We are using Cisco SSL VPN with Connect before logon enabled. The problem is that when a user logs into the VPN on an XP Professional workstation, it downloads the connect before logon. HIPS 8.0 is triggering on Signature 959: Prevent modification of the msgina registry key.
The process that is triggering this is msiexec.exe. I can exclude msiexec, but that seems like it would leave me open to a lot of other malware changing the key using the Windows Installer. Is there a way to do an exclusion tied to the installation of just the connect before logon piece? I ran Process Explorer and watched the install, and it appears the first thing that is launched is VPNDownLoader.exe. The stcexe.exe is triggered and msiexec.exe is opened under that.
Is there a way to do an exclusion tied to the installation of just the connect before logon piece?
You can only create the IPS exception with the HIPS IPS event details that it detects. If the 3rd party application is using msiexec.exe, then that's how HIPS will see it.