
Creating exceptions by threat type

Is it possible to create a HIPS exception based on the threat type?

For example, if we only want to see events when a particular item is deleted from the registry, can we create an exception for creations and modifications?  Is this something we can do from within the Advanced Parameters?

We are running HIPS 7 currently.  Please let me know if you have any questions.  Thanks!

0 Kudos
5 Replies
damageinc
Level 7

Re: Creating exceptions by threat type

I would also like to know the answer to this, as well as what additional parameters HIPS 8 affords.

My assumption would be that if it is not something that is added by creating an automatic exception, then you can't make an exception with that parameter.

0 Kudos

Re: Creating exceptions by threat type

Thanks for the post damageinc, I did try creating the automatic exception but it was not listed as an available field.  I am hoping by using the Custom option within the Advanced Parameters that this would be possible.

0 Kudos
McAfee Employee

Re: Creating exceptions by threat type

ugongetralphed wrote:

Is it possible to create a HIPS exception based on the threat type?


No, I don't think this is possible.

0 Kudos

Re: Creating exceptions by threat type

Thanks Kary.  I have run across several instances where it would be valuable to create exceptions based on the threat type. 

Right now, we are receiving a lot of false positives for the Yunsip HIPS signature where the threat type is delete.  According to the technical details of Yunsip, it only creates or modifies registry keys.

How would we go about requesting a product enhancement for this feature?  Also, how would we request having this signature reviewed and possibly changed to prevent deletions from triggering events?

Thanks again!

0 Kudos
McAfee Employee

Re: Creating exceptions by threat type

To submit a PER, please use the below KB article.

KB60021 - Information about Product Enhancement Requests for McAfee products

To have a possible false positive reviewed, please open a Service Request with McAfee Support.  We will need HIPS debugging enabled, then reproduce the issue, and gather a MER file, as well as any other pertinent details about the violation event.

KB72869 - How to enable Host Intrusion Prevention 7.0/8.0 debug logging

KB59385 - Minimum Escalation Requirements (MER) tool list for McAfee Security Products

0 Kudos