casscoss
Level 7

HIPS 8 - Signer info entered into Catalogue changes when saved

When adding signer information and saving it within the HIPS Catalogue, I noticed that what is entered is not reflected after hitting save. For example:

I entered the following info:

CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

But when I go back to view the signer info now saved in ePO, it shows as follows:

CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, ST=WASHINGTON, C=US

It changes it from S to ST. I can't seem to get this to save as it has been entered. Even when I make an exception, or add it as a trusted app from an IPS event, it shows it as “S”; however, as soon as it is saved it shows it as “ST”.

My concern is... Will this then not work properly when building rules based on signer info since it does not match??

0 Kudos
4 Replies
McAfee Employee

Re: HIPS 8 - Signer info entered into Catalogue changes when saved

I'm not entirely sure why the S= is changed to ST=, but I tested it with an IE signature-based firewall rule and it still worked fine.

0 Kudos
casscoss
Level 7

Re: HIPS 8 - Signer info entered into Catalogue changes when saved

As always...thanks for the help Kary. Very much appreciated.

I tested it as well, and saw no negative effect; however, I was not 100% comfortable with what I was seeing. I just saw it as a possible issue. Well, hopefully it does not impact the effects of rules built around Signer Info.

0 Kudos
basicsyntax
Level 7

Re: HIPS 8 - Signer info entered into Catalogue changes when saved

I am seeing this same problem.

Currently noted with Microsoft signature that has both variants, both S and ST. It looks fine until after I have saved and applied the policy.

I still have stragglers popping up that show an S. When I view the IPS policy, sure enough, the Signer has been changed and I now have two signatures that reflect ST.

Anyone see anything like this?

Signer:

CN=MICROSOFT WINDOWS, OU=MOPR, 0=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

Is changed to:

CN=MICROSOFT WINDOWS, OU=MOPR, 0=MICROSOFT CORPORATION, L=REDMOND, ST=WASHINGTON, C=US

Affecting conhost, services & winlogon to name a few.

The strange thing is that it seems to work at first. When tuning, I see the number of signatures firing definitely dropping.

However, I just looked and see I have over a dozen servers firing 400+ signatures in the last 24 hours alone.

What gives?

0 Kudos
McAfee Employee

Re: HIPS 8 - Signer info entered into Catalogue changes when saved

KB72290 - Host Intrusion Prevention 8.0 Extension normalizes digital signer data ("S=" is normalized to "ST=")

https://kc.mcafee.com/corporate/index?page=content&id=KB72290

0 Kudos
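Added example, not part of the thread and not McAfee's code: when checking exported event signers against saved rule signers outside ePO, treating `S=` and `ST=` as the same attribute avoids false mismatches like the one discussed above. The function names, the alias table and the case-insensitive, whitespace-collapsing comparison are assumptions of this sketch.

```python
import re

# Assumed alias table: only the pair from the thread. "S" is the label
# Windows certificate tools show for stateOrProvinceName, "ST" the RFC 4514 one.
ALIASES = {"S": "ST"}

def split_rdns(dn):
    """Split a signer string on commas that are neither escaped nor quoted."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if ch == "," and not quoted and not escaped:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def normalize_signer(dn):
    """Return a tuple of (TYPE, VALUE) pairs with attribute aliases folded."""
    pairs = []
    for rdn in split_rdns(dn):
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        typ = typ.strip().upper()
        val = re.sub(r"\s+", " ", val.strip()).upper()  # assumption: case-insensitive
        pairs.append((ALIASES.get(typ, typ), val))
    return tuple(pairs)

def same_signer(a, b):
    return normalize_signer(a) == normalize_signer(b)

def unmatched(event_signers, rule_signers):
    """Event signers that match no rule signer even after normalization."""
    rules = {normalize_signer(r) for r in rule_signers}
    return [s for s in event_signers if normalize_signer(s) not in rules]

# Signer strings as quoted in the first post of the thread.
ENTERED = "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
SAVED = "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, ST=WASHINGTON, C=US"
```

Anything `unmatched` still returns differs in more than the `S`/`ST` label and is worth reviewing by hand.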