McMcbrad

Level 10
Hi everyone,

This is a short guide on how to configure McAfee Endpoint Security for maximum security.
[screenshot]


Threat Prevention is a standard definition-based, cloud-based and policy-based antivirus.
Access Protection is part of this module; it contains rules defining which actions can't be performed on your system.
[screenshot]

Block: Altering user rights policies
Block: Executing scripts by Windows Script Host (wscript.exe and cscript.exe)
Block: Modifying core Windows Processes
Report: Remotely creating or modifying files or folders
Make sure the following options have been selected:
[screenshot]

Then make sure all medium risk rules are enabled. To do that, navigate to the Exploit Prevention rules and type Java in the search box first.
[screenshot]

Make sure you enable all 4 rules.
Next, type script.
[screenshot]

[screenshot]

Make sure you select "block" for all these rules.
Next, type powershell.
[screenshot]

[screenshot]

Make sure you select "block" for all these rules.
Next, type fileless.
[screenshot]

Make sure you select "block" for all these rules.
[screenshot]


Increase GTI sensitivity to High and disable AMSI observe mode.
Firewall filters traffic based on pre-defined rules and checks the reputation of IP addresses connecting to your device.
[screenshot]

Enable "Treat McAfee GTI match as intrusion".
Enable Block Threshold and set it to High Risk (recommended), or Medium Risk if you need more security.
Web Control prevents your browser and apps from connecting to untrusted websites.
[screenshot]

"Apply this action to sites not yet verified": select warn.
For maximum security you can even choose block (not recommended).
Adaptive Threat Prevention provides protection when all other layers have failed.
It's divided into 2 categories:
[screenshot]


Under Enhanced Script scanning, disable the observe mode.
Increase sensitivity level to High.
Under "Enable enhanced remediation", enable "Monitor and remediate deleted and changed files". This will greatly improve ransomware protection.
Under "Trigger Dynamic Application Containment when reputation threshold reaches:",
select Unknown instead of Might be malicious.
When Real Protect Static and Real Protect Cloud can't come up with a verdict on a file and it still needs to be executed, it's good to be able to limit the harm it could do, should it turn out to be malicious.
That's exactly what DAC (Dynamic Application Containment) does.
[screenshot]

Enable "Send files not yet verified to McAfee Advanced Threat Defence for analysis".
[screenshot]

Next under rules, select "block" for the following rules:
Accessing insecure password LM hashes
Accessing user cookie locations
Allocating memory in another process
Creating files on any network locations
Creating files on CD, floppy and removable drives
Deleting files commonly targeted by ransomware-class malware
Modifying critical Windows files and registry locations
Modifying desktop background settings
Modifying file extension association
Modifying File Execution Options registry entries
Modifying startup registry locations
Modifying the hidden attribute bit
Reading files commonly targeted by ransomware-class malware
Reading from another process memory
Writing to another process memory
Writing to files commonly targeted by ransomware-class malware
Copying files commonly targeted by ransomware-class malware
Renaming files commonly targeted by ransomware-class malware
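As an added example (not the author's code and not a McAfee tool), here is a small Python audit script that compares the Access Protection and Adaptive Threat Prevention rule actions listed in this post against an exported policy, so you can check a deployed configuration instead of eyeballing each screen. McAfee ENS does not offer a documented export in this JSON shape: the structure, the module names as keys, and the build_sample_export()/build_compliant_export()/audit() helpers are all constructed for illustration; the rule names and the block/report actions are the ones from the post.

```python
"""Audit a (hypothetical) ENS policy export against the rule actions recommended above."""
import json

# Minimum action the post asks for per rule, keyed by module and rule name.
# "block" and "report" are separate checkboxes in ENS, so each is checked independently.
RECOMMENDED = {
    "Access Protection": {
        "Altering user rights policies": "block",
        "Executing scripts by Windows Script Host (wscript.exe and cscript.exe)": "block",
        "Modifying core Windows Processes": "block",
        "Remotely creating or modifying files or folders": "report",
    },
    "Adaptive Threat Prevention": {
        "Accessing insecure password LM hashes": "block",
        "Accessing user cookie locations": "block",
        "Allocating memory in another process": "block",
        "Creating files on any network locations": "block",
        "Creating files on CD, floppy and removable drives": "block",
        "Deleting files commonly targeted by ransomware-class malware": "block",
        "Modifying critical Windows files and registry locations": "block",
        "Modifying desktop background settings": "block",
        "Modifying file extension association": "block",
        "Modifying File Execution Options registry entries": "block",
        "Modifying startup registry locations": "block",
        "Modifying the hidden attribute bit": "block",
        "Reading files commonly targeted by ransomware-class malware": "block",
        "Reading from another process memory": "block",
        "Writing to another process memory": "block",
        "Writing to files commonly targeted by ransomware-class malware": "block",
        "Copying files commonly targeted by ransomware-class malware": "block",
        "Renaming files commonly targeted by ransomware-class malware": "block",
    },
}


def build_compliant_export() -> str:
    """Constructed export (hypothetical JSON shape) in which every rule has the recommended action."""
    policy = {
        module: {rule: {"actions": [action.capitalize()]} for rule, action in rules.items()}
        for module, rules in RECOMMENDED.items()
    }
    return json.dumps(policy, indent=2)


def build_sample_export() -> str:
    """Constructed export with three deliberate deviations, to exercise the audit."""
    policy = json.loads(build_compliant_export())
    # Rule left on report-only instead of block.
    policy["Access Protection"]["Modifying core Windows Processes"]["actions"] = ["Report"]
    # Rule absent from the export entirely (e.g. removed or renamed).
    del policy["Adaptive Threat Prevention"]["Modifying the hidden attribute bit"]
    # Rule present but with no action selected.
    policy["Adaptive Threat Prevention"]["Reading from another process memory"]["actions"] = []
    return json.dumps(policy, indent=2)


def audit(policy_json: str, recommended: dict = RECOMMENDED) -> list[dict]:
    """Return one finding per rule that is missing or lacks the recommended action."""
    policy = json.loads(policy_json)
    findings = []
    for module, rules in recommended.items():
        configured = policy.get(module, {})
        for rule, required in rules.items():
            if rule not in configured:
                findings.append({"module": module, "rule": rule, "issue": "rule missing from export"})
                continue
            # Action names are compared case-insensitively ("Block" == "block").
            enabled = {a.lower() for a in configured[rule].get("actions", [])}
            if required not in enabled:
                findings.append({"module": module, "rule": rule,
                                 "issue": f"'{required}' not enabled", "enabled": sorted(enabled)})
    return findings


if __name__ == "__main__":
    for finding in audit(build_sample_export()):
        print(f"{finding['module']}: {finding['rule']} -> {finding['issue']}")
```

Running the script prints the three deviations planted in the sample export; pointing audit() at a real export would need a small adapter that maps your actual export format onto the {module: {rule: {"actions": [...]}}} shape assumed here.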