25th May 2022

Adding Rules in “McAfee Access Protection” and “McAfee EDR Triggers”

We will explain how to add a rule in “McAfee Access Protection” and “McAfee EDR Triggers“, the rule for the “CVE 2022-29072” vulnerability, where you can find the vulnerability, exploitation, mitigation methods at “https://github.com/kagancapar/CVE-2022-29072“. Up to version 21.07, which is the current version of 7zip, is affected by this vulnerability. It allows for escalation and is not very complex to exploit.

It is possible to detect the exploitation of the related vulnerability, after running 7zip.exe, by writing a rule in case of child processes PowerShell, cmd or a network connection.

Write Rules in McAfee Access Protection

We will apply this rule to the policy that all machines use. On the Access Protection side, follow the steps below to take a block action when the “cmd.exe” and “powershell.exe” sub-processes run from within the “7zFM.exe” and “FzGM.exe” processes.

First, we click on the “Endpoint Security Threat Prevention -> Access Protection -> My Default ->” tab and click “Edit”. Here you should add to which policy you are using in your institution.

Access Protection
Access Protection

 

Afterwards, we click on the “Add” button since we will enter a new rule in the “Rules” section.

Access Protection Rules
Access Protection Rules

 

Here in the “Options” tab, we will add the “7zFM.exe” file with the opening in the “Executables:” section. To do this, click the “Add” button.

Options
Options

 

This page also adds the “7zFM.exe” file to the “File name or path” section. Enter the rule name in the “Name:” field. Click the “Save” button.

LEARN MORE  "TIE Server couldn't establish a connection to some ATD servers" Error and Solution
File name or path
Filename or path

 

It is seen that the “7zFM.exe” file below has been added. This is the main added process.

7zFM.exe

 

In the next step, we will enter the sub-rules in the “Subrules” section at the bottom. To do this, click the “Add” button.

Subrules
Subrules

 

On the “Subrules” page, we will enter the sub-rules. Here we need to enter two processes. These are cmd.exe and powershell.exe. To add processes, click the “Add” button below.

processes
processes

 

On the “Executable” page, we write the name of the process we want to write. We write the process in the “File name or path” section. For example **\cmd.exe process. Whichever path the “**\” sign starts with, it means to include cmd.exe.

Executable
Executable

 

Then click the “Save” button. After adding the Powershell.exe process, we click the “Save” button again.

Powershell.exe and cmd.exe
Powershell.exe and cmd.exe

 

In the end, the screen where we add both the child processes and the parent process is shown below. Finally, we click on the “Save” button again. This is the rule we added in “McAfee Access Protection”.

McAfee Access Protection rules
McAfee Access Protection rules

 

 

Write Rules in McAfee EDR Triggers

On the McAfee EDR (Endpoint Security Resource) side, we will write triggers that take the “KillProcessTree” action when the “cmd.exe” and “powershell.exe” sub-processes run from within the “7zFM.exe” and “FzGM.exe” processes. For this, follow the steps below.

First, we click on the “Active Response Catalog” tab on McAfee EPO.

LEARN MORE  Adding Online Disk to Linux Systems on VMware Workstation
Active Response Catalog
Active Response Catalog

 

Then click on the “Triggers” tab. Here we click the “New Trigger” button to add a new trigger.

New Trigger
New Trigger

 

On the “Triggers” page, we enter the rule name. In the “Trigger Configuration” section, we “Enable” as “Status“. We choose “Critical” as “Event Severity“. If you want, you can change this according to the importance of this opening.

In the “Detection” section, we select “Process” as “Type“. We choose “ProcessCreated” as “Event“. In the “Condition” section, we write the rule. The rule is as follows.

McAfee EDR Trigger rule
McAfee EDR Trigger rule

 

Here we have entered four rules in “Triggers” regarding this opening. You can see the state of these rules on the screen below.

Triggers
Triggers

 

Leave a Reply

Your email address will not be published. Required fields are marked *