cancel
Showing results for 
Search instead for 
Did you mean: 

Create a signature exception for an entire folder

My organization makes use of of a few different web portal technologies, both of which create compressed temp files on the disk.  We have HIPS 7.0, and a signature for IIS6 Evelope - File Modification by IIS Process.

I know the process and the user account it's run as.  I also know the location used for the temp files.  The temp file names, however, change constantly.  What I'd like to be able to do is create an exception to this particular signature for that location, rather than one that excludes a particular file name.

Is that possible, and if so, can anyone shed some light as to how?

7 Replies
bgable
Level 11
Report Inappropriate Content
Message 2 of 8

Re: Create a signature exception for an entire folder

The best way is to create an exception from the event itself.  You can incorporate a wildcard if you need to but make sure you have other parameters to make the signature specific to that process and user account.

Re: Create a signature exception for an entire folder

I can't get this to work either.  Is it possible to exclude an entire folder from a signature?

I'm testing on the Adobe folder for signature 3905.  I've gone bare-bones with my test case: no parameters defined aside from Executable, and within the Executable, only File Name defined.  I've tried every iteration of wildcards.  Right now, I have C:\**\ADOBE\**\*.EXE .

3905 is still being triggered by executables in Adobe folders though.  What am I missing?

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 8

Re: Create a signature exception for an entire folder


eyanchuk wrote:


Is it possible to exclude an entire folder from a signature?


Yes, you can exclude entire directories, if you wish.  The syntax would be similar to the previous suggestions.

C:\**\ADOBE\**

or

C:\**\ADOBE\

Re: Create a signature exception for an entire folder

C:\**\FOLDERNAME\ does appear to be working.

Interestingly, C:\**\FOLDERNAME\**\*.EXE also seemed to work.

But, why doesn't **\FOLDERNAME\ or just FOLDERNAME\ work?

Re: Create a signature exception for an entire folder

I'm stuck.  My folder exceptions aren't working 100% of the time.  Some examples:

I'm trying to exclude C:\PROGRAM FILES (86)\MICROSOFT LYNC\UCMAPI.EXE with C:\**\MICROSOFT*\ or C:\MICROSOFT LYNC\, but nothing is working.

Neither is C:\USERS\NAME\APPDATA\LOCAL\CITRIX\GOTOMEETIN\3211\G2MUPLOAD.EXE with C:\**\CITRIX\.

Any thoughts on why this isn't working?

Re: Create a signature exception for an entire folder

I think there might be a problem if there's a space in the file path, as in PROGRAM FILES (X86).  Does anyone know about this issue or how to get around it?

shakira
Level 10
Report Inappropriate Content
Message 8 of 8

Re: Create a signature exception for an entire folder

Hi,

If you want to exclude the hips file: "C:\PROGRAM FILES (86)\MICROSOFT LYNC\UCMAPI.EXE" then you need to write the exclusion like this (following your way above):

**\Microsoft*\**

Or

**\Microsoft*\*.exe

But my suggestions are these since you know the directory

**\Microsoft Lync\**

OR

**\Microsoft Lync\*.exe

In your example without the stars at the end, you are telling it to literally look for and ignore a directory (C:\**\MICROSOFT*\). It doesn't know to keep looking deeper for any files in that directory. This seems to be your problem for the other example well.