After the recent HIPS content update, we are seeing a large number of false positive events generated by the 6015 signature. It seems that most of the threat source process names pertain to Citrix processes. Just wanted to see if anyone else was seeing the same after the signature was modified again.
I'm also having a tough time with this signature since the last content update. It seems that every time there's a content update we have problems with this signature blocking new things. I'm on the verge of disabling it permanently. Can someone from McAfee explain the value of this signature for us?
I've read over the KB provided, and yes, it does describe the signature, so thank you for posting that. However, upon looking at it, the KB also links to another article (KB60989) about the HIPS 7 incompatibility with Citrix EdgeSight due to signature 432. McAfee recommends disabling 432 on these servers.
Since we're getting issues with 6015 (which is a replacement for 432) on Citrix servers, is it McAfee's recommendation to disable 6015 on Citrix servers? If so, is it advisable to simply create a blanket exception for 6015 for any Citrix process? I would rather have one IPS rules policy rather than two if necessary.
Thanks in advance.
> is it McAfee's recommendation to disable 6015 on Citrix servers?
An IPS exception may work if Citrix processes are triggering this signature, but I have not seen any recommendations of just disabling this signature entirely or just a blanket exception for Citrix processes and this signature. You might want to open a Service Request to get these reviewed as possible false positives though (need a debug HIPS MER). Make sure you have the latest HIPS Content applied and that you are using the "McAfee Default" policies for Trusted Applications and IPS Rules in your policy assignments, in addition to any custom policies you have assigned.
McAfee recommends that you disable Application Protection Signature 432 on systems that run Citrix EdgeSight.
According to KB59683, signature 432 has been made into 6012 and 6015 in HIPS 8.