steve560
Level 7

HIPS 7.0.4 Application Blocking Exceptions

I've successfully created an Application Blocking Rule to stop an application from executing but now I'd like to create an exception for a specific AD user group to allow them to run the application.  Is this possible in HIPS 7.0.4?

I do not want to use an IPS rule/exception because I have IPS protection set to logging for compatibility and stability reasons.

Thanks,

Steve

0 Kudos
6 Replies
bgable
Level 11

Re: HIPS 7.0.4 Application Blocking Exceptions

Unfortunately, there was a limitation outlined in the Known Issues section of the release notes.

The issue stemmed from an architectural problem that could not be easily corrected in 7.0.

IPS exceptions allow only all users or groups or specified local users to be entered as users. Selecting local groups or domain groups as users is not supported. (364942)

Using AD groups will be fully supported in HIP 8.0 due out late Q3 2010.

0 Kudos
steve560
Level 7

Re: HIPS 7.0.4 Application Blocking Exceptions

Is it possible to create exceptions at all for Application Blocking Rules?  As far as I can tell, exceptions only pertain to IPS rules.

0 Kudos
bgable
Level 11

Re: HIPS 7.0.4 Application Blocking Exceptions

Yes, you should be able to create exceptions either off the event itself or by running AB in adaptive mode which will automatically create a client rule (exception).

0 Kudos
steve560
Level 7

Re: HIPS 7.0.4 Application Blocking Exceptions

I tried creating an exception off of the event in the log and keep getting a "Create Exception Failed" error. Is there a log that will give me more details about the error?

Thanks again for your help.

0 Kudos
bgable
Level 11

Re: HIPS 7.0.4 Application Blocking Exceptions

I would call that a defect then.

Enable verbose orion logging for the HIP extension and then open a support case.

0 Kudos
McAfee Employee

Re: HIPS 7.0.4 Application Blocking Exceptions

The "Create Exception" option in the ePO console only works for Host IPS events (not Network IPS or App Blocking events).

You can create a "Trusted Application" rule and mark that application to be trusted by the App Blocking module, for application hooking.  This will create an application blocking rule to allow your application.

There are not really "exception" rules for Application Blocking. If you wanted some type of "block all users from executing this application, except for certain users" functionality, you could try creating a custom Host IPS signature to block the "execute" operation, and then use an IPS exception to allow certain users to override this signature.

0 Kudos