damageinc
Level 7

Exception Wildcards Traversing Dot Characters in File Paths

Is there any possible way to account for files with multiple dots in their names or file paths with folders that contain dots when writing HIPS 8 exceptions?

For example, let's say you have the following paths in an event:

C:\WINDOWS\EPO.4.6\TEST\TEST\123.exe

If you're using wildcards, you can't make an exception like this:

?:\WINDOWS\**\123.exe

or this:

?:\WINDOWS\*\TEST\TEST\123.exe

You would have to make the exception like this:

?:\WINDOWS\*.*.*\**\123.exe

Is there some way to account for multiple dots in a path when doing HIPS 8 exceptions with wildcards?  Surely I must be missing something obvious.

0 Kudos
6 Replies
McAfee Employee

Re: Exception Wildcards Traversing Dot Characters in File Paths

If you're using wildcards, you can't make an exception like this:

?:\WINDOWS\**\123.exe

You can't use a wildcard for the drive letter, but the rest works.

C:\WINDOWS\**\123.exe

**\WINDOWS\**\123.exe

C:\WINDOWS\*\TEST\TEST\123.exe

**\\WINDOWS\*\TEST\TEST\123.exe

For C:\WINDOWS\EPO.4.6\TEST\TEST\123.exe, these all should work:

C:\WINDOWS\*.*.*\TEST\TEST\123.exe

C:\WINDOWS\*.4.6\TEST\TEST\123.exe

**\WINDOWS\EPO.*.*\TEST\TEST\123.exe

**\WINDOWS\EPO.**\TEST\TEST\123.exe

0 Kudos
damageinc
Level 7

Re: Exception Wildcards Traversing Dot Characters in File Paths

Are you sure you can't use "?" as a single character wildcard for a drive letter?  I have a lot of exceptions like this, and they do work.

Also, what is the significance of the double stars and the double slashes at the beginning of some of your examples?

Ultimately, the group of the four examples tells me that you can't use double or single asterisk wildcards to traverse a path that has period characters in it.  Why, however, is **\WINDOWS\EPO.**\TEST\TEST\123.exe valid?  Shouldn't it fail because there would be an extra period in the EPO.4.6 folder?

0 Kudos
McAfee Employee

Re: Exception Wildcards Traversing Dot Characters in File Paths

Are you sure you can't use "?" as a single character wildcard for a drive letter?  I have a lot of exceptions like this, and they do work.

Hmm, it does seem to work for Executables (haven't seen it work before), but if you use the FILES parameter, it does not.

Also, what is the significance of the double stars and the double slashes at the beginning of some of your examples?

** and * are treated differently in HIPS (and VSE).  ** ignores the backslash characters, per the product documentation (KB71522). 

Ultimately, the group of the four examples tells me that you can't use double or single asterisk wildcards to traverse a path that has period characters in it.  Why, however, is **\WINDOWS\EPO.**\TEST\TEST\123.exe valid?  Shouldn't it fail because there would be an extra period in the EPO.4.6 folder?

The ** covers any characters (including backslashes) between EPO. and \TEST.  Using one * would exclude backslashes, but would still work.

0 Kudos
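The original question and the reply above come down to the difference between * and **, not to dots in folder names. As an added illustration (not code from the thread or from the product), here is a small Python matcher that applies the wildcard rules the reply describes (** crosses backslashes, * stops at one) to the patterns posted in this thread; treating ? as any single non-backslash character and matching case-insensitively are assumptions, and it does not model the Executables-versus-Files parameter difference mentioned in the reply.

```python
import re

# Wildcard semantics as described in the reply (and KB71522 as summarised there):
#   **  matches any run of characters, including backslashes (crosses folders)
#   *   matches any run of characters except backslash (stays in one component)
#   ?   matches exactly one character (assumption: any character except backslash)
# Case-insensitive matching is assumed, since Windows paths are case-insensitive.

def hips_pattern_to_regex(pattern: str) -> str:
    """Translate a HIPS-style wildcard path into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '*':
            if pattern.startswith('**', i):
                out.append(r'.*')          # ** may span path separators
                i += 2
                continue
            out.append(r'[^\\]*')          # * must stop at a backslash
        elif ch == '?':
            out.append(r'[^\\]')
        else:
            out.append(re.escape(ch))      # dots, backslashes, letters are literal
        i += 1
    return '^' + ''.join(out) + '$'

def hips_match(pattern: str, path: str) -> bool:
    return re.match(hips_pattern_to_regex(pattern), path, re.IGNORECASE) is not None

EVENT_PATH = r'C:\WINDOWS\EPO.4.6\TEST\TEST\123.exe'   # the path from the question

# Patterns the reply says should match EVENT_PATH
WORKING = [
    r'C:\WINDOWS\**\123.exe',
    r'**\WINDOWS\**\123.exe',
    r'C:\WINDOWS\*\TEST\TEST\123.exe',
    r'C:\WINDOWS\*.*.*\TEST\TEST\123.exe',
    r'C:\WINDOWS\*.4.6\TEST\TEST\123.exe',
    r'**\WINDOWS\EPO.*.*\TEST\TEST\123.exe',
    r'**\WINDOWS\EPO.**\TEST\TEST\123.exe',
]

def check_thread_patterns() -> dict:
    return {p: hips_match(p, EVENT_PATH) for p in WORKING}

if __name__ == '__main__':
    for p, ok in check_thread_patterns().items():
        print(f'{ok!s:5} {p}')
    # A single * cannot span EPO.4.6\TEST\TEST (two backslashes), so this is False
    print(hips_match(r'C:\WINDOWS\*\123.exe', EVENT_PATH))
    # Breadth caveat: a leading ** also matches a WINDOWS folder on any drive or depth
    print(hips_match(r'**\WINDOWS\**\123.exe', r'D:\Temp\WINDOWS\x\123.exe'))
```

The last check is the one to keep in mind when writing exceptions: **-based patterns are convenient, but they also match paths well outside the folder you had in mind, so prefer the narrowest form (an explicit drive and single-* components) that still covers the event.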
McAfee Employee

Re: Exception Wildcards Traversing Dot Characters in File Paths

Also, sorry, the double slashes were a mistype (\ and W together are hard to distinguish).  That was supposed to be a single \ character.

0 Kudos
greatscott
Level 12

Re: Exception Wildcards Traversing Dot Characters in File Paths

Sort of off topic but sort of on topic:

Can you use wildcards in the threat source username field? Specifically when working to wildcard out the domain or system name before the username?

so instead of creating exceptions for:

systemderp\ktankink

domainderp\ktankink

could you just write:

*\ktankink

Thanks!

Message was edited by: greatscott on 3/21/14 9:59:23 AM CDT
0 Kudos
McAfee Employee

Re: Exception Wildcards Traversing Dot Characters in File Paths

I tested the following (including local system names and domain names with wildcards) and it worked fine.

*\administrator

systemna*\administrator

domainna*\administrator

0 Kudos