damageinc

HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

I've been doing some experimenting with creating exceptions for the 6010 HIPS 8 signature.  Because we're trying to deploy this to thousands of systems, our intent is to use the Subject Distinguished Name and Target Distinguished Name to eliminate a lot of false positives in a more secure way than simply allowing by file path.  The theory is that a known good vendor's digitally signed executable (the subject) can be allowed to hook into another known good vendor's digitally signed executable (the target).

What I have found so far is that if I create an exception for the 6010 signature, with the only two parameters being that the subject executable signer and the target executable signer are given, and there's only a one to one relationship between the two, the exception works as designed.  For example, if a Microsoft signed executable is attempting to hook into a Juniper signed executable, it works, and this is allowed.  See the first two entries in the "parameters" section in the screenshot.

However, if I edit this to include anything else, such as more subject executable signers or more target executable signers, the exception doesn't work as intended.  In the screenshot below, I added McAfee, Microsoft, and Winzip signed executables to the list of possible targets, assuming that this would not just be a one to one relationship.  I figured that any Microsoft signed executable should be allowed to hook into a Juniper, McAfee, Microsoft, or Winzip signed executable.

Exceptions written in this way seem to only work with a one to one relationship, and not with a one to many relationship or a many to many relationship.

Am I just misinterpreting how exceptions should be able to be written?  Has anyone come up with a good, fairly secure method of enabling this signature without having to make a LOT of exceptions?

-DamageInc

[Attachment: 4-11-2013 12-20-26 PM.png]

Accepted Solutions
McAfee Employee

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

Check your IPS signature violations against your IPS exception.  I tested this with multiple Executable and Target_Executable signer entries (with Signature 6011) and it works fine.

My test included opening any Microsoft-signed applications and Google Chrome.  The AND/OR logic applies as below (which is documented in the below KB article; logic applies the same in HIPS 8.0).

KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

Executable:

1. Google signer  OR

2. Microsoft signer

AND

Target_Executable:

1. Google signer  OR

2. 2nd Google signer  OR

3. Microsoft signer

With this, I was able to have cmd.exe and explorer.exe (Executables) open notepad.exe, regedit.exe, and chrome.exe (Target_Executables).  Chrome had to be set up as an Executable and Target_Executable, since Chrome.exe was opening Chrome.exe.

[Attachment: exceptions.jpg]

Message was edited by: ktankink - Spelling corrections on 4/12/13 11:28:08 AM CDT
alexn

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

I don't know exactly; maybe LEARN MODE would work here, or not.

damageinc

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

Learn mode would not be of any use here.  If I make an automatic exception through ePO (similar to if I had clicked "allow" in learn mode), you would get a very detailed exception, with both the subject and target executables fully populated, including their digital signer.  However, this constitutes a one-to-one relationship, and like I mentioned, this works.  It is when you add additional digital signers to the exception that it stops working properly.

damageinc
Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

Kary,

Thanks for the response.  That is how I assumed it should have worked.  I can try it again with the things that are firing the most.  However, the signature I was talking about was the hooking (6010) signature, not the creation (6011) signature.  Does that make any difference?

DamageInc

McAfee Employee

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

damageinc wrote:

However, the signature I was talking about was the hooking (6010) signature, not the creation (6011) signature.  Does that make any difference?

It doesn't make a difference.  IPS exception logic is applied the same to all signatures.  Sig 6011 is just much easier to troubleshoot with, like Sig 413.

Message was edited by: ktankink on 4/12/13 12:59:04 PM CDT
alexn
Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

Just to make this thread more useful:

exe run by exe = new target executable module

exe hooked by exe = new handler module

exe loaded by exe = new caller module (BOF)

Regards

damageinc

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

Kary,

Thank you very much.  It turns out that this does work!  This makes things a lot simpler to manage.  I appreciate the assistance.

-DamageInc

epository

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

I found that the Digital Signature exceptions created by HIPS 8.0 actually modified the Digital Signature so that it doesn't work.

It changes the field for state in the Digital Signature...i.e. instead of "S=California" in the exception, it writes in "ST=California" and the exception won't work.

I used the clientcontrol.exe /log 0 4 option to pull out those entries, and days of configuring and hours of log reading to find this out.

Is this anomaly documented anywhere? After all, my company got to spend thousands of dollars paying me to find a bug in their product.

McAfee Employee

Re: HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

epository wrote:

I found that the Digital Signature exceptions created by HIPS 8.0 actually modified the Digital Signature so that it doesn't work.

It changes the field for state in the Digital Signature...i.e. instead of "S=California" in the exception, it writes in "ST=California" and the exception won't work.

KB72290 - Host Intrusion Prevention 8.0 Extension normalizes digital signer data ("S=" is normalized to "ST=")

https://kc.mcafee.com/corporate/index?page=content&id=KB72290

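The two technical points in this thread, the OR-within-a-parameter / AND-across-parameters evaluation of a signer-based exception from the accepted answer, and the "S=" versus "ST=" normalization of signer distinguished names from KB72290, can be modelled together. The following is an added example written for this page; it is not McAfee's code, does not reproduce how the HIPS client actually compares signer data (exact attribute-by-attribute equality after parsing is an assumption here), and every distinguished name in it is a constructed placeholder rather than a real certificate subject.

```python
"""Added example (not McAfee code): evaluate a HIPS-style IPS exception that is keyed
only on digital signers, and show why normalizing 'S=' to 'ST=' matters.

Assumptions (not from the thread): signer DNs are compared attribute-by-attribute
after parsing; an exception with several Executable or Target_Executable signers
matches if ANY signer in each list matches (OR), and BOTH lists must match (AND).
"""
from dataclasses import dataclass


def parse_dn(dn: str) -> dict[str, str]:
    """Split an X.500-style DN into an attribute map (keys upper-cased, values trimmed).
    Simplified: escaped commas inside values are not handled."""
    attrs: dict[str, str] = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def normalize_dn(dn: str) -> dict[str, str]:
    """Canonical attribute map: the legacy state abbreviation 'S' becomes 'ST',
    the normalization KB72290 describes the HIPS 8.0 extension applying."""
    attrs = parse_dn(dn)
    if "S" in attrs:
        attrs["ST"] = attrs.pop("S")
    return attrs


def dn_equal(a: str, b: str, normalize: bool = True) -> bool:
    """Compare two signer DNs, optionally after S=/ST= normalization."""
    if normalize:
        return normalize_dn(a) == normalize_dn(b)
    return parse_dn(a) == parse_dn(b)


@dataclass
class HookEvent:
    """One Signature 6010 event: a signed executable hooking a signed target."""
    executable_signer: str
    target_signer: str


@dataclass
class SignerException:
    """An IPS exception whose only parameters are Executable and Target_Executable signers."""
    executable_signers: list[str]
    target_signers: list[str]


def exception_allows(exc: SignerException, ev: HookEvent, normalize: bool = True) -> bool:
    """OR within each signer list, AND between the two parameters (accepted-answer logic)."""
    exe_ok = any(dn_equal(s, ev.executable_signer, normalize) for s in exc.executable_signers)
    tgt_ok = any(dn_equal(s, ev.target_signer, normalize) for s in exc.target_signers)
    return exe_ok and tgt_ok


# Constructed placeholder DNs (not real certificate subjects).
MS = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
JUNIPER = "CN=Juniper Networks, O=Juniper Networks, L=Sunnyvale, S=California, C=US"
MCAFEE = "CN=McAfee, O=McAfee, L=Santa Clara, S=California, C=US"
WINZIP = "CN=WinZip Computing, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US"
GOOGLE = "CN=Google Inc, O=Google Inc, L=Mountain View, S=California, C=US"

# The one-to-many exception from the original post: Microsoft-signed executables may
# hook Juniper-, McAfee-, Microsoft- or WinZip-signed targets.
ONE_TO_MANY = SignerException(executable_signers=[MS],
                              target_signers=[JUNIPER, MCAFEE, MS, WINZIP])


def evaluate_samples() -> dict[str, bool]:
    """Run the one-to-many exception over constructed hook events."""
    events = {
        "ms_hooks_juniper": HookEvent(MS, JUNIPER),
        "ms_hooks_winzip": HookEvent(MS, WINZIP),
        "ms_hooks_ms": HookEvent(MS, MS),
        "google_hooks_juniper": HookEvent(GOOGLE, JUNIPER),  # executable signer not listed
        "ms_hooks_google": HookEvent(MS, GOOGLE),            # target signer not listed
    }
    return {name: exception_allows(ONE_TO_MANY, ev) for name, ev in events.items()}


def normalization_demo() -> tuple[bool, bool]:
    """The KB72290 case: the stored exception says 'ST=California', the event reports
    'S=California'. Returns (match without normalization, match with normalization)."""
    stored = "CN=McAfee, O=McAfee, L=Santa Clara, ST=California, C=US"
    exc = SignerException(executable_signers=[MS], target_signers=[stored])
    ev = HookEvent(MS, MCAFEE)  # MCAFEE above still uses 'S=California'
    return (exception_allows(exc, ev, normalize=False),
            exception_allows(exc, ev, normalize=True))


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
    print("S=/ST= mismatch, raw vs normalized:", normalization_demo())
```

Running it shows the one-to-many exception allowing every Microsoft-to-listed-target hook and blocking the two events whose signer is missing from the relevant list, and `normalization_demo()` shows that the same exception fails against an event until both sides spell the state attribute the same way, which is the behaviour epository hit and KB72290 documents.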