relayer77
Level 10

Create signature to generate event when an .exe runs

MA 4.0 windows

HIPs 7.0 patch 6.0.1

I want to create a signature in HIPs that will generate an event whenever sc.exe is run on a system in my environment.

Under IPS rules, I tried creating a new signature under both the 'new signature' button and with the 'add signature wizard' process. I tried various settings for severity level and tried it with and without allowing client rule creation. On a test box I would run sc.exe, and used wakeups for testing. I did wait for the IPS property translator to run, and in 2 cases let the settings run overnight. It won't work.

Logging is set during testing to correspond with the severity level in the signature created.

I've been able to test multiple other signatures that I've created, and they've all worked. One example is a registry DWORD value change. If it goes from 1 to 0, I created a signature to log and generate an event, and it worked just fine.

I can't get an event to generate for sc.exe in particular. Any tips would be appreciated.

0 Kudos
3 Replies
McAfee Employee

Re: Create signature to generate event when an .exe runs

In your custom signature Subrule, try:

Rule type: Files

Operations: ALL (specifically create).

Parameters: Include Files sc.exe (or *\sc.exe)

0 Kudos
relayer77
Level 10

Re: Create signature to generate event when an .exe runs

I have tried what you have suggested, but it still didn't work. Also, we have found that when we run sc.exe to test the signature, we get an event consistently that reports a *different* event. The event we get states that a 'tool that enables the remote creation of services has run'. Weird.

0 Kudos
relayer77
Level 10

Re: Create signature to generate event when an .exe runs

Anyone?

0 Kudos