I ran into an issue with HIPS 8 triggering signature 413 (suspicious double file extension). A .com file cannot execute from a folder name that contains a period.
Created folder "C:\ABC".
Copied format.com from "c:\windows\system32" to "C:\ABC".
I can run C:\ABC\format.com without issue in that folder.
Now, if I rename "C:\ABC" to "AB.C" then try to run C:\AB.C\format.com, it triggers signature 413.
Here's the problem: This only affects .com file extensions. It does NOT affect .exe files. I can copy notepad.exe into C:\AB.C and run it without issue.
I opened a case with McAfee and the level 1 tech said this is intended functionality... but I find this hard to believe. If this affects .com files, shouldn't it affect .exe as well??? This seems to be a bug, but level 1 was unwilling to escalate.
I'd like to know if this is specific to HIPS 8, or if this also occurs with HIPS 7.
The signature syntax affects this (wildcarded) path for .COM files, as you described. Works the same in HIPS 7.0, as I tested.
> If this affects .com files, shouldn't it affect .exe as well???
If you'd like to request additional signature coverage, please submit a McAfee PER.
KB60021 - Information about Product Enhancement Requests for McAfee products
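The behaviour reported in this thread, reproduced as an added example that is not part of the original posts and is not McAfee's signature code: a wildcard applied to the whole path treats the period in a folder name as part of a double extension, while a check scoped to the file name does not. The pattern `*.*.com` and both function names are assumptions made for illustration; the real syntax of signature 413 is not shown in the thread.

```python
import fnmatch
import ntpath  # Windows path rules, usable on any OS

# Hypothetical wildcard rule (assumption, not the real signature 413 syntax):
# "anything, a dot, anything, then .com", evaluated against the FULL path.
NAIVE_PATTERN = "*.*.com"


def naive_match(path):
    """Full-path wildcard match. '*' also spans backslashes, so a dot in
    any parent folder name satisfies the first '.' in the pattern."""
    return fnmatch.fnmatchcase(path.lower(), NAIVE_PATTERN)


def scoped_match(path, exts=(".com",)):
    """Double-extension check limited to the file name itself.
    Parent folder names are ignored."""
    name = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(name)
    # A second extension exists only if the stem still contains a dot
    # after leading/trailing dots are discarded.
    return ext in exts and "." in stem.strip(".")


# Constructed sample paths mirroring the cases described in the thread,
# plus one genuine double-extension file name for contrast.
SAMPLES = [
    r"C:\ABC\format.com",
    r"C:\AB.C\format.com",
    r"C:\AB.C\notepad.exe",
    r"C:\ABC\invoice.pdf.com",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:28} naive={naive_match(p)!s:5} scoped={scoped_match(p)}")
```

Passing `exts=(".com", ".exe")` to `scoped_match` extends the same file-name check to .exe files.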