I ran into an issue with HIPS 8 triggering signature 413 (suspicious double file extension). A .com file cannot execute from a folder name that contains a period.
Created folder "C:\ABC"
copied format.com from "c:\windows\system32" to "C:\ABC"
I can run C:\ABC\format.comwithout issue in that folder.
Now, if I rename "C:\ABC" to "AB.C" then try to run C:\AB.C\format.com, it triggers signature 413.
Here's the problem: This only affects .com file extensions. It does NOT affect .exe files. I can copy notepad.exe into C:\AB.C and run it without issue.
I opened a case with McAfee and the level 1 tech said this is intended functionality... but I find this hard to believe. If this affects .com files, shouldn't it affect .exe as well??? This seems to be a bug, but level 1 was unwilling to escalate.
I'd like to know if this is specific to HIPS 8, or if this also occurs with HIPS 7.