
HIPS 8 Patch 2: sig id 3754, 6015 and 3905 blocking the Word Plugin and Winword.exe

Is anyone having this problem with Signatures 3754 and 6015 since installing HIPS 8 Patch 2? We are having this issue on all machines that have this patch. As soon as we open Winword.exe, it crashes. We had installed the Word plugins before the patch installation and they were working fine on all of the machines. Word started crashing after the patch was installed.

We have checked the McAfee log and see that the plugin and winword.exe are being blocked by sig id 3754, 6015 and 3905. When we set the exception, the issue gets resolved. Does anyone have a solution for this?

We have the following configuration:

Windows 7

Word 2007

Signature 6015: Suspicious Function Invocation – Target Address Mismatch

Signature 3754: Illegal Execution in Winword.exe

The plug-in and Winword.exe were being blocked by sig id 3754, 6015 and 3905

Message was edited by: ictect_manish on 2/13/13 3:46:37 AM CST
3 Replies
lrock
Level 9

Re: HIPS 8 Patch 2: sig id 3754, 6015 and 3905 blocking the Word Plugin and Winword.exe

We saw many blocks pertaining to:

MSO.DLL as Caller Module

WINWORD.EXE as Executable

Signature 6015 Suspicious Function Invocation - Target Address Mismatch

Learn anything new since your post?

greatscott
Level 12

Re: HIPS 8 Patch 2: sig id 3754, 6015 and 3905 blocking the Word Plugin and Winword.exe

I suspect the issue is with 6015; it seems to fire on a lot of Microsoft processes: outlook.exe, communicator.exe, etc., with the advanced parameter of clr.dll and a few others that I can't recall off the top of my head.

I would not block 6015, but rather set it to informational, and log. It seems to create a bunch of noise. I think they attempted to fix it in one recent content update, but for us it continues to generate false positive data.

Message was edited by: greatscott on 4/1/13 8:57:10 AM CDT
McAfee Employee

Re: HIPS 8 Patch 2: sig id 3754, 6015 and 3905 blocking the Word Plugin and Winword.exe

FYI, Signature 6015 is a generic signature that provides enhanced "Suspicious Function Invocation".  It can generate more false positives than other signatures, but this is by design of these signatures (432, 6012, 6015, etc.).  Content updates are made to them, as needed, but like other signatures and events, tuning them to your environment is still required.

Please see:

KB59683 - Host Intrusion Prevention 7.0 Content Analysis: IPS Signature 432 - Suspicious Function Invocation
