Level 12

Environment variables in HIPS custom signatures

Within custom signature expert subrules, is it possible to use environment variables other than %systemroot% and %systemdrive%? On page 105 of the HIPS 8 Product Guide for ePO 4.5, it details the use of [iEnv SystemRoot] and [iEnv SystemDrive], but doesn't make mention of other environment variables such as %appdata%, %temp%, etc.

Wondering if anyone has tested it out and knows one way or another.

Message was edited by: greatscott on 2/21/14 10:16:19 AM CST
0 Kudos
2 Replies
Level 9

Re: Environment variables in HIPS custom signatures

I don't have an answer but I had the exact same question.

0 Kudos
McAfee Employee

Re: Environment variables in HIPS custom signatures

See page 105 for applicable environment variables for IPS.

PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide


I was able to get variables to resolve using the %VARIABLE% syntax; however, every time it resolved the directory, it left out the backslashes. E.g., %SYSTEMROOT% resolves to C:WINDOWS, instead of C:\WINDOWS. %USERPROFILE% (for SYSTEM account) resolves to C:WINDOWSSYSTEM32CONFIGSYSTEMPROFILE, instead of C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE. I'm not sure why this is, though.

The [iEnv SystemRoot] does not appear to be the correct syntax for HIPS 8. I'll have to test this further. I would suggest contacting McAfee Support to formally open a Service Request.

Updated: After testing... on 5/14/14 8:31:26 PM CDT