wyrm
Level 9
Message 1 of 2

HIPS Suspicious Double File Extension & .com (sig 413)

I ran into an issue with HIPS 8 triggering signature 413 (suspicious double file extension).  A .com file cannot execute from a folder name that contains a period.

Example:

Created folder "C:\ABC"

Copied format.com from "c:\windows\system32" to "C:\ABC"

I can run C:\ABC\format.com without issue in that folder.

Now, if I rename "C:\ABC" to "AB.C" then try to run C:\AB.C\format.com, it triggers signature 413.

Here's the problem:  This only affects .com file extensions.  It does NOT affect .exe files.  I can copy notepad.exe into C:\AB.C and run it without issue.

I opened a case with McAfee and the level 1 tech said this is intended functionality... but I find this hard to believe.  If this affects .com files, shouldn't it affect .exe as well???  This seems to be a bug, but level 1 was unwilling to escalate.

I'd like to know if this is specific to HIPS 8, or if this also occurs with HIPS 7.

Thanks,

1 Reply
McAfee Employee ktankink
Message 2 of 2

Re: HIPS Suspicious Double File Extension & .com (sig 413)

The signature syntax affects this (wildcarded) path for .COM files, as you described.  Works the same in HIPS 7.0, as I tested.

> If this affects .com files, shouldn't it affect .exe as well???

If you'd like to request additional signature coverage, please submit a McAfee PER.

KB60021 - Information about Product Enhancement Requests for McAfee products

https://kc.mcafee.com/corporate/index?page=content&id=KB60021
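The behaviour discussed in this thread, as an added illustration that is not part of either post and is not McAfee's signature: the pattern `*.*.com` is a hypothetical stand-in, since the actual signature 413 syntax is not shown here. It compares a wildcard applied to the whole path, where `*` can span a directory name containing a period, with a check limited to the file name.

```python
import fnmatch
import ntpath

# Hypothetical pattern (assumption): the real signature 413 syntax is not
# shown in the thread. Applied to the full path, "*" also spans "\".
FULL_PATH_PATTERN = "*.*.com"


def full_path_match(path: str) -> bool:
    """Case-insensitive wildcard match over the entire path string."""
    return fnmatch.fnmatchcase(path.lower(), FULL_PATH_PATTERN)


def filename_double_extension(path: str, final_exts=(".com",)) -> bool:
    """Stricter check: require two extensions in the file name itself."""
    name = ntpath.basename(path).lower()      # drop drive and directories
    stem, ext = ntpath.splitext(name)         # "invoice.pdf", ".com"
    return ext in final_exts and "." in stem.strip(".")


# Paths from the thread, plus one constructed true double extension.
SAMPLES = [
    r"C:\ABC\format.com",
    r"C:\AB.C\format.com",
    r"C:\AB.C\notepad.exe",
    r"C:\ABC\invoice.pdf.com",   # constructed sample
]


def compare(paths=SAMPLES):
    """Return (path, full-path result, file-name-only result) per sample."""
    return [(p, full_path_match(p), filename_double_extension(p)) for p in paths]


if __name__ == "__main__":
    for path, whole, name_only in compare():
        print(f"{path:28} full-path={whole!s:5} name-only={name_only}")
```

The two checks disagree only on `C:\AB.C\format.com`, the case reported above, which is the kind of path to test when tuning an exception or writing a custom rule.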
