Is it possible to create a HIPS exception based on the threat type?
For example, if we only want to see events when a particular item is deleted from the registry, can we create an exception for creations and modifications? Is this something we can do from within the Advanced Parameters?
We are running HIPS 7 currently. Please let me know if you have any questions. Thanks!
I would also like to know the answer to this, as well as what additional parameters HIPS 8 affords.
My assumption would be that if it is not something that is added by creating an automatic exception, then you can't make an exception with that parameter.
Thanks for the post, damageinc. I did try creating the automatic exception, but it was not listed as an available field. I am hoping that by using the Custom option within the Advanced Parameters this would be possible.
Thanks Kary. I have run across several instances where it would be valuable to create exceptions based on the threat type.
Right now, we are receiving a lot of false positives for the Yunsip HIPS signature where the threat type is delete. According to the technical details of Yunsip, it only creates or modifies registry keys.
How would we go about requesting a product enhancement for this feature? Also, how would we request having this signature reviewed and possibly changed to prevent deletions from triggering events?
To submit a PER, please use the below KB article.
KB60021 - Information about Product Enhancement Requests for McAfee products
To have a possible false positive reviewed, please open a Service Request with McAfee Support. We will need HIPS debugging enabled, then reproduce the issue, and gather a MER file, as well as any other pertinent details about the violation event.
KB72869 - How to enable Host Intrusion Prevention 7.0/8.0 debug logging
KB59385 - Minimum Escalation Requirements (MER) tool list for McAfee Security Products