
HIPS 7.0.4 Application Blocking Exceptions

I've successfully created an Application Blocking Rule to stop an application from executing but now I'd like to create an exception for a specific AD user group to allow them to run the application.  Is this possible in HIPS 7.0.4?

I do not want to use an IPS rule/exception because I have IPS protection set to logging for compatibility and stability reasons.

Thanks,

Steve

6 Replies
bgable
Level 11
Message 2 of 7

Re: HIPS 7.0.4 Application Blocking Exceptions

Unfortunately, there was a limitation outlined in the Known Issues section of the release notes.

The issue stemmed from an architectural problem that could not be easily corrected in 7.0.

IPS exceptions allow only all users or groups or specified local users to be entered as users. Selecting local groups or domain groups as users is not supported. (364942)

Using AD groups will be fully supported in HIP 8.0 due out late Q3 2010.

Re: HIPS 7.0.4 Application Blocking Exceptions

Is it possible to create exceptions at all for Application Blocking Rules?  As far as I can tell, exceptions only pertain to IPS rules.

bgable
Level 11
Message 4 of 7

Re: HIPS 7.0.4 Application Blocking Exceptions

Yes, you should be able to create exceptions either off the event itself or by running AB in adaptive mode which will automatically create a client rule (exception).

Re: HIPS 7.0.4 Application Blocking Exceptions

I tried creating an exception off of the event in the log and keep getting a "Create Exception Failed" error, is there a log that will give me more details about the error?

Thanks again for your help.

bgable
Level 11
Message 6 of 7

Re: HIPS 7.0.4 Application Blocking Exceptions

I would call that a defect then.

Enable verbose orion logging for the HIP extension and then open a support case.

ktankink
McAfee Employee
Message 7 of 7

Re: HIPS 7.0.4 Application Blocking Exceptions

The "Create Exception" option in the ePO console only works for Host IPS events (not Network IPS or App Blocking events).

You can create a "Trusted Application" rule and mark that application to be trusted by the App Blocking module, for application hooking.  This will create an application blocking rule to allow your application.

There are not really "exception" rules for Application Blocking.  If you wanted some type of "block all users from executing this application, except for certain users" functionality, you could try creating a custom Host IPS signature to block the "execute" operation, and then use an IPS exception to allow certain users to override this signature.
