HIPS 8.0 Executables in Firewall Rules

What attributes of the executable does the Firewall Rule match on?

Obvious to me are filename, fingerprint, and signerName.  Does it match on description as well?

I am also unclear on what the wildcard is for signerName.  Obviously the "*" is for any signer.  My question is whether that also picks up unsigned executables as well?  In my experience, it doesn't appear that it does.

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: HIPS 8.0 Executables in Firewall Rules

File Description, yes.

KB71735 - Host Intrusion Prevention 8.0 - Executable File Description field

The wildcard for Signer is verifying if the executable is digitally signed at all.  If not, then this criteria does not match.  There is no functionality looking for "unsigned" executables; the only way to match unsigned apps is to use None.

0 Kudos
Re: HIPS 8.0 Executables in Firewall Rules

In the Host IPS Catalog under Executable to have an entry for McAfee Signed Executables the description and fingerprint must be blank, correct?  Should the filename be blank as well or wildcarded?

If an executable is sometimes signed and sometimes not, it would require two entries in order to match both?

0 Kudos
McAfee Employee

Re: HIPS 8.0 Executables in Firewall Rules

Should the filename be blank as well or wildcarded?

Blank entries are effectively wildcards for that entry.

If an executable is sometimes signed and sometimes not, it would require two entries in order to match both?

Just use a single executable entry with Signer set to NONE, then it will match both signed/unsigned.  Only use the Signed criteria if you're specifically trying to match against a signed executable (whether it be ANY signed or specific digital certificate signed).

The 4 Executable criteria fields (File Description, Filename, Hash, Signer) do not all have to be used.  Mix/match the criteria according to your needs.

0 Kudos
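
The matching rules described in the replies above, modelled as an added example (not McAfee code and not part of the original thread). The `Executable` and `CatalogEntry` types, the sample builds, and exact-equality comparison of non-blank fields are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY_SIGNER = "*"  # per the thread: any signer, but the file must be signed


@dataclass(frozen=True)
class Executable:
    filename: str
    description: str
    fingerprint: str
    signer: Optional[str]  # None means the file carries no signature


@dataclass(frozen=True)
class CatalogEntry:
    filename: str = ""      # blank = wildcard for that field
    description: str = ""
    fingerprint: str = ""
    signer: Optional[str] = None  # None = signer criterion not used


def entry_matches(entry: CatalogEntry, exe: Executable) -> bool:
    # Assumption: non-blank text fields compare by exact equality.
    for criterion, value in ((entry.filename, exe.filename),
                             (entry.description, exe.description),
                             (entry.fingerprint, exe.fingerprint)):
        if criterion and criterion != value:
            return False
    if entry.signer is None:
        return True   # signer ignored: signed and unsigned both match
    if exe.signer is None:
        return False  # "*" or a named signer never matches an unsigned file
    return entry.signer in (ANY_SIGNER, exe.signer)


def matched(entry: CatalogEntry, builds: dict) -> list:
    """Labels of the sample builds that the catalog entry would match."""
    return [label for label, exe in builds.items() if entry_matches(entry, exe)]


# Constructed sample: one tool shipped signed and unsigned, plus another signed file.
BUILDS = {
    "signed": Executable("agent.exe", "Example Agent", "fp-1", "Example Corp"),
    "unsigned": Executable("agent.exe", "Example Agent", "fp-2", None),
    "other": Executable("helper.exe", "Example Helper", "fp-3", "Example Corp"),
}
```

A single entry with only the filename set covers both the signed and unsigned build, while adding `*` as signer narrows it to the signed one.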