Within custom signature expert subrules, is it possible to use environment variables other than %systemroot% and %systemdrive%? On page 105 of the HIPS 8 Product Guide for ePO 4.5, it details the use of [iEnv SystemRoot] and [iEnv SystemDrive], but doesn't make mention of other environment variables such as %appdata%, %temp%, etc.
Wondering if anyone has tested it out and knows one way or another.

Message was edited by: greatscott on 2/21/14 10:16:19 AM CST
See page 105 for applicable environment variables for IPS.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
I was able to get variables to resolve using the %VARIABLE% syntax, however, every time it resolved the directory, it left out the backslashes. E.g., %SYSTEMROOT% resolves to C:WINDOWS, instead of C:\WINDOWS. %USERPROFILE% (for SYSTEM account) resolves to C:WINDOWSSYSTEM32CONFIGSYSTEMPROFILE, instead of C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE. I'm not sure why this is though.
The [iEnv SystemRoot] does not appear to be the correct syntax for HIPS 8. I'll have to test this further. I would suggest contacting McAfee Support to formally open a Service Request.

Updated: After testing... on 5/14/14 8:31:26 PM CDT