thelostworld
Level 7

HIP 8 fault IPS detection : Suspicious Double File Extension Execution

I use HIP 8 and found a fault detection for Suspicious Double File Extension Execution (even though the .exe file does not have a double file extension). This is because the path contains an FQDN, e.g.

Time:  11/01/2011 12:10:55
Event:  Intrusion
IP Address/User:  abc def
Description:  wzzip.exe
Path: \\FIL001.ASIA.MYINTERNAL.COM\VOL2$\IT\WZZIP.EXE

Message:  Attack type: Suspicious Double File Extension Execution (Sig Id = 413)

I tried putting the full path in as an exception, but HIP 8 still reports the fault detection. Any suggestions?

0 Kudos
4 Replies
Demeus
Level 7

Re: HIP 8 fault IPS detection : Suspicious Double File Extension Execution

I'm running into the same issue with the Suspicious Double File Extension Execution event (ID 413). I have several programs that run from a network share (i.e. SCCM advertisements, login scripts), and I can't seem to create an override that will allow them to run without being flagged. Has anyone had any luck with exceptions for this event?

0 Kudos
McAfee Employee

Re: HIP 8 fault IPS detection : Suspicious Double File Extension Execution

Look at the event itself in the ePO console.  Is the executable listed as EXECUTABLE or TARGET EXECUTABLE?  Create an IPS exception using the info from the ePO event and see if it matches your IPS exception.

edit: You'll notice that the Threat Source Process Name is probably not WZZIP.EXE, but something else, like EXPLORER.EXE.  Review your event and the Advanced Details at the bottom of the event itself, and review the TARGET PATH for the full path of the WZZIP.EXE.  Modify your IPS Exception to match that of the event itself.

Message was edited by: Kary Tankink on 2/4/11 2:57:30 PM CST
0 Kudos
McAfee Employee

Re: HIP 8 fault IPS detection : Suspicious Double File Extension Execution

thelostworld wrote:

I use HIP 8 and found a fault detection for Suspicious Double File Extension Execution (even though the .exe file does not have a double file extension). This is because the path contains an FQDN, e.g.

The entire file path contains a .com and a .exe, which is why this signature triggers.

0 Kudos
thelostworld
Level 7

Re: HIP 8 fault IPS detection : Suspicious Double File Extension Execution

Absolutely YES. However, why does HIPS detect the path as the executable file?

0 Kudos
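As an added illustration of the explanation above (that the .COM in the server's FQDN plus the .EXE look like two extensions) and of the last question (why the whole path is treated as the file name), here is a constructed comparison of two heuristics. It is not McAfee's signature logic; the sample paths other than the one quoted in the thread and the extension list are assumptions made up for the example.

```python
import ntpath
import re

# Constructed example: a "double extension" heuristic that scans the entire
# path string versus one that only inspects the final path component.
# The extension list is an assumption for illustration, not the product's.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}

# A dotted token of 1-4 alphanumerics ending at a separator, another dot, or end.
SUFFIX_RE = re.compile(r"\.([A-Za-z0-9]{1,4})(?=[\\/.]|$)")


def suffixes_in_full_path(path: str) -> list:
    """All extension-looking tokens anywhere in the path, lower-cased, in order."""
    return [m.group(1).lower() for m in SUFFIX_RE.finditer(path)]


def naive_double_extension(path: str) -> bool:
    """Whole-string scan: cannot tell a DNS label like '.COM' from a file suffix."""
    tokens = suffixes_in_full_path(path)
    return len(tokens) >= 2 and tokens[-1] in EXECUTABLE_EXTS


def basename_double_extension(path: str) -> bool:
    """Inspect only the final path component, so server names never count."""
    name = ntpath.basename(path)          # '\\srv.com\share\x.exe' -> 'x.exe'
    parts = name.lower().split(".")
    if len(parts) < 3:                    # 'wzzip.exe' carries a single suffix
        return False
    return parts[-1] in EXECUTABLE_EXTS   # 'invoice.pdf.exe' -> True


def compare(path: str) -> dict:
    """Show what each heuristic sees for one path."""
    return {
        "path": path,
        "tokens_seen_by_full_scan": suffixes_in_full_path(path),
        "full_scan_flags": naive_double_extension(path),
        "basename_flags": basename_double_extension(path),
    }


if __name__ == "__main__":
    # Constructed sample paths; the first is the one quoted in the thread.
    for p in (
        r"\\FIL001.ASIA.MYINTERNAL.COM\VOL2$\IT\WZZIP.EXE",
        r"\\server.example.org\apps\setup.exe",
        r"C:\Users\Public\invoice.pdf.exe",
        r"C:\Windows\explorer.exe",
    ):
        print(compare(p))
```

The UNC path from the thread is flagged only by the whole-string scan, while a genuine double extension such as invoice.pdf.exe is flagged by both.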