cancel
Showing results for 
Search instead for 
Did you mean: 
stern4141
Level 8

HIPS 8.0 IPS exception for network share issues

Jump to solution

Hi,

I am attempting to create IPS exceptions for 6010/6011 signatures for applications launched from network shares, however they don't seem to be working.  Utilizing other products than 6010/6011 signatures to provide whitelisting is not an option.

The IPS Event in IPS Reporting is showing the Threat Source Process Name in the following format:  \\servername\sharename\subfolder\subfolder\exectuable.exe

However, when I create an exception using this exact path and format for the Executable parameter, the exception is not working.

Can anyone shed any light on how to properly create this exception?  Thank you very much.

ePO 4.6.7

HIPS 8.0.0.2482

0 Kudos
1 Solution

Accepted Solutions
stern4141
Level 8

Re: HIPS 8.0 IPS exception for network share issues

Jump to solution

I believe I've found the issue:  replacing the leading "\\" with "*\" seems to work for executable & target executable file path.

*\servername\sharename\subfolder\subfolder\executable.exe

0 Kudos
2 Replies
stern4141
Level 8

Re: HIPS 8.0 IPS exception for network share issues

Jump to solution

I believe I've found the issue:  replacing the leading "\\" with "*\" seems to work for executable & target executable file path.

*\servername\sharename\subfolder\subfolder\executable.exe

0 Kudos
djcabz
Level 7

Re: HIPS 8.0 IPS exception for network share issues

Jump to solution

stern4141,

What happens if I do this on my local PC?

C:\servername\sharename\subfolder\subfolder\executable.exe


not a big deal if you are using signer and or file description and or hash... but someone folks may consider wildcarding and I just want to have folks consider the ramifications...


would using ?\servername\sharename\subfolder\subfolder\executable.exe  work in  your environment?  Might be safer, maybe?

0 Kudos