Monday, June 15, 2020

How To Use McAfee ATP to Protect Against Emotet, LemonDuck, and PowerMiner?

https://quicksolvo939231001.blogspot.com/2020/06/how-to-schedule-norton-security-scan.html


McAfee


Introduction

This blog describes how to use the rules of McAfee ATP (Adaptive Threat Protection) within the McAfee Endpoint Security products. It will help you understand how ATP rules work and how you can use them to prevent infections from families of prevalent malware, such as Emotet, LemonDuck, and PowerMiner. For the successful use of rules in your environment, please read through the Recommendation section.
ATP rules are a form of Attack Surface Reduction technology that detects the suspicious use of OS features and applications. The rules target behaviors that malware authors often abuse. There may be situations where legitimate programs use the same behavior, so the appropriate rule settings depend on the context in which they are deployed.
ATP rules within McAfee Endpoint Security (ENS) 10.5.3 and above have detected more than one million pieces of malware since the beginning of 2020. This blog will show you how to enable ATP rules and explain why they should be enabled by highlighting some of the malware we find with them. We will also show you how to get the most detection capability out of the rules by adjusting a few settings.
Let's start with an overview. We release three types of ATP rules: Evaluate, DefaultOn, and HighOn.
Evaluate rules are being tested by McAfee in the field to determine whether they are robust enough to detect malicious activity without producing false positives. Once a rule has been in Evaluate mode for a period of time, McAfee researchers analyze its performance and either make changes or promote it to DefaultOn or HighOn. ENS ATP customers connected to McAfee ePolicy Orchestrator (ePO) may manually switch Evaluate rules to Enabled mode.
DefaultOn rules are created when McAfee has high confidence that they do not affect any legitimate applications. These rules are enabled by default in all McAfee Endpoint Security rule groups.
HighOn rules detect behavior known to be malicious but which may overlap with non-malicious applications. Such rules are set to Observe mode in the "Balanced" rule group, but behave like DefaultOn rules in the "Security" rule group. Later in this blog, we cover how to change the Endpoint Security rule group so that HighOn rules are enforced.

How to enable ATP rules in ENS 10.5.3 and above

1. Many of the ATP rules are set to Observe mode by default. To put particular rules into an active blocking mode, log in to the ePO Console and go to Menu->Configuration->Server Settings.
2. Choose Adaptive Threat Protection and pick the rule group you need (Productivity, Balanced, or Security).
Note: As previously mentioned, we analyze rules from time to time and make changes, so you may see different settings in your environment depending on your content version.
3. To enable a rule, click Edit below the rule list, select the rule you want to change, then select the desired state: Disabled, Enabled, or Observe.
4. Click Save; within a few minutes, the rule should be enabled on the clients. Here you can see Rule 256, which is enabled by default, blocking a malicious script detected as JTI / Suspect.131328.
