The MA 5.x Extension includes the policy setting
Self-Protection (Windows Only) for Windows systems. Although briefly mentioned in the
McAfee Agent Product Guides, this article provides supplemental information about Self Protection.
When enabled, this setting prevents unauthorized access and changes to the MA 5.x Windows client files, folders, registry, and executables. This protection is beyond the security permissions set for MA folders and files during installation.
The new MA feature is similar to the Access Protection feature of VirusScan Enterprise (VSE). But, unlike VSE, there are no granular policy settings to allow, or only report tried access. The feature is designed to have the following two states, and only applies to Windows platforms with MA 5.x installed:
- On (block unauthorized attempts)
- Off (allow unauthorized attempts)
Currently, unauthorized access attempts aren't logged outside of a McAfee-specific log file. This means that access attempts by a non-trusted process are either of the following:
- Not currently logged to the Windows Event Viewer
- Displayed in an MA tray icon notification
Lockdown of the MA services is available starting with MA 5.0.1.
Sometimes, you may need to disable self-protection for debugging purposes. Implement with caution and be fully aware of the risks involved. Disabling self-protection compromises MA security and can make it vulnerable to attacks. If you disable self-protection, do it only for a short duration, and then re-enable it. When self-protection is disabled, MA is still protected by the file and folder permissions set through the Windows Access Control List. But, when possible, you're advised to do the following:
- Isolate the client system from potential attacks.
- Consider strengthening the firewall rules while Self-Protection is disabled.
IMPORTANT:
- You can only control self-protection through the MA policy. It can't be changed on the local system.
- Contact Trellix Support if your client isn't managed via ePO. See the "Related Information" section for details.
NOTE: This article is viewable only by registered ServicePortal users.
For more information, see
KB82740 - REGISTERED - How to temporarily disable self-protection for McAfee Agent 5.x in the McAfee Agent policy.
