Hi everyone,

This is a short guide on how to configure McAfee Endpoint Security for maximum security.

Threat Prevention is a standard definition-based, cloud-based and policy-based antivirus.
Access Protection is part of this module; it contains rules defining which actions can't be performed on your system.

Block: Altering user rights policies
Block: Executing scripts by Windows Script Host (wscript.exe and cscript.exe)
Block: Modifying core Windows Processes
Report: Remotely creating or modifying files or folders
Make sure the following options have been selected

Then make sure all medium risk rules are enabled. To do that, navigate to the Exploit Prevention rules and type Java in the search engine first.

Make sure you enable all 4 rules.
Next, type script


Make sure you select "block" for all these rules.
Next, type powershell


Make sure you select "block" for all these rules.
Next, type fileless

Make sure you select "block" for all these rules.

Increase GTI sensitivity to High and disable AMSI observe mode.
Firewall filters traffic based on pre-defined rules and it checks the reputation of IP addresses connecting to your device.

Enable Treat McAfee GTI match as intrusion
Enable Block Threshold and set to High Risk (recommended) or Medium Risk if you need more security.
Web Control prevents your browser and apps from connecting to untrusted websites.

"Apply this action to sites not yet verified" - select warn.
For maximum security, you can even choose block (not recommended).
Adaptive Threat Prevention provides protection when all other layers have failed.
It's divided into 2 categories:

Under Enhanced Script scanning, disable the observe mode.
Increase sensitivity level to High.
Under "Enable enhanced remediation", enable "Monitor and remediate deleted and changed files". This will greatly improve ransomware protection.
Under "Trigger Dynamic Application Containment when reputation threshold reaches:"
Instead of Might be malicious, select Unknown.
When Real Protect Static and Real Protect Cloud can't come up with a verdict on a file and it still needs to be executed, it's good to be able to limit the harm it could do, should it turn out to be malicious.
That's exactly what DAC does.

Enable "Send files not yet verified to McAfee Advanced Threat Defense for analysis".

Next, under rules, select "block" for the following rules:
Accessing insecure password LM hashes
Accessing user cookie locations
Allocating memory in another process
Creating files on any network locations
Creating files on CD, floppy and removable drives
Deleting files commonly targeted by ransomware-class malware
Modifying critical Windows files and registry locations
Modifying desktop background settings
Modifying file extension association
Modifying File Execution Options registry entries
Modifying startup registry locations
Modifying the hidden attribute bit
Reading files commonly targeted by ransomware-class malware
Reading from another process memory
Writing to another process memory
Writing to files commonly targeted by ransomware-class malware
Copying files commonly targeted by ransomware-class malware
Renaming files commonly targeted by ransomware-class malware