I am currently running HIPS 8 patch 2 (version 22.214.171.1242) with content signature 126.96.36.19997
I have been having issues attempting to tune out some of the noise in relation to our Adobe products and a few other applications for the 3905 signature (Prevents all programs from running files from the Temp folder).
It doesn't seem to matter what combination I attempt to create an exception for, the signature still continues to trigger.
File description: ADOBE READER
File name: C:\PROGRAM FILES\ADOBE\READER 11.0\READER\ACRORD32.EXE
Specify a signer: CN="ADOBE SYSTEMS, INCORPORATED", OU=ACROBAT XI, O="ADOBE SYSTEMS, INCORPORATED", L=SAN JOSE, ST=CALIFORNIA, C=US, OID.2.5.4.5=2748129, OID.2.5.4.15=PRIVATE ORGANIZATION, OID.1.3.6.1.4.1.311.60.2.1.2=DELAWARE, OID.1.3.6.1.4.1.311.60.2.1.3=US
Type - Value
Files - C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp
User Name - Domain\*
drive type - HardDrive
I have focused on the Files parameter mostly and tried every iteration of it I can think of, including replacing the * with **, and at one point I even had only ** in the field, which would seem to defeat the purpose of using this signature.
I tried removing the signer (setting it to none) and completely removing all parameters except HardDrive as well, but it continues to fire. I already confirmed there are no trailing spaces at the end of the Executable lines, but nothing.
If anyone has any further suggestions or experience with this particular signature, I would really appreciate some advice.
Thank you for the reply. It would be nice if I could continue to allow our valid applications to function in a normal manner without triggering on every unique function the user performs, but this signature and its PICs 2297 and 3893 don't seem to agree with my logic on this. I do understand the signature is likely operating as designed, but it has been rougher than normal trying to get this particular set to play ball using the wildcards that have worked with the majority of my exception rules thus far.
I had thought about adding it to a whitelist but am awaiting confirmation from higher authority on whether or not I can add it and a few other 3rd party products.
Any assistance or advice you can provide is sincerely appreciated.
Ok, so you need to make 2 changes in McAfee:
First, add ACRORD32.EXE to the processes to exclude on the Access Protection rule: Prevents all programs from running files from the Temp folder.
Also add ACRORD32.EXE to the Host Intrusion Prevention 8.0: General > Trusted Applications (Windows, Linux, Solaris) policy.
Making ACRORD32.EXE a trusted application sounds like a bad idea to me. While I do not doubt that it may ultimately be effective, it's a huge hole compared to tuning the event out of a single HIPS signature.
When it comes to the HIPS exclusion:
I'd suggest opening up your Z@ exclusion to **\Z@*.tmp under files.
Maybe limit your executable to not include file description and possibly not even signer.
Additionally under the value portion
drive type - hard drive probably nets you next to nothing except making the analyzer work harder.
Are you sure that limiting this by username is gaining you anything as well?
In the event you showed there, if that was your exclusion, you have a large number of "and" operations that might make processing of the exclusion difficult. If you open it up a bit it may be much more efficient. You will see other processes calling the Z@ files as well in some of the other signatures you mentioned.
To tune this exact string out: C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp
You can do:
files exclude - **\acrord32_sbx\Z@*.tmp
files exclude - **\acrord32_sbx\Z@?.tmp
This doesn't seem to be your issue though. I take it you are setting this file exclusion in an Exception Rule for 3905. If so, ensure that you are not mixing "Executables" with "Parameters - Files". These two categories "AND" together instead of "OR" which may be breaking what you think your exception rule is doing.
If the only line in your exception rule for signature 3905 is what I suggested above, I'm not sure what's going wrong. If not, try starting there. No signer, no executable... nothing but one Files line.
I would also ignore trusted application settings in this case as it's unnecessary and leaves a large hole as stated above.
I can't get this to work either. Is it possible to exclude an entire folder from a signature?
I'm testing on the Adobe folder for signature 3905. I've gone bare-bones with my test case: no parameters defined aside from Executable, and within the Executable, only File Name defined. I've tried every iteration of wildcards. Right now, I have C:\**\ADOBE\**\*.EXE .
3905 is still being triggered by executables in Adobe folders though. What am I missing?
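The two pieces of advice in this thread (open the Files value up with `**`, and do not mix an Executable clause with a Parameters - Files clause because the clauses AND together) can be checked offline before burning another test cycle on an agent. The script below is an added example written for this page; it is not McAfee's code and not something any poster supplied. It models the HIPS wildcard syntax as I understand it from the product documentation (`*` stays within one path component, `**` crosses separators, `?` is one character, matching is case-insensitive and anchored), and it uses a constructed sample event whose paths are modelled on the ones quoted above, so the user name, the sandbox file name and the absence of an extra directory under Temp are assumptions, not facts from the page. It also runs the last poster's `C:\**\ADOBE\**\*.EXE` pattern against the AcroRd32 path from the first post.

```python
"""
Added example (not from the original thread or from McAfee): a small evaluator
for HIPS-style exception rules, to see which clause of an exception fails
against a given event before re-testing on an endpoint.

Assumptions (my reading of the HIPS 8 wildcard syntax, not stated on the page):
  *   matches any run of characters except a path separator (\\ or /)
  **  matches any run of characters including path separators
  ?   matches exactly one non-separator character
  matching is case-insensitive and anchored to the whole value
An exception rule's clauses (executable, signer, files, user) are ANDed:
every clause the rule defines must match the event for the rule to apply.
"""
import re
from typing import Dict, Optional


def hips_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a HIPS wildcard value into an anchored, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")            # crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")      # stays inside one path component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\/]")       # exactly one non-separator character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def hips_match(pattern: str, value: str) -> bool:
    return hips_glob_to_regex(pattern).match(value) is not None


def exception_applies(rule: Dict[str, Optional[str]], event: Dict[str, str]) -> bool:
    """True only if every clause defined in `rule` matches the event (AND).

    A clause whose pattern is None is treated as not defined and does not
    constrain the match. One failing clause sinks the whole rule.
    """
    for clause, pattern in rule.items():
        if pattern is None:
            continue
        if not hips_match(pattern, event.get(clause, "")):
            return False
    return True


def explain(rule: Dict[str, Optional[str]], event: Dict[str, str]) -> Dict[str, bool]:
    """Per-clause verdicts, to show which AND term is the one failing."""
    return {k: hips_match(p, event.get(k, "")) for k, p in rule.items() if p is not None}


# Constructed sample event, modelled on the paths quoted in the thread. The
# real event from the OP's console is not on the page; in particular the
# sandbox directory sitting directly under Temp is an assumption.
EVENT = {
    "executable": r"C:\PROGRAM FILES\ADOBE\READER 11.0\READER\ACRORD32.EXE",
    "signer": 'CN="ADOBE SYSTEMS, INCORPORATED", OU=ACROBAT XI',
    "files": r"C:\Users\jdoe\AppData\Local\Temp\acrord32_sbx\Z@ab12.tmp",
    "user": r"Domain\jdoe",
}

# The OP's exception as posted (file description and drive type omitted).
OP_RULE = {
    "executable": r"C:\PROGRAM FILES\ADOBE\READER 11.0\READER\ACRORD32.EXE",
    "signer": None,
    "files": r"C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp",
    "user": r"Domain\*",
}

# The "nothing but one Files line" exception suggested in the thread.
SUGGESTED_RULE = {
    "executable": None,
    "signer": None,
    "files": r"**\acrord32_sbx\Z@*.tmp",
    "user": None,
}


if __name__ == "__main__":
    for name, rule in (("OP rule", OP_RULE), ("suggested rule", SUGGESTED_RULE)):
        print(name, exception_applies(rule, EVENT), explain(rule, EVENT))
    print("last poster's executable pattern:",
          hips_match(r"C:\**\ADOBE\**\*.EXE", EVENT["executable"]))
```

Under these assumptions the OP's rule fails only on the Files clause: the single `*` between `Temp\` and `\acrord32_sbx` demands one extra directory level, and if the sandbox folder sits directly under Temp nothing satisfies it, while `**\acrord32_sbx\Z@*.tmp` matches. The `?` variant from the thread matches `Z@a.tmp` but not `Z@ab12.tmp`, so it is the narrower of the two. The last poster's `C:\**\ADOBE\**\*.EXE` does match the AcroRd32 path, so if this model of the wildcards is right the executable pattern itself is not what is failing there, and the next thing to check is which process path the triggering event actually reports.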