cancel
Showing results for 
Search instead for 
Did you mean: 
wyrm
Level 9

HIPS Suspicious Double File Extension & .com (sig 413)

I ran into an issue with HIPS 8 triggering signature 413 (suspicious double file extension).  A .com file cannot execute from a folder name that contains a period.

Example:

Created folder "C:\ABC"

copied format.com from "c:\windows\system32" to "C:\ABC"

I can run C:\ABC\format.com without issue in that folder.

Now, if I rename "C:\ABC" to "AB.C" then try to run C:\AB.C\format.com, it triggers signature 413.

Here's the problem:  This only affects .com file extensions.  It does NOT affect .exe files.  I can copy notepad.exe into C:\AB.C and run it without issue.

I opened a case with McAfee and the level 1 tech said this is intended functionality... but I find this hard to believe.  If this affects .com files, shouldn't it affect .exe as well???  This seems to be a bug, but level 1 was unwilling to escalate.

I'd like to know if this is specific to HIPS 8, or if this also occurs with HIPS 7.

Thanks,

0 Kudos
1 Reply
McAfee Employee

Re: HIPS Suspicious Double File Extension & .com (sig 413)

The signature syntax affects this (wildcarded) path for .COM files, as you described.  Works the same in HIPS 7.0, as I tested.

If this affects .com files, shouldn't it affect .exe as well???

If you'd like to request additional signature coverage, please submit a McAfee PER.

KB60021 - Information about Product Enhancement Requests for McAfee products

https://kc.mcafee.com/corporate/index?page=content&id=KB60021

0 Kudos