dmease729
Level 11

Can meaningful exceptions be configured for signature 1226?

Hi,

A bit of background before the actual question, which in summary is "Can meaningful exceptions be configured for signature 1226?".  I am also sigs 531 and 532 into this as well, as I am running into the same problem.

Host IPS 8.0 currently running in adaptive mode.  To confirm adaptive mode was operating as required, I tweaked signature 413 (severity and client rules settings), copied calc.exe to calc.xls.exe, and then ran the new executable.  Sent the props, ran the property translator task, and hey presto it is sitting in ePO as an IPS client rule.

Now I know that I ran the executable from Windows Explorer, so what I am seeing makes sense.  The description of the signature in question (snipped) is:

"...This event indicates that a file with two extensions (such as readme.txt.exe) was run..."
"...To execute legal programs that contain multiple extensions ... ... create an exception for this security event so that your trusted file is exempt from triggering this signature."

So coming back to the fact that I know what happened, examining a few fields in the client rule generated:

Full executable name: C:\WINDOWS\EXPLORER.EXE
Secondary Full executable name: C:\TEMP\CALC.XLS.EXE

Makes sense!  If I see something else along these lines that I have initiated, I will have all of the information to act, either initiating a security incident or creating relevant exceptions.

While I was testing, there were a number of other things happening in the background, and I noted some other client rules generated:

Sig ID: 1226 (...MS IIS process has tried to modify a file outside its own directory...)
Full executable name: C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE
<Other information deemed helpful in this case>: none
<Further information obtainable from HIPS console on target server>: none

So... do I take it from this that if the action is legitimate, we can only configure an exception for W3WP.EXE as a whole, no matter what it is trying to modify, as we don't know in this instance what it has tried to modify?  There is no way to add an exclusion to say 'W3WP.EXE can modify X, Y and Z, but that is all'?

cheers,

16 Replies
greatscott
Level 12

Re: Can meaningful exceptions be configured for signature 1226?

yes, you can create exceptions for 1226 without using just the executable as a whole. for some reason I have had some issues with this signature though. first what you would do is look at a 1226 event. as you noted, it will be w3wp.exe as the threat source process name attempting to modify some other arbitrary file path. to find this path, look at the event in ePO, at the bottom under "Host IPS 8.0 Event Information". This path will be listed as "Files".

Once you have these bits of data, (the signature, threat source process name, and file), you can create the exception. In the exception, specify the signature, put the threat source process name in as the "executable", and your "files" will go under the parameters section in the exceptions builder.

so your answer is yes, you can specify that w3wp.exe can only modify x,y and z. you have to specify x,y, and z in the "parameters" section of the exceptions builder.

dmease729
Level 11

Re: Can meaningful exceptions be configured for signature 1226?

Hi,

First of all - great name :-)

In the IPS Client Rule in ePO, there is no "Host IPS 8.0 Event Information" link.  There are "Go to related System", "Go to related Computer Property" and "Go to related detected system".  The Host IPS 8.0 Event Information link tends to be listed in the events, but not the IPS client rules, which may be the issue here?  Is the question now "is it possible to get the information required from an IPS client rule (whilst in adaptive mode) to configure a meaningful IPS exception"?  Or to put it another (harsh, maybe incorrect) way "Is adaptive mode next to useless for some signatures, when we are trying to determine exceptions after the initial logging period has come to an end"?

cheers,

greatscott
Level 12

Re: Can meaningful exceptions be configured for signature 1226?

dmease, I wasn't saying in the client rule, I'm talking about if you have adaptive mode turned OFF and you see a 1226 event come into ePO in the Threat Event log. Click into the specific 1226 event in ePO. Look toward the bottom for the advanced parameter data. You will see the section I am talking about. It will generally have a Files section, subject distinguished name, etc. That "files" section will yield the file name for the advanced parameter you are looking for.

Or you can heed Peter's advice and chalk it up to being a "Junk" rule. 

dmease729
Level 11

Re: Can meaningful exceptions be configured for signature 1226?

Hi guys,

Thanks for the feedback, it is appreciated!  In response to the above:

Peter - I tend to read a lot of the documentation, and when I get the chance I will get together a list of inconsistencies or ambiguities in them.  The documentation is in general fantastic, don't get me wrong, but has caused me frustrations at times.  Also, best practice doesn't necessarily mean the same as it must be followed - some of the best practice documentation lacks basic explanations (that are meaningful) discussing why things are done in certain ways.  Although my decision may have been wrong, we were on tight timescales, and didn't have a great deal of time to go through many logs (not the best situation, granted - and I am aware of the aggregation functions which would have sped it up slightly).  Great comment on this signature also - I have come across a few situations like this :-)

Scott - my question stated I was running in adaptive mode :-)  Not having a go - I have done the same thing myself, and I genuinely thank you for your comments - I like having these types of conversations (even if they point to me doing something wrong :-\ )

Peter - I don't understand the comment "You only use Adaptive mode for very short periods to get the format of the client exception correct." - If it is for formatting purposes only, what is the point of adaptive mode?  The best practice section in the install guide clearly states:

"By setting representative hosts in adaptive mode during the pilot, you create a tuning configuration for each usage profile or application. The IPS feature then allows you to take any, all, or none of the client rules and convert them to server-mandated policies."

In this case I wouldn't be able to take the client rules generated and convert them to server mandated policies, as they would be too general, and if I wanted to make them more specific I wouldn't have the information to do so.  Genuine question - I really feel like I am missing something here!

Cheers,

greatscott
Level 12

Re: Can meaningful exceptions be configured for signature 1226?

I don't particularly subscribe to the whole "adaptive mode" deal. I like creating the exceptions without all the tertiary crap that gets put into exceptions that are created automatically.

back to the 1226 and w3wp.exe talk. I feel like right on the same day that the HIPS content update was released last month (14 August 2013), we had a definite inflection in w3wp.exe events, for several threat names. the content update did not include any of the threat names that are firing in the graph below, but I can't help but think they were somehow modified. the lines are threat target hostnames, and they are IIS servers, also these events are filtered by w3wp.exe threat source process name.

so, sequence of events:

1. 14 August 2013 - HIPS content was released

2. 15 August 2013 - Major inflection of w3wp.exe related events on all IIS servers

3. 2 September 2013 - People making posts about how to tune 1226 and w3wp.exe (could just be coincidental)

Inflection:

[Image w3wp.png: graph of w3wp.exe events per IIS server (one line per threat target hostname), showing the inflection]

damageinc
Level 7

Re: Can meaningful exceptions be configured for signature 1226?

Scott,

Thanks for posting the info about the last content update.  I also saw a massive blow up in the IIS-related events that started on the date of the most recent content update.  I wonder if there was a phantom update to this signature, because they were not listed in the August content update.

Secondly, if a McAfee employee is on the record on the forums as saying a certain signature is "junk", then why does this signature even exist?

-DamageInc

greatscott
Level 12

Re: Can meaningful exceptions be configured for signature 1226?

Another content update, another spike in 1226 events related to w3wp.exe.... from tens of events per day, to hundreds, right after the content update is made...

dmease729
Level 11

Re: Can meaningful exceptions be configured for signature 1226?

Hello all,

Could I ask a favour and request that a separate thread is created for the event spikes, with a cross reference to this thread if required.  I would like to discuss my initial question further in this thread - although I appreciate that from the looks of it there is a definite concern with the HIPS updates! :-)

Carrying on from the initial question, Kary - as you advise that the IPS Client Rules need to be tweaked when added to the policy, could you confirm if I am correct with the following statement:  IPS Client Rules (generated whilst running in adaptive mode), when added to an IPS policy, are very general and broad, and will require tweaking to ensure that exceptions only apply to further specified parameters such as files, registry locations etc.

If the above is correct, again I fail to see the benefit of adaptive mode, as it is highly unlikely that the person configuring the required exception will be able to enumerate all of the possibilities for files/registry entries etc (they will need to, otherwise the rule will be too generic).  Even if they get in a subject matter expert, the SME may not know the required configuration themselves. 

In an enterprise deployment, where there are hundreds of applications, there is not a chance that all of the required exceptions will be known, and each group will be relying on the information provided by HIPS.  For example, programA.exe, related to Application A has caused an IPS client rule to be created (still running in adaptive mode here).  The details of the rule generated are passed to those responsible and accountable for application A to confirm whether or not this is expected behaviour.  In the case of adaptive mode, the level of information required is not available.  This information *would* have been available in logging mode.

I am failing to see under what real world situation adaptive mode is useful.  If an IPS client rule is generated it *must* be reviewed by somebody familiar with the application in question to confirm if an exception can be created from it.  And in this case they will simply come back to advise that there is not the level of information required to make a decision.

The *only* possible exception to what I currently believe (that Adaptive mode is close to useless - which has to be incorrect) are those signatures that have 'allow creation of client rules' enabled in them by default, as I would assume that the creator of those signatures has deemed that due to the type of signature, the level of detail included in an IPS Client Rule would be actionable and sufficient to make a decision.  I cannot test at the moment, but will have a look into when I get a moment.

Cheers,

McAfee Employee

Re: Can meaningful exceptions be configured for signature 1226?

Carrying on from the initial question, Kary - as you advise that the IPS Client Rules need to be tweaked when added to the policy, could you confirm if I am correct with the following statement:  IPS Client Rules (generated whilst running in adaptive mode), when added to an IPS policy, are very general and broad, and will require tweaking to ensure that exceptions only apply to further specified parameters such as files, registry locations etc.

IPS Client Rules learned in Adaptive mode are very SPECIFIC, as they have specific details to the executable, files, registry keys, workstation name, etc.  You will need to tweak the IPS exception to be LESS specific, to cover events that are similar in nature (e.g., if you don't remove the WORKSTATION NAME parameter from an IPS exception, that exception will only work on a single system, regardless of whether the policy is applied to any number of systems).

Think about it in terms of a Firewall Rule.  Would you create a Firewall Rule for every specific application (every path, MD5 hash, signer, app description), for every specific remote port, specific remote IP, specific local IP, specific local port, etc.?  You could, but your policy would be so large that it would be an administrative nightmare, along with product issues that could occur from trying to run a policy with thousands and thousands of rules.  Instead, combine certain properties together to come up with rules that are generic in nature, but still specific enough to not let unnecessary/undesired traffic through.

As far as tuning IPS events, refer to the HIPS 8.0 FAQ.  It details how that process should work.

KB73399 - FAQs for Host Intrusion Prevention 8.0

https://kc.mcafee.com/corporate/index?page=content&id=KB73399

Client IPS/FAQ - IPS Events

IPS signature events are one of the top call generators for the Host Intrusion Prevention (Host IPS) product. Normally, these inquiries are the result of IPS Signature Event triggers. In general, Host IPS offers IPS and firewall protection for endpoint systems as part of a layered protection strategy. This layered protection strategy should include Network gateway firewall/intrusion systems or filtering, endpoint anti-virus, and endpoint anti-malware applications, in addition to Host IPS.

Host IPS signature content provides security to protect against known system vulnerabilities and unknown (zero-day) vulnerabilities. Zero-day is defined as the gap between unpatched systems and subsequently applying released security updates for confirmed vulnerabilities. Host IPS content contains generic buffer overflow and other generic signature mechanisms to protect systems during this zero-day gap period. However, McAfee recommends that you apply all operating system and application-specific security updates as soon as practical within your environment to reduce frequent or repeated IPS signature detections. 

McAfee advises that you follow a general methodology for reviewing operating system and application-specific security updates, and also patch systems and applications on a monthly or regular basis. McAfee also advises that you review monthly Host IPS signature updates for correlation to specific vendor security updates that are released. Host IPS signatures mapping directly to vendor-available security updates can be safely disabled on updated systems. McAfee recommends that you review enabled signature content and system patching with available security updates monthly to reduce the likelihood of excessive false positives on already updated systems.

Use the following general methodology when assessing IPS signature events:

  1. Identify the signature number that is being triggered.
  2. Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
  3. Review the References CVE description link(s), if any are included in the description information for that signature.
  4. Identify whether any Microsoft Technet Security Bulletins are linked for the applicable vulnerability, and identify whether any Microsoft security updates have been released that resolve the vulnerability.
  5. Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied (as noted above):
    1. If so, the applicable IPS Signature may be disabled on the systems having the associated Microsoft Security Updates applied.
    2. If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
  6. If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
  7. Identify whether the event triggers correlate to normal business usage or process.
  8. Identify whether the systems experiencing the event have all of the latest Microsoft Security Updates applied.
  9. Identify whether the IPS event is specific for a third-party process, such as Adobe or other non-Microsoft application, process, or other tool. If so, review all applicable security updates from the vendor and ensure they are applied on the systems.
  10. If the signature is still triggering after an applicable vendor security update has been applied, consider the event a false positive and either disable the signature to the updated systems, or create an IPS exception for the updated systems to stop all further signature detections.
  11. If there is no applicable vendor security update available, determine whether the affected systems have current anti-virus and anti-malware definitions for McAfee VirusScan or other installed endpoint protection application. Perform a full scan on the affected systems.
  12. Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.
  13. Enable verbose debug logging by enabling Log security violations for Host IPS so advanced information can be collected in the HipShield.log. See article KB54473 for relevant information regarding IPS security violations in the HipShield.log.
  14. Contact McAfee support for further analysis.

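An added illustration (not McAfee's code and not anything from the product) of the scoping difference this thread turns on: an executable-only exception for signature 1226 versus one scoped by the Files parameter, plus Kary's tuning step of dropping the workstation name from a learned client rule. The dataclass fields, the sample file paths and the host names are assumptions made for the model; only the W3WP.EXE path comes from the thread.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class IpsEvent:
    """One Host IPS event or client rule, reduced to the fields the thread discusses."""
    signature: int
    executable: str                    # threat source process name
    files: Optional[str] = None        # "Files" advanced parameter, None when absent
    workstation: Optional[str] = None

@dataclass(frozen=True)
class IpsException:
    """An IPS exception: signature, executable, and optional parameters."""
    signature: int
    executable: str
    files: tuple = ()                  # empty = any file, i.e. executable-only exception
    workstation: Optional[str] = None  # None = any system

def matches(exc: IpsException, ev: IpsEvent) -> bool:
    """True if the exception would suppress the event (paths compared case-insensitively)."""
    if exc.signature != ev.signature or exc.executable.lower() != ev.executable.lower():
        return False
    if exc.workstation and exc.workstation.lower() != (ev.workstation or "").lower():
        return False
    if exc.files:
        # A file-scoped exception cannot be evaluated against an event that recorded
        # no Files parameter; that is the gap dmease729 hit with the 1226 client rule.
        if ev.files is None:
            return False
        return any(fnmatchcase(ev.files.lower(), pat.lower()) for pat in exc.files)
    return True

def client_rule_to_exception(rule: IpsEvent, keep_workstation: bool = False) -> IpsException:
    """Kary's tuning step: keep the file detail a learned client rule carries, but drop
    the workstation name so the exception applies to every system under the policy."""
    return IpsException(rule.signature, rule.executable,
                        files=(rule.files,) if rule.files else (),
                        workstation=rule.workstation if keep_workstation else None)

W3WP = r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE"   # process name from the thread
# Constructed sample events (file paths and host names are made up for illustration).
LOG_WRITE = IpsEvent(1226, W3WP, r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex130902.log", "IIS01")
TEMP_WRITE = IpsEvent(1226, W3WP, r"C:\Windows\Temp\unexpected.tmp", "IIS01")
NO_DETAIL = IpsEvent(1226, W3WP)                 # the client rule as it showed in ePO

BROAD = IpsException(1226, W3WP)                                  # whole process exempted
SCOPED = IpsException(1226, W3WP, files=(r"C:\inetpub\logs\*",))  # only its log directory

if __name__ == "__main__":
    for name, ev in (("log", LOG_WRITE), ("temp", TEMP_WRITE), ("no detail", NO_DETAIL)):
        print(f"{name:10} broad={matches(BROAD, ev)!s:6} scoped={matches(SCOPED, ev)}")
```

The broad exception suppresses every 1226 event from w3wp.exe, including the write outside its directory, while the scoped one only covers the log directory and cannot be matched at all against the detail-less client rule.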