cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
davsanto
Level 7
Report Inappropriate Content
Message 1 of 4
‎07-27-2012 11:59 AM

HIPS 8 Generic SIgnatures

Attempting to create a whitelist rule as described in KB71794.

Enabled Host IPS Signature 6011 and created a specifc exception rule.

While SIgnature 6011 blocks many executables it does not block other executables. 

And there is no exceptions created for this executable.

My understanding is that this siganture will block all executables except the ones in the exception rules.

This is not the case.

Any insight is appreciated.

0 Kudos
Reply
3 Replies
Highlighted
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎07-27-2012 03:49 PM

Re: HIPS 8 Generic SIgnatures 

 My understanding is that this siganture will block all executables except the ones in the exception rules.


Not all executables will be blocked.  Any exectuables listed in the Trusted Applications policy will be allowed to run.    Any other exectuables that you need to allow to run, you should create an IPS exception for those exectuables and Signature 6011.   Also please note Host IPS Best Practices for policy assignments in the Product Guide.

PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

https://kc.mcafee.com/corporate/index?page=content&id=PD22894

Page 37
  
Assigning multiple instances of the policy
Assigning one or more instances of the policy to a group or system in the ePolicy Orchestrator
System Tree provides for single policy multi-purpose protection.
 
The IPS Rules policy and the Trusted Applications policy are multiple-instance policies that can
have more than one instance assigned. A multiple-instance policy can be useful for an IIS
Server, for example, where you might apply a general default policy, a server policy, and an
IIS policy, the latter two configured to specifically target systems running as IIS servers. When
assigning multiple instances, you are assigning a union of all the elements in each instance of
the policy.
 
NOTE: The McAfee Default policy for both IPS Rules and Trusted Applications are updated when
content is update. McAfee recommends that these two policies always be applied to make sure
protection as up to date as possible.
0 Kudos
Reply
Highlighted
kenobe
Level 10
Report Inappropriate Content
Message 3 of 4
‎12-10-2012 01:34 PM

Re: HIPS 8 Generic SIgnatures

I, too, tried putting the executable to be allowed in the IPS policy exceptions for signature 6011 - made no difference as well.   HIPS 8 blocked it every time, with a 6011 signature block.

I also put the executable into the Trusted Apps policy and still got a pop-up  blocking for 6011.

HIPS 7 file blockin was SO much easier.

0 Kudos
Reply
Highlighted
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4
‎12-10-2012 01:48 PM

Re: HIPS 8 Generic SIgnatures 

 I also put the executable into the Trusted Apps policy and still got a pop-up  blocking for 6011.


Trusted Applications do not bypass Signature 6011 (as well as others).   See:

KB71704 - Host Intrusion Prevention Trusted Applications defined

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC