McAfee-defined Access Protection rules

Use McAfee-defined Access Protection rules to protect your computer from unwanted changes.

| McAfee-defined rule | Description | Default setting | Benefits | Risks |
|---|---|---|---|---|
| Browsers launching files from the Downloaded Program Files folder | Prevents software from installing through the web browser. | Report | Prevents adware and spyware from installing and running executables from the downloads folder. | Might block installation of legitimate software. Tip: Best practice: Disable this rule before installing the application or add the blocked processes to the exclusion list. |
| Changing any file extension registrations | Protects the registry keys under HKEY_CLASSES_ROOT where file extensions are registered. This rule is a more restrictive alternative to Hijacking .EXE and other executable extensions. | | Prevents malware from changing the file extension registrations to allow malware to execute silently. | Might block installation of legitimate software. Tip: Best practice: Disable this rule when installing valid applications that change file extension registrations in the registry. |
| Changing user rights policies | Protects registry values that contain Windows security information. | | Prevents worms from changing accounts that have administrator rights. | |
| Creating new executable files in the Program Files folder | Prevents the creation of new executable files in the Program Files folder. | | Prevents adware and spyware from creating new .EXE and .DLL files and installing new executable files in the Program Files folder. | Might block installation of legitimate software. Tip: Best practice: Disable this rule before installing the application or add the blocked processes to the exclusion list. |
| Creating new executable files in the Windows folder | Prevents the creation of files from any process, not just from over the network. | | Prevents the creation of .EXE and .DLL files in the Windows folder. | Might block legitimate software from creating these files in the Windows folder. Tip: Best practice: Add processes that must place files in the Windows folder to the exclusion list. |
| Disabling Registry Editor and Task Manager | Protects Windows registry entries, preventing the registry editor and Task Manager from being disabled. | | | Tip: Best practice: In an outbreak, disable this rule to be able to change the registry, or open Task Manager to stop active processes. |
| Doppelganging attacks on processes | Prevents "Process Doppelgänging" attacks from changing processes. | Report, Block | Prevents malware from loading and executing arbitrary code in the context of legitimate or trusted processes. | |
| Executing Mimikatz malware | Prevents executables named mimikatz from running. | Report, Block | Protects against mimikatz malware by preventing it from executing. | Tip: Best practice: If you observe false positives, add the blocked processes to the exclusion list. |
| Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders | Prevents the Windows scripting host from running VBScript and JavaScript scripts in any folder with "temp" in the folder name. | | Protects against many trojans and questionable web installation mechanisms used by adware and spyware applications. | Might block legitimate scripts and third-party applications from being installed or run. Tip: Best practice: If you observe false positives, add the blocked processes to the exclusion list. |
| Executing Windows Subsystem for Linux | Prevents an administrator user from running the Windows Subsystem for Linux (WSL). | Report, Block | Prevents malware designed for Linux systems from attacking Windows computers. | |
| Hijacking .EXE or other executable extensions | Protects .EXE, .BAT, and other executable registry keys under HKEY_CLASSES_ROOT. This rule is a less restrictive alternative to Changing any file extension registrations. | | Prevents malware from changing registry keys to run the virus when another executable runs. | |
| Installing Browser Helper Objects or Shell Extensions | Prevents Browser Helper Objects from installing on the host computer. The rule doesn't prevent installed Browser Helper Objects from working. | | Prevents adware, spyware, and trojans from installing on systems. | Might block legitimate applications from installing Browser Helper Objects. Tip: Best practice: Allow legitimate custom or third-party applications to install Browser Helper Objects by adding them to the exclusion list. |
| Installing new CLSIDs, APPIDs, and TYPELIBs | Prevents the installation or registration of new COM servers. | | Protects against adware and spyware programs that install themselves as a COM add-on in Internet Explorer or Microsoft Office applications. | Might block installation of some common applications, like Adobe Flash. Tip: Best practice: Allow legitimate applications that register COM add-ons by adding them to the exclusion list. |
| Modifying core Windows processes | Prevents files from being created or executed with the most commonly spoofed names. This rule excludes authentic Windows files. | | Prevents viruses and trojans from running with the name of a Windows process. | |
| Modifying Internet Explorer settings | Blocks processes from changing settings in Internet Explorer. | | Prevents start-page trojans, adware, and spyware from changing browser settings, such as changing the start page or installing favorites. | |
| Modifying network settings | Prevents processes that aren't listed in the exclusion list from changing a system's network settings. | | Protects against Layered Service Providers that transmit data, like your browsing behavior, by capturing network traffic and sending it to third-party sites. | Might block legitimate processes that need to change network settings. Tip: Best practice: Disable the rule while changes are made or add processes that must change network settings to the exclusion list. |
| Registering of programs to autorun | Blocks adware, spyware, trojans, and viruses from trying to register themselves to load every time a system is restarted. | | Prevents processes that aren't on the excluded list from registering processes that execute each time a system restarts. | Might block legitimate processes that need to register themselves to load at system startup. Tip: Best practice: Disable this rule before installing the application or add the blocked processes to the exclusion list. |
| Remotely accessing local files or folders | Prevents read and write access from remote computers to the computer. In a typical environment, this rule is suitable for workstations, but not servers. | | Prevents a share-hopping worm from spreading. | Prevents updates or patches from being installed to systems managed by pushing files. This rule doesn't affect the management functions of McAfee ePO. Tip: Best practice: Enable this rule only when computers are actively under attack. |
| Remotely creating autorun files | Prevents other computers from making a connection and creating or changing autorun (autorun.inf) files. Autorun files are used to automatically start program files, typically setup files from CDs. | Report, Block | Prevents spyware and adware distributed on CDs from being executed. | |
| Remotely creating or modifying files or folders | Blocks write access to all shares. In a typical environment, this rule is suitable for workstations, but not servers, and is only useful when computers are actively under attack. | | Limits the spread of infection during an outbreak by preventing write access. The rule blocks malware that would otherwise severely limit use of the computer or network. | Prevents updates or patches from being installed to systems managed by pushing files. This rule doesn't affect the management functions of McAfee ePO. |
| Remotely creating or modifying Portable Executable, .INI, .PIF file types, and core system locations | Prevents other computers from making a connection and changing executables, such as files in the Windows folder. This rule affects only file types that viruses typically infect. | | Protects against fast-spreading worms or viruses, which traverse a network through open or administrative shares. | |
| Running files from common user folders | Blocks any executable from running or starting from any folder with "temp" in the folder name. | | Protects against malware that is saved and run from the user or system temp folder. Such malware might include executable attachments in email and downloaded programs. | Although this rule provides the most protection, it might block legitimate applications from being installed. |
| Running files from common user folders by common programs | Blocks applications from installing software from the browser or from the email client. | | Prevents email attachments and executables from running on webpages. | Might block legitimate processes that use the Temp folder during installation. Tip: Best practice: Disable this rule before installing the application or add the blocked processes to the exclusion list. |
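The following Python model is an added example and is not McAfee's code; it shows how three of the rules above can be expressed as matching logic plus a per-rule Report/Block setting and a process exclusion list, which is the shape of the tuning advice repeated in the Risks column. The script extensions (.vbs, .js), the Report-only defaults for the two "common user folders" rules (the table lists no default for them), and all sample events are assumptions constructed for the example. It also goes slightly beyond the table by showing why substring matching on "temp" over-matches a folder such as `C:\attempt`.

```python
"""Toy evaluator for Access Protection-style rules (constructed example, not McAfee's engine)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Callable, List, Set


@dataclass
class Event:
    """One operation observed on the host (constructed sample input)."""
    process: str      # image name of the process performing the operation
    target: str       # file the operation touches
    operation: str    # "execute", "create" or "write"


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    report: bool = True
    block: bool = False
    exclusions: Set[str] = field(default_factory=set)   # lower-case process names that are exempt


@dataclass
class Decision:
    rule: str
    action: str       # "Block" or "Report"


def in_temp_folder(path: str) -> bool:
    """True when any folder on the path has 'temp' in its name; the file name itself is ignored."""
    folders = PureWindowsPath(path).parts[:-1]
    return any("temp" in folder.lower() for folder in folders)


def is_script(path: str) -> bool:
    # Assumed extensions for the VBScript/JavaScript files the rule text refers to.
    return PureWindowsPath(path).suffix.lower() in {".vbs", ".js"}


def default_rules() -> List[Rule]:
    """Three rules from the table, modelled as predicates over an Event."""
    return [
        Rule(
            name="Running files from common user folders",
            matches=lambda e: e.operation == "execute" and in_temp_folder(e.target),
            report=True, block=False,   # assumed setting; the table lists no default
        ),
        Rule(
            name="Executing scripts by Windows script host from common user folders",
            matches=lambda e: e.operation == "execute"
                and e.process.lower() in {"cscript.exe", "wscript.exe"}
                and is_script(e.target) and in_temp_folder(e.target),
            report=True, block=False,   # assumed setting; the table lists no default
        ),
        Rule(
            name="Executing Mimikatz malware",
            matches=lambda e: e.operation == "execute"
                and PureWindowsPath(e.target).stem.lower() == "mimikatz",
            report=True, block=True,    # Report and Block, as listed in the table
        ),
    ]


def evaluate(event: Event, rules: List[Rule]) -> List[Decision]:
    """Return the Block/Report decisions every non-excluded, matching rule produces."""
    decisions: List[Decision] = []
    for rule in rules:
        if event.process.lower() in rule.exclusions:
            continue                    # excluded process: this rule does not fire at all
        if not rule.matches(event):
            continue
        if rule.block:
            decisions.append(Decision(rule.name, "Block"))
        if rule.report:
            decisions.append(Decision(rule.name, "Report"))
    return decisions


def is_blocked(event: Event, rules: List[Rule]) -> bool:
    return any(d.action == "Block" for d in evaluate(event, rules))


if __name__ == "__main__":
    rules = default_rules()
    samples = [
        Event("explorer.exe", r"C:\Users\alice\AppData\Local\Temp\setup.exe", "execute"),
        Event("wscript.exe", r"C:\Windows\Temp\payload.vbs", "execute"),
        Event("cmd.exe", r"C:\tools\mimikatz.exe", "execute"),
        Event("explorer.exe", r"C:\attempt\run.exe", "execute"),   # over-match: "attempt" contains "temp"
    ]
    for ev in samples:
        print(ev.process, ev.target, [(d.rule, d.action) for d in evaluate(ev, rules)])
```

Adding a process name to a rule's `exclusions` set is the model's equivalent of the "add the blocked processes to the exclusion list" tip: the rule then stops firing for that process while staying active for everything else.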