cakeboss
Level 7

HIPS 8.0 rule for preventing creation of specific file names


Is it possible to create a custom HIPS signature or use any other HIPS setting to block specific file names from being created?

I've been able to create a rule that stops them from being executed by selecting "Program" from rule type; however, I've been tasked with making sure files with specific names never get on the machine.  I made an Access Protection rule in VSE for this; however, because AP events are low severity, they are not sent to the ePO server within 5 minutes like High severity HIPS rules are.  I've attempted creating a HIPS rule to block specific file names from being written to the system using "Files" rule type, but that seems to be more for protecting existing files than preventing new ones from being created, which brings me back to the original question:

Is it possible to create a custom HIPS signature or use any other HIPS setting to block specific file names from being created on a system?

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: HIPS 8.0 rule for preventing creation of specific file names


You would use the FILES engine.  In the INCLUDE FILES parameter, specify a path/filename (if no path, use **\ ; just the filename won't work).  Multiple INCLUDE FILES parameters will 'OR' together.  Choose the Operations, as desired.

Something like:

[Attached screenshot: 2014-02-10 17_26_45-ePolicy Orchestrator 4.6.6 (Build_ 176).jpg]

0 Kudos
4 Replies
cakeboss
Level 7

Re: HIPS 8.0 rule for preventing creation of specific file names


I tried this but it doesn't seem to work.  I hope I'm being clear enough on what I'm trying to do.  I'm trying to stop this file from being placed on, or making any changes to, the system.

[Attached screenshot: TI1.jpg]

0 Kudos
McAfee Employee

Re: HIPS 8.0 rule for preventing creation of specific file names


FILE, not DESTINATION FILE.

0 Kudos
cakeboss
Level 7

Re: HIPS 8.0 rule for preventing creation of specific file names


Awesome.  Thank you.

0 Kudos
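
One way to confirm from an endpoint that a FILES rule like the one discussed above really blocks creation wherever the name appears, which is what the `**\` prefix is for. This is an added example, not part of the thread or of McAfee's documentation; `blocked-name.txt` is a placeholder for a name your rule matches, and the script assumes a blocked create surfaces as an access-denied error.

```powershell
# Added example (not from the thread): check whether creating a file with a
# blocked name is denied in several normally writable directories.
# ASSUMPTIONS: 'blocked-name.txt' is a placeholder for a name matched by the
# rule's INCLUDE FILES parameter; a blocked create surfaces as access denied.
$BlockedName = 'blocked-name.txt'
$Directories = @($env:TEMP, $env:USERPROFILE, [Environment]::GetFolderPath('Desktop'))

function Test-Create {
    param([string]$Path)
    # Returns 'Created', 'Denied', 'Exists' or 'Error: <message>'.
    if (Test-Path -LiteralPath $Path) { return 'Exists' }
    try {
        # CreateNew exercises only the create operation and never overwrites.
        $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::CreateNew)
        $stream.Close()
        Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        return 'Created'
    }
    catch {
        # .NET exceptions arrive wrapped; inspect the underlying one.
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.UnauthorizedAccessException]) { return 'Denied' }
        return "Error: $($ex.Message)"
    }
}

foreach ($dir in $Directories) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    # Control: a random name the rule should not match. If this fails, the
    # directory is not writable and the blocked-name result proves nothing.
    $control = Test-Create (Join-Path $dir ([System.IO.Path]::GetRandomFileName()))
    $blocked = Test-Create (Join-Path $dir $BlockedName)

    if ($control -ne 'Created')     { $verdict = 'INCONCLUSIVE (directory not writable)' }
    elseif ($blocked -eq 'Denied')  { $verdict = 'PASS (create blocked)' }
    elseif ($blocked -eq 'Created') { $verdict = 'FAIL (file was created)' }
    else                            { $verdict = "CHECK MANUALLY ($blocked)" }

    New-Object PSObject -Property @{
        Directory = $dir; Control = $control; Blocked = $blocked; Verdict = $verdict
    }
}
```

A FAIL in any directory means the rule's file pattern or selected operations do not cover that create. After a PASS, confirm that the matching HIPS event also reaches the ePO server.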