How application protection rules work

Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and illegal API use violations. Only processes in the Application Protection Rules list with the inclusion status of Include are monitored.

When a monitored process starts, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and illegal API use violations.

The Exploit Prevention content provided by McAfee includes a list of applications that are protected. Threat Prevention displays these applications in the Application Protection Rules section of the Exploit Prevention settings page. To keep protection current, updates to Exploit Prevention content replace the McAfee-defined application protection rules in the Exploit Prevention settings with the latest application protection rules.

You can enable, disable, and change the inclusion status and executables of McAfee-defined application protection rules, but you can't delete them. You can also create and duplicate your own application protection rules. Any changes you make to these rules persist through content updates.

If the inclusion status of the application protection rule is:

  • Include — Exploit Prevention injects its DLLs and monitors the process for violations.

    Protected applications include Microsoft applications such as PowerPoint, Outlook, and Excel; web browsers; and known vulnerable processes such as svchost.exe and services.

  • Exclude — Exploit Prevention doesn't inject its DLLs and doesn't monitor the process for violations.
    Note: Setting the inclusion status to Exclude has the same effect as adding an exclusion in the Exclusions section and specifying only the process information.

    Typically, processes such as slsvc.exe and mcshield.exe are excluded because of known compatibility or redundancy issues.

If the list includes conflicting application protection rules, Exclude status rules take precedence over Include.
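The inclusion logic above, modelled as an added example that is not McAfee code or content: a process is monitored only if an enabled Include rule lists its executable, and any enabled Exclude rule that lists it wins regardless of where the rules sit in the list. The rule names and executables are constructed samples, and the assumptions that disabled rules are ignored and that executables match on file name case-insensitively are mine, not the page's.

```python
from dataclasses import dataclass


@dataclass
class AppProtectionRule:
    name: str
    executables: set      # executable file names, e.g. "excel.exe"
    inclusion: str        # "Include" or "Exclude"
    enabled: bool = True  # assumption: disabled rules do not apply


def normalize(exe):
    # Assumption: executables are compared by file name, case-insensitively.
    return exe.strip().lower()


def is_monitored(process_exe, rules):
    """Return True if Exploit Prevention would inject its DLLs into this process.

    A process is monitored only when some enabled Include rule lists it;
    an enabled Exclude rule listing it takes precedence, whatever the list order.
    """
    target = normalize(process_exe)
    included = excluded = False
    for rule in rules:
        if not rule.enabled:
            continue
        if target not in {normalize(e) for e in rule.executables}:
            continue
        if rule.inclusion == "Exclude":
            excluded = True
        elif rule.inclusion == "Include":
            included = True
    return included and not excluded


# Constructed sample rule list; the names and groupings are illustrative only.
SAMPLE_RULES = [
    AppProtectionRule("Microsoft Office", {"excel.exe", "powerpnt.exe", "outlook.exe"}, "Include"),
    AppProtectionRule("Windows services", {"svchost.exe", "services.exe"}, "Include"),
    AppProtectionRule("McAfee engine", {"mcshield.exe"}, "Exclude"),
    AppProtectionRule("Custom: svchost off", {"svchost.exe"}, "Exclude"),  # conflicts with the Include rule above
    AppProtectionRule("Custom: disabled", {"notepad.exe"}, "Include", enabled=False),
]
```

Running `is_monitored("svchost.exe", SAMPLE_RULES)` returns False even though an Include rule lists it, which is the precedence behaviour the page describes.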

Note: Endpoint Security Client displays the complete list of protected applications, not just the applications currently running on the client system.

Application protection rules created in the Endpoint Security Client are not sent to McAfee ePO and might be overwritten when the administrator deploys an updated policy.