I'm working on tuning events from HIPS signature 3819 - Vulnerability in HTML Help ActiveX Control. In attempting to isolate false positives I would like to sort events by "API Name" which is part of each HIPS event info. However, in the query builder chart and filter pages there are no "API Name" options. I can put the data into the table and add a column for "API Name" but it's under Endpoint Security Threat Events, not Host IPS Event Info. In any case the field is blank since the data did not come from ENS.
Does anyone have experience here or thoughts on this? Any other tips on working with this signature? Thanks!
Thanks, I was afraid of that. I think I've spoken with you via McAfee support.
Still wondering if anyone has any practical experience or lessons learned regarding tuning this signature.
Generally speaking, follow KB73399 for IPS tuning.
KB73399 - FAQs for Host Intrusion Prevention 8.0
Review the section titled “Top Issues -> Client IPS/FAQ - IPS Events”.
For Sig 3819, it covers CVE-2007-0214 (see signature description), which is a Win XP/2000/2003 vulnerability. For vulnerability-based signatures, this is how you'll tune basically.
ePO has bad support for the so-called "IPS parameters" data. Except for file name, none of them can be searched or sorted from the ePO web interface.
So the only way I was able to do something useful with HIPS events is by doing SQL queries directly on the database (as Excel can sort much better :-) )