
FireWire Attack thwarted by McAfee HIPS?

I've been working on a FireWire Attack POC using Inception (possibly dangerous link removed by Moderator) and it looks like the attack is being thwarted by McAfee HIPS although all I can see is generic intrusion events in the HIPS log.

Can anybody confirm that McAfee HIPS is capable of doing this?

Thanks a lot

Vlad

3 Replies
exbrit
Level 21
Message 2 of 4

Re: FireWire Attack thwarted by McAfee HIPS?

Moved to HIPs by Moderator.

I also removed the link to hacking software as it's against forum terms of service to post such links.

shakira
Level 10
Message 3 of 4

Re: FireWire Attack thwarted by McAfee HIPS?

You can see the full HIPs event in the log file on the endpoint it happened on. It should be under Appdata\roaming\McAfee something something.... \hipsshield.log

Re: FireWire Attack thwarted by McAfee HIPS?

Quick and dirty way of seeing if HIPS is successfully defending = disable HIPS and rerun the test - confirm that the attack actually works first, before enabling HIPS protection. I will add the standard caveats of ensuring you are in a controlled, segregated environment. If the attack works, restore victim and rerun test to see if it fails. If you are getting a large number of events that appear to be related, you will need to do some tuning first (i.e. leave the victim running for a while, look at 'standard' events and try to tune out the noise) then rerun the attack test. Path to HipShield.log here. Ok, hyperlinks still not working! Link here: https://kc.mcafee.com/corporate/index?page=content&id=KB51517

It could be the case that the protection against this attack is offered via one of the generic signatures - would be grand if you could follow up with results if possible?