Overview of Expert Rules

Expert Rules are text-based custom rules that you create in the Exploit Prevention policy in Threat Prevention.

Expert Rules provide additional parameters and allow much more flexibility than the custom rules you create in the Access Protection policy. But, to create Expert Rules, you must understand the McAfee proprietary syntaxes.

McAfee Endpoint Security includes two McAfee technologies and rule engines for Expert Rules: Arbitrary Access Control (AAC) and legacy McAfee Host IPS Core.

Each Expert Rule supports only one rule engine type. You can't mix different rule engine types in the same rule. For example, you can't combine a McAfee Host IPS-based rule, such as an Illegal API Use rule, with an AAC-based rule, such as a Files rule. Endpoint Security doesn't support signatures with multiple rules.

Tip: Best practice: Before writing Expert Rules, we recommend that you familiarize yourself with the Tcl programming language.

AAC-based Expert Rules

AAC is a McAfee proprietary technology that Threat Prevention uses to protect key resources. You can extend this protection by creating rules to protect specific files, processes, and registry items. AAC-based Expert Rules use a new syntax that is parsed by the Tool Command Language (Tcl) interpreter, version 7.6. Endpoint Security supports the following AAC rule types:

  • Files — Protects files.
  • Processes — Protects processes.
  • Registry — Protects registry keys and registry values.

You can also create custom Files, Processes, and Registry rules in the Access Protection policy in Threat Prevention. But, these rules don't provide the complete functionality available with Expert Rules.
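As an added illustration, which is not taken from the McAfee documentation or from Exploit Prevention content, the following is an AAC-based Files rule written in the Expert Rules syntax. It blocks every process except explorer.exe from creating, writing, or deleting files under the directory C:\Protected. The directory, the process exclusion, and the chosen access types are constructed for this example; the keywords (Rule, Process, Target, Match FILE, Include, Exclude, OBJECT_NAME, -v, -access) are the AAC rule syntax.

```tcl
# Added example of an AAC-based Files Expert Rule (constructed for illustration,
# not McAfee-provided content). It protects the hypothetical directory
# C:\Protected so that only explorer.exe may create, write, or delete files in it.
Rule {
    # Actor section: which processes the rule applies to.
    # "**" matches any process; the Exclude removes explorer.exe from the match,
    # so explorer.exe is allowed and every other process is subject to the rule.
    Process {
        Include OBJECT_NAME { -v "**" }
        Exclude OBJECT_NAME { -v "explorer.exe" }
    }

    # Target section: the protected objects and the access types that trigger the rule.
    # This is a Files rule only; a Registry (Match KEY / Match VALUE) or Processes
    # (Match PROCESS) target is not mixed into the same rule.
    Target {
        Match FILE {
            # Backslashes are doubled because the rule text is parsed by the Tcl interpreter.
            # "**" matches any path below C:\Protected, including subdirectories.
            Include OBJECT_NAME { -v "C:\\Protected\\**" }
            # Access types are listed in one space-separated string.
            Include -access "CREATE WRITE DELETE"
        }
    }
}
```

Because each rule targets exactly one engine type, a Files rule like this one cannot be combined with a Registry or Processes target, nor with a legacy Host IPS class such as Illegal API Use, in the same Expert Rule.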

Legacy McAfee Host IPS-based Expert Rules

These Expert Rules follow the same syntax as rules created using the Expert method in McAfee Host IPS. Endpoint Security supports the following legacy class types:

  • Buffer Overflow — Prevents buffer overflow exploits for applications in the Application Protection list.
  • Illegal API Use — Prevents illegal use of the Exploit Prevention API. The Expert Rules can only extend the functionality of the Illegal API Use signatures provided by Exploit Prevention content. Expert Rules can't refer to APIs that aren't already covered in an Illegal API Use signature available in content.
  • Services — Protects Windows Services (Windows versions 8.0 and earlier only).

    You can also create custom Services rules in the Access Protection policy in Threat Prevention. But, these rules don't provide the complete functionality available with Expert Rules.