Reliable Contributor vnaidu
Message 1 of 9

Threat Prevention Access Protection and Exploit Prevention .

Dear All,

I need your quick help for the following.

We have an IPS rule for Denying Windows XP logon which is as follows.

The signature ID is 4001, with the following registries to be blocked:

\Registry\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

\Registry\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

\Registry\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileGuid

However, when we migrate the IPS rules and Access Protection, the above rule is missing, or I could not find it in either the Access Protection user-defined rules or Exploit Prevention. I would like your immediate help to get this remediated.

Venu
Accepted Solutions
McAfee Employee ktankink
Message 2 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

Hello vnaidu. Signature 4001 appears to be a custom Host IPS 8.0 IPS signature (e.g., not a McAfee-created signature). If it's causing issues, then the creator of the signature should resolve the issue, or disable the signature.

Regarding IPS Rules migration, not all IPS signatures will migrate. Please see the ENS Migration guide regarding this. If a signature is not migrated, it will need to be recreated in ENS Access Protection or Exploit Prevention Expert Rules (if applicable).

https://kc.mcafee.com/corporate/index?page=content&id=PD26801

Page 55, section "IPS Rules migration"

Reliable Contributor vnaidu
Message 3 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

@ktankink

Thank you for the quick reply. After posting this question yesterday, I was testing randomly on my test environment to notice that all the custom rules are not getting migrated. So I had to create a few manually in Access Protection, as you mentioned in the reply.

Many thanks @ktankink

Cheers !!! 🙂

Venu
Reliable Contributor SWISS
Message 4 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

"environment to notice that all the custom rules are not getting migrated."

That's NOT nice THAT they don't migrate the CUSTOM RULES. I would have assumed that they get migrated. Is there any plan that this will be changed? If a customer makes an EXTRA effort to do such a thing (on his side), he could at least expect that it gets migrated if the syntax is valid and correct.

McAfee Employee chealey
Message 5 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

The migration document states exactly what we expect to be migrated and what not:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27567/en_US/...

See page 39 for custom IPS rules.

If there is a custom rule which meets these criteria and hasn't been migrated, then this should be addressed and investigated with support.

Reliable Contributor SWISS
Message 6 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

Yes, that's valid for a migration from IPS to ENS...

He (the customer) talks about MIGRATION from ENS to ENS?
Or does he talk about migration from HIPS 8.X to ENS 10.6.X?

McAfee Employee ktankink
Message 7 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

  • The original question was in regards to Signature 4001.  HIPS custom IPS signatures are numbered Signature 4001-5999. 
  • ENS Exploit Prevention Expert Rules are numbered Signature ID 20000+. 
  • ENS Access Protection rules don't use Signature ID numbers.

The original question was in regards to migrating HIPS IPS signatures to ENS Threat Prevention (Access Protection) rules.

Reliable Contributor SWISS
Message 8 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

Hello @ktankink 

"ENS Access Protection rules don't use Signature ID numbers."?

 "ENS Does not use ID IPS numbers in Exploit Prevention?"

https://kc.mcafee.com/corporate/index?page=content&id=SNS1386

April 2018 Content Release - HIP 8.0.0/ENS Content build 8.0.0. 8330 Now Available

See that the rules come at the same time for HIPS and ENS?

Let's say it. No wonder customers wait to migrate VSE 8.8 to ENS 10.6 with all the confusion.

No wonder McAfee management's top priority seems to be pushing marketing information and material out on how to migrate to ENS and releasing a lot of tools.

[Attached screenshot: 2019-01-24 09-49-33_local - visionapp Remote Desktop 2009.jpg]

McAfee Employee ktankink
Message 9 of 9

Re: Threat Prevention Access Protection and Exploit Prevention .

Hi @SWISS,

The comment was that ENS Access Protection rules don't use ID numbers, as per the ENS Access Protection policy view (below). 

[Attached screenshot: ens_ap_rules.jpg]

The screenshot you provided is for ENS Exploit Prevention signatures (which do use ID numbers, as you see with HIPS IPS Signatures). Both HIPS IPS and ENS Exploit Prevention signatures are updated with the monthly Content release (as you explained). Migration of HIPS IPS custom signatures will migrate into the ENS Threat Prevention (Access Protection) policies as described in the ENS Migration guide (online documentation link).

IPS custom signatures with IDs in the 4001–6000 range migrate to Access Protection custom rules.

 

 
