Is any one having this problem with Signature 3754, 6015 since install the HIPS 8 patch2. We are having this issue on all machine that has this patch, As soon we open the Winword.exe, it crashes. We have installed the word plugins before the patch installation and it was working finie on all of the machine. Word start getting crashes after the patch being installed.
We have checked the McAfee log and see that plugin and winword.exe being blocked by sig id 3754, 6015 and 3905. When we set the exception, issue get resolved. Is anyone having the solution for this?
We are having following configuration:
Signature 6015: Suspicious Function Invocation – Target Address Mismatch
Signature 3754: Illegal Execution in Winword.exe
we saw many blocks pertaining to:
MSO.DLL as Caller Module
WINWORD.EXE as Executable
Signature 6015 Suspicious Funcation Invocation - Target Address Mismatch
Learn anything new since your post?
I suspect the issue is with 6015, it seems to fire on alot of microsoft processes: outlook.exe, communicator.exe, etc, with the advanced parameter of clr.dll and a few others that I can't recall off the top of my head.
I would not block 6015, but rather set it to informational, and log. It seems to create a bunch of noise. I think they attempted to fix it in one recent content update, but for us it continues to generate false positive data.Message was edited by: greatscott on 4/1/13 8:57:10 AM CDT
FYI, Signature 6015 is a generic signature that provides enhanced "Suspicious Function Invocation". It can generate more false positives than other signatures, but this is by design of these signatures (432, 6012, 6015, etc.). Content updates are made to them, as needed, but like other signatures and events, tuning them to your environment is still required.
KB59683 - Host Intrusion Prevention 7.0 Content Analysis: IPS Signature 432 - Suspicious Function Invocation