kobielusz
Level 7

HIPS 8 - IPS Exception Rule Cleanup


I recently decided to tackle the mess that encompasses our ePO platform. The previous admin would create everything on the fly and did nothing to try and streamline or organize the system...especially when it came to creating Exceptions.

Our site was recently migrated from HIPS 7 to HIPS 8 by our corporate office; however, the mess of course just followed, and with about 2 years remaining here as the primary admin, I would like to clean things up, not only for my own sake but most importantly for the sanity of the next admin to follow.

Soapbox aside, my specific question for the forum relates to the 21 pages of exceptions currently in place on the server, as well over half of them appear to be duplicates of the same Signature ID and Executable, with the differences being in the Parameters.

Is it possible (or recommended) to consolidate 3 individual exception rules for the same Signature ID and Executable into one rule similar to below and eliminate some of the clutter:

Example: Signature ID 913 (Event Log Registry Permissions Modified), Executable C:\WINDOWS\SYSTEM32\SERVICES.EXE

Rule 1

Parameters

Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\ACEEVENTLOG

User Name  NT AUTHORITY\SYSTEM

Rule 2

Parameters

Registry Key \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING

User Name  NT AUTHORITY\SYSTEM

Rule 3

Parameters

Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME

User Name  NT AUTHORITY\SYSTEM

New Rule

Parameters

Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\ACEEVENTLOG

Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING

Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME

User Name  NT AUTHORITY\SYSTEM

or

Parameters

Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\*

User Name  NT AUTHORITY\SYSTEM

This was an example of a smaller one, but I have one related to Backup Exec services that, due to variances in the executable name and path, encompasses almost 2 pages of exceptions alone, all ultimately triggering the same signature ID.

If I'm just overthinking things and this is just the way it is, I'm ok with that too and will at least try to organize them into a common naming structure for each exception, but I also figure eliminating the clutter may reduce any unnecessary overhead on the system as well.

Accepted Solution
McAfee Employee

Re: HIPS 8 - IPS Exception Rule Cleanup


You can consolidate IPS exceptions, but be aware of how exception parameters are AND/OR'd together.  The KB below applies to HIPS 8.0 as well, although the menus look different.  ALL parameters must be listed in a single violation in order for the IPS exception to work.  Trying to use an exception with conflicting information (like, Registry Key and Registry Value) will most likely not work (since the violation will probably not contain both parameters in a single violation; most likely it will be 2 separate violations).  If you review the signature violation events, you can see exactly which parameters are listed.

KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

Different parameter types will be AND'd together (e.g., Signature ID AND REGISTRY KEY AND USERNAME).

Same parameter types will be OR'd together (e.g., REGISTRY KEY OR REGISTRY KEY).

Example:

Signature ID OR Signature ID

AND

Registry Key OR Registry Key OR Registry Key

AND

User Name OR User Name

8 Replies
minds
Level 7

Re: HIPS 8 - IPS Exception Rule Cleanup


I have moved to ePO 5 and HIPS 8 and now I'm having problems with registry keys. They seem to work if used one key per exception. But if I add several to a single exception this doesn't work anymore. I don't have problems consolidating files into a single exception, however.

Had no such problem with ePO 4.5 and HIPS 7

kobielusz
Level 7

Re: HIPS 8 - IPS Exception Rule Cleanup


@minds

Thank you for providing your own input with regard to the registry keys in particular, as that seems to be what I am seeing more of lately as a result of the migration. All of our test workstations have required additional tuning for the registry exceptions when the policies were converted from HIPS 7 to HIPS 8, so I'm about to roll up the sleeves on those and start taking a closer look.

For the record, we are still running ePO 4.5 at the moment so maybe not a difference between the ePO version itself.

Message was edited by: kobielusz on 6/11/13 7:41:19 PM CDT
kobielusz
Level 7

Re: HIPS 8 - IPS Exception Rule Cleanup


@Kary

This is exactly what I was looking for to definitively try and sort this mess out and I guess that my assumptions were tracking along those lines, but it is good to see it in black and white rather than simply guessing how they are processing.

Given the brevity of that technical paper, I think this would make a worthy addition to the product guide and help eliminate any confusion down the road as to how these rules function.

I swear that I had searched about every keyword except "criteria", but that seems to have been the magic word.

Thank you again for the assistance and have a great week!

thurmanw1
Level 7

Re: HIPS 8 - IPS Exception Rule Cleanup


I agree with kobielusz.  I stepped into a similar situation, similar mess and all.  I definitely appreciate the answers and references by Kary.  I just spent the day cleaning up several Exceptions.  I was about 98% sure that the Parameters that I created were right, but it was great to see it in black & white.

minds
Level 7

Re: HIPS 8 - IPS Exception Rule Cleanup


Hello

I have read that KB article before and that has worked with HIPS 7.0 and still works with HIPS 8.0 for file parameters, but I can't get that working with Registry Key parameters. My exception configuration:

(screenshot attached: HIPSException.png)

These start working only if I create separate exceptions for each Registry Key.

I'm just wondering: maybe I can't use \REGISTRY\MACHINE and \REGISTRY\USER\ keys for the same exception. But that KB states that OR is used for the same parameter type and says nothing about values.

McAfee Employee

Re: HIPS 8 - IPS Exception Rule Cleanup

(quoting minds) I'm just wondering: maybe I can't use \REGISTRY\MACHINE and \REGISTRY\USER\ keys for the same exception. But that KB states that OR is used for the same parameter type and says nothing about values.

You can use multiple REGISTRY KEY parameters that are different registry locations.  I've tested this before and just now, and it still works fine.  I used 2 registry hives and a TEST key. 

I created the regkeys TEST and TEST2:

\REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2

\REGISTRY\MACHINE\SOFTWARE\TEST\TEST2

My signature blocks any new regkeys under:

\REGISTRY\CURRENT_USER\SOFTWARE\TEST\**

\REGISTRY\MACHINE\SOFTWARE\TEST\**

With this IPS exception in place:

1. I could not create any new keys under:

     \REGISTRY\CURRENT_USER\SOFTWARE\TEST\

     \REGISTRY\MACHINE\SOFTWARE\TEST\

2. I could create new keys under:

     \REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2

     \REGISTRY\MACHINE\SOFTWARE\TEST\TEST2

(screenshot attached, 2013-06-12: ePolicy Orchestrator 5.0.0, Build 1160)

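The following is an added example, not McAfee code and not taken from KB70652: a small Python model of the matching rule Kary states in the accepted solution (parameter types AND'd, values of one type OR'd, every listed type must be present in a single violation event), applied to the three signature 913 / services.exe rules from the original post and to the two-hive registry test directly above. Assumptions, none of which the thread confirms: the wildcard semantics (`**` spans backslashes, a single `*` stops at one), the event field names, the sample events, and the placeholder signature ID `REGTEST` used for the hive test.

```python
r"""Model of how HIPS IPS exception parameters combine: AND across parameter
types, OR within a type.  Added illustration, not McAfee code.  The wildcard
semantics, the event field names and the sample events are assumptions."""
import re
from typing import Dict, List, Set

Event = Dict[str, str]               # one IPS violation: parameter type -> the single value it carried
ExceptionRule = Dict[str, Set[str]]  # one exception: parameter type -> accepted values or patterns


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    r"""Assumed HIPS-style wildcards: ** spans backslashes, a single * stops at one.
    Paths compare case-insensitively, as Windows paths and registry keys do."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def exception_matches(rule: ExceptionRule, event: Event) -> bool:
    """Every parameter type in the rule must be present in this ONE event (AND);
    within a type, any one of the listed values may match (OR)."""
    for ptype, accepted in rule.items():
        observed = event.get(ptype)
        if observed is None:  # e.g. rule lists a Registry Value but the event only carries a Registry Key
            return False
        if not any(pattern_to_regex(p).match(observed) for p in accepted):
            return False
    return True


def is_blocked(event: Event, rules: List[ExceptionRule]) -> bool:
    """A violation is enforced unless at least one exception matches it."""
    return not any(exception_matches(r, event) for r in rules)


# --- Constructed events for the signature 913 / services.exe case from the post ---
SYS = r"NT AUTHORITY\SYSTEM"
EXE = r"C:\WINDOWS\SYSTEM32\SERVICES.EXE"
EVENTLOG = r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG"
KEYS = [EVENTLOG + r"\ACEEVENTLOG",
        EVENTLOG + r"\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING",
        EVENTLOG + r"\APPLICATION\.NET RUNTIME"]


def event_913(key: str, user: str = SYS) -> Event:
    return {"Signature ID": "913", "Executable": EXE, "Registry Key": key, "User Name": user}


def base_rule() -> ExceptionRule:
    return {"Signature ID": {"913"}, "Executable": {EXE}, "User Name": {SYS}}


SEPARATE_RULES = [{**base_rule(), "Registry Key": {k}} for k in KEYS]   # rules 1-3 from the post
CONSOLIDATED = {**base_rule(), "Registry Key": set(KEYS)}               # the proposed "New Rule"
STAR_RULE = {**base_rule(), "Registry Key": {EVENTLOG + r"\*"}}         # the \EVENTLOG\* alternative
DOUBLE_STAR_RULE = {**base_rule(), "Registry Key": {EVENTLOG + r"\**"}}

SAMPLE_EVENTS = [event_913(k) for k in KEYS] + [
    event_913(KEYS[0], user=r"CORP\jsmith"),  # same key, other user: User Name is ANDed, so no match
    event_913(EVENTLOG + r"\SECURITY"),       # a key none of the three rules listed
]


def same_decisions(rule: ExceptionRule, events: List[Event]) -> bool:
    """True when the single rule blocks/allows exactly what the three separate rules do."""
    return all(is_blocked(ev, [rule]) == is_blocked(ev, SEPARATE_RULES) for ev in events)


def conflicting_rule_matches() -> bool:
    """Registry Key AND Registry Value in one exception: a key-only event can never satisfy both."""
    rule = {**base_rule(), "Registry Key": {KEYS[0]}, "Registry Value": {"MaxSize"}}
    return exception_matches(rule, event_913(KEYS[0]))


def hive_test() -> Dict[str, bool]:
    r"""Kary's two-hive check: a placeholder signature covers ...\SOFTWARE\TEST\** in both
    hives; one exception lists the TEST2 key of each hive.  Returns key -> blocked?"""
    signature = [r"\REGISTRY\CURRENT_USER\SOFTWARE\TEST\**", r"\REGISTRY\MACHINE\SOFTWARE\TEST\**"]
    rule: ExceptionRule = {"Signature ID": {"REGTEST"},  # placeholder ID, not a real HIPS signature
                           "Registry Key": {r"\REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2",
                                            r"\REGISTRY\MACHINE\SOFTWARE\TEST\TEST2"}}
    results: Dict[str, bool] = {}
    for hive in (r"\REGISTRY\CURRENT_USER", r"\REGISTRY\MACHINE"):
        for new_key in ("TEST2", "OTHER"):
            key = "\\".join([hive, "SOFTWARE", "TEST", new_key])
            fires = any(pattern_to_regex(p).match(key) for p in signature)
            results[key] = fires and is_blocked({"Signature ID": "REGTEST", "Registry Key": key}, [rule])
    return results


if __name__ == "__main__":
    print("consolidated rule == 3 separate rules:", same_decisions(CONSOLIDATED, SAMPLE_EVENTS))
    print("\\EVENTLOG\\* rule  == 3 separate rules:", same_decisions(STAR_RULE, SAMPLE_EVENTS))
    print("\\EVENTLOG\\** rule == 3 separate rules:", same_decisions(DOUBLE_STAR_RULE, SAMPLE_EVENTS))
    print("key+value rule matches a key-only event:", conflicting_rule_matches())
    for k, blocked in hive_test().items():
        print(("BLOCKED " if blocked else "allowed ") + k)
```

Two things the model makes visible that the prose does not: listing the three keys explicitly in one rule gives exactly the same decisions as the three separate rules, whereas either wildcard form changes scope (under the assumed semantics `\EVENTLOG\*` fails to cover the `\APPLICATION\...` subkeys, and `\EVENTLOG\**` silently excepts every key under EVENTLOG). Before consolidating, pull the actual violation events from ePO and confirm which parameters each one carries, since an exception that lists a parameter type the event lacks never matches.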
greatscott
Level 12

Re: HIPS 8 - IPS Exception Rule Cleanup


It makes life simpler to break your exceptions out by process name and put the threat name in the "notes" section of the exception. In this area, you may have several threat names. For example:

c:\windows\system32\cmd.exe

1281, 344, 6015, 990, 1148

This of course does not take into account usernames, other file parameters, etc. Like Kary said, I would be very careful with how these are currently intertwined. It works now, but you could easily break something making the changes. Just keep good notes and make the changes slowly and methodically. Have good dashboards set up before you start making your changes.
