No options are available from the command line to disable the default Access Protection rules for ENSLTP. Currently, the only way to disable the rules is from the ePolicy Orchestrator policy, or by following these steps.
To disable the default Access Protection rules manually for ENSLTP:
- Determine the Access Protection rule index:
/opt/isec/ens/threatprevention/bin/isecav --getallaprules
The following output displays:
----------------------------------------------------------------------------------------------------------------------------------------------
|Index  Rule Name                                                             Block Status  Report Status  Origin         |
----------------------------------------------------------------------------------------------------------------------------------------------
|1      IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX  Disabled      Enabled        McAfee-defined |
|2      IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX                  Disabled      Disabled       McAfee-defined |
|3      IDS_AP_RULE_PREVENT_PERMISSION_OWNERSHIP_STARTUPFILES_LINUX           Disabled      Enabled        McAfee-defined |
|4      IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION.     Disabled      Enabled        McAfee-defined |
|5      IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX                   Disabled      Disabled       McAfee-defined |
|6      IDS_AP_RULE_PREVENT_WRITE_STARTUPFILES_LINUX                          Disabled      Disabled       McAfee-defined |
|7      IDS_AP_RULE_PREVENT_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_          Disabled      Disabled       McAfee-defined |
- Run the following command for each Access Protection rule to disable it:
/opt/isec/ens/threatprevention/bin/isecav --editaprule <rule index> --block disable --report disable
For example, if you want to disable the rule with index 1:
/opt/isec/ens/threatprevention/bin/isecav --editaprule 1 --block disable --report disable
- Verify that the Access Protection rules are disabled:
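/opt/isec/ens/threatprevention/bin/isecav --getallaprules
The following output displays. In this example only rule 1 was edited, so its Report Status now reads Disabled, while rules 3 and 4 still show Report Status Enabled until the command is run for them as well: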
----------------------------------------------------------------------------------------------------------------------------------------------
|Index  Rule Name                                                             Block Status  Report Status  Origin         |
----------------------------------------------------------------------------------------------------------------------------------------------
|1      IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX  Disabled      Disabled       McAfee-defined |
|2      IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX                  Disabled      Disabled       McAfee-defined |
|3      IDS_AP_RULE_PREVENT_PERMISSION_OWNERSHIP_STARTUPFILES_LINUX           Disabled      Enabled        McAfee-defined |
|4      IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION.     Disabled      Enabled        McAfee-defined |
|5      IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX                   Disabled      Disabled       McAfee-defined |
|6      IDS_AP_RULE_PREVENT_WRITE_STARTUPFILES_LINUX                          Disabled      Disabled       McAfee-defined |
|7      IDS_AP_RULE_PREVENT_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_          Disabled      Disabled       McAfee-defined |
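
The verification step above can be scripted. The following is an added example, not part of the original article or of the vendor's tooling: it parses `--getallaprules` output and lists every rule whose Block or Report status is not `Disabled`. The function names and the embedded sample are this example's own, and it assumes the five-column layout shown on this page.

```shell
#!/usr/bin/env bash
# Added example: audit Access Protection rule state from `isecav --getallaprules`.
ISECAV=/opt/isec/ens/threatprevention/bin/isecav   # path as given on this page

# Reads --getallaprules output on stdin and prints one line per rule that is
# not fully disabled: "<index> <rule name> block=<status> report=<status>".
# Assumes whitespace-separated columns: |Index, Rule Name, Block, Report, Origin.
ap_rules_still_enabled() {
  awk '
    /^[|][0-9]+[ \t]/ {                 # data rows only; skips header and rulers
      sub(/^[|]/, "", $1)               # drop the leading table border
      if ($3 != "Disabled" || $4 != "Disabled")
        printf "%s %s block=%s report=%s\n", $1, $2, $3, $4
    }'
}

# Sample input: rows copied from the verification output shown on this page,
# used when the isecav binary is not present on the machine running the script.
sample_output() {
cat <<'EOF'
|Index Rule Name Block Status Report Status Origin |
|1 IDS_AP_RULE_PREVENT_CREATE_DELETE_RENAME_HARDLINK_STARTUPFILES_LINUX Disabled Disabled McAfee-defined |
|2 IDS_AP_RULE_PREVENT_MODIFICATION_PASSWORDFILES_LINUX Disabled Disabled McAfee-defined |
|3 IDS_AP_RULE_PREVENT_PERMISSION_OWNERSHIP_STARTUPFILES_LINUX Disabled Enabled McAfee-defined |
|4 IDS_AP_RULE_PREVENT_READ_WRITE_DELETE_RENAME_HARDLINK_PERMISSION. Disabled Enabled McAfee-defined |
|5 IDS_AP_RULE_PREVENT_CREATION_LINK_SYSTEMFILES_LINUX Disabled Disabled McAfee-defined |
|6 IDS_AP_RULE_PREVENT_WRITE_STARTUPFILES_LINUX Disabled Disabled McAfee-defined |
|7 IDS_AP_RULE_PREVENT_WRITE_DELETE_RENAME_HARDLINK_PERMISSION_ Disabled Disabled McAfee-defined |
EOF
}

# Use the live product output when available, otherwise the sample above.
if [ -x "$ISECAV" ]; then
  "$ISECAV" --getallaprules
else
  sample_output
fi | ap_rules_still_enabled
```

An empty result means every listed rule has both Block and Report disabled. Run against a fleet, the same check shows which hosts differ from the state the ePolicy Orchestrator policy is expected to enforce.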