kenobe
Level 10

HIPS 7 and 8 Question - Blocking/Reporting Hashes


All, I know the functionality is in place to block hashes with HIPS.  The question is this - can I set HIPS to only REPORT on a hash, when found, and NOT block it?

Thanks, Ken

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: HIPS 7 and 8 Question - Blocking/Reporting Hashes


With HIPS 7.0, you would use the Application Blocking module, but it has no LOG ONLY function (only BLOCK or ALLOW).

With HIPS 8.0, you would be using a custom Host IPS signature (see KB below), and you can set this signature to a LOG only severity, but it requires you to set a Protection Policy to LOG. Example: Set the Protection Policy for LOW severity signatures to LOG; however, this will activate all LOW severity signatures to log. If you do not wish to use any of the LOW severity signatures, you'll need to modify all other LOW severity signatures and set their Severity level to DISABLED. Basically, you'd have all LOW severity signatures disabled, except for your custom IPS signature for app blocking by hashes.

KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature

0 Kudos
2 Replies
kenobe
Level 10

Re: HIPS 7 and 8 Question - Blocking/Reporting Hashes


Thanks much

0 Kudos