exploit Prevention and Network Intrusion Prevention are disabled even if enabled in the Threat Prevention settings.
Options

Section: Exploit Prevention
  Enable Exploit Prevention: Enables the Exploit Prevention feature.
    Caution: Failure to enable this option leaves your system unprotected from malware attacks.
Advanced options

Section: Generic Privilege Escalation Prevention (GPEP)
  Enable Generic Privilege Escalation Prevention: Enables Generic Privilege Escalation Prevention (GPEP) support. (Disabled by default)

    GPEP uses Signature ID 6052 in the Exploit Prevention Content to provide coverage for privilege escalation exploits in kernel mode and user mode.

    Because GPEP might generate false positive reports, this option is disabled by default.

Section: Windows Data Execution Prevention (DEP)
  Enable Windows Data Execution Prevention: Enables Windows Data Execution Prevention (DEP) integration. (Disabled by default)

    Select this option to:

      • Enable DEP for 32-bit applications in the McAfee application protection list, if not already enabled, and use it instead of Generic Buffer Overflow Protection (GBOP).

        Caller validation and Targeted API Monitoring are still enforced.

      • Monitor for DEP detections in the DEP-enabled 32-bit applications.
      • Monitor for DEP detections in 64-bit applications in the McAfee application protection list.
      • Log any DEP detections.

    Disabling this option doesn't affect any processes that have DEP enabled as a result of the Windows DEP policy.

    Because DEP might generate false positive reports, this option is disabled by default.

    Exclusions with Caller Module or API don't apply to DEP.

Section: Network Intrusion Prevention
  Enable Network Intrusion Prevention: Enables Network Intrusion Prevention (Network IPS) and enforces Network IPS signatures.

    Selecting this option exposes Network IPS signatures in the Signatures list.

  Automatically block network intruders: Blocks intruder hosts for a specified number of seconds.

    Select this option to block all attempted actions from intruder hosts, even if the action for the Network IPS signature isn't set to Block.

      • Number of seconds (1-9999) to block — Specifies the number of seconds to automatically block intruders.

  Blocked Hosts: Lists systems that Network IPS is blocking communication from. When Automatically block network intruders is selected, Network IPS automatically blocks systems when it detects an attack.
      • Delete — Deletes the selected system from the Blocked Hosts table. When you click Apply, the system is unblocked.
      • Host — Lists the IP address of the blocked system.
      • Time Remaining (seconds) — Indicates the number of seconds until Network IPS no longer blocks the system.
      • Status — Indicates whether the system is blocked or unblocked.
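The interaction between a Network IPS signature's action and the Automatically block network intruders option described above, as an added illustrative model (not McAfee's code): the auto-block setting overrides a Report-only signature action, the block window is bounded to 1-9999 seconds, and a host leaves the Blocked Hosts table when its Time Remaining expires or when it is deleted. The 600-second default and the host addresses are assumptions for the example.

```python
"""Constructed model of Network IPS auto-blocking; not product code."""
from dataclasses import dataclass, field

MIN_BLOCK_SECONDS, MAX_BLOCK_SECONDS = 1, 9999  # range the option accepts


@dataclass
class NetworkIpsPolicy:
    auto_block: bool = False
    block_seconds: int = 600  # assumed default for this example
    blocked: dict = field(default_factory=dict)  # host -> Time Remaining (seconds)

    def __post_init__(self):
        if not MIN_BLOCK_SECONDS <= self.block_seconds <= MAX_BLOCK_SECONDS:
            raise ValueError("Number of seconds to block must be 1-9999")

    def on_signature_match(self, host, action):
        """action: 'Block', 'Report', 'Block and Report', or None (signature disabled).
        Returns (blocked, logged) for this event."""
        if action is None:
            return False, False  # a disabled signature neither blocks nor logs
        blocked = "Block" in action
        logged = "Report" in action
        if self.auto_block:
            # Auto-block overrides the per-signature action: every action from the
            # intruder host is blocked for block_seconds, even for Report (only).
            self.blocked[host] = self.block_seconds
            blocked = True
        return blocked, logged

    def is_blocked(self, host):
        return host in self.blocked

    def tick(self, seconds):
        """Advance time; a host whose Time Remaining reaches 0 is unblocked."""
        for host in list(self.blocked):
            self.blocked[host] -= seconds
            if self.blocked[host] <= 0:
                del self.blocked[host]

    def delete(self, host):
        """Delete followed by Apply in the Blocked Hosts table unblocks the host."""
        self.blocked.pop(host, None)

    def blocked_hosts_table(self):
        """Rows in the shape of the Blocked Hosts table."""
        return [{"Host": h, "Time Remaining (seconds)": s, "Status": "Blocked"}
                for h, s in self.blocked.items()]
```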
Section: Exclusions
  Exclusions: Specifies the process, caller module, API, signatures, or services to exclude.

    Exclusions with Caller Module or API don't apply to DEP.

  Add: Creates an exclusion and adds it to the list.
  Delete: Deletes the selected item.
  Double-click an item: Changes the selected item.
  Duplicate: Creates a copy of the selected item.
Section: Signatures
  Signatures: Changes the action for Exploit Prevention signatures.

    To disable a signature, deselect Block and Report.

    By default, only high-severity signatures are set to Block.

    The Notes column in the Signatures list refers to KB51504 for details about supported platforms. To view this article, you must first log on to the ServicePortal, then search the Knowledge Center for KB51504.

  Filter options: Filters the Signatures list by:
    Type
      • Buffer Overflow
      • Illegal API Use
      • Files
      • Services
      • Registry
      • Processes
      • Network IPS
    Severity
      • High
      • Medium
      • Low
      • Others (signatures with a severity of Informational or Disabled)
    Status
      • Enabled
      • Disabled
    Origin
      • McAfee-defined
      • User-defined
  Quick find: Filters the list by specifying a term to search for.
      • Apply — Starts the search.
      • Clear — Deletes text from the Quick find field.
  Block (only): Blocks behavior that matches the signature without logging.
  Report (only): Logs behavior that matches the signature without blocking.
  Block and Report: Blocks and logs behavior that matches the signature.
  Add Expert Rule: Creates an Expert Rule to:
      • Protect files, registry keys and values, processes, or services.
      • Prevent buffer overflow or illegal API use exploits.

    You can't create Network IPS Expert Rules.

    To check for syntax errors, select a user-defined Expert Rule and click Add Expert Rule. Expert Rule Checker opens so you can change, check, and enforce the Expert Rule.

  Delete: Deletes the selected item.
  Double-click an item: Changes the selected item. (User-defined rules only)
Section: Application Protection Rules
  Application Protection Rules: Specifies the applications that Exploit Prevention monitors.

    Exploit Prevention only monitors the processes in the application protection list with the inclusion status of Include.

  Add: Creates an application protection rule and adds it to the list.
  Delete: Deletes the selected item. (User-defined rules only)
  Double-click an item: Changes the selected item. (User-defined rules only)
  Duplicate: Creates a copy of the selected item. (User-defined rules only)