HOST IPS Query - Detecting HASH values & testing

Hi All,

I've asked to use HIPS to try and detect a group of HASH values we have been sent.

I have been able to edit the Host IPS policy in ePO. I've created a custom rule and a sub rule which has my HASH values added. (I've also made sure the Highs are set to prevent in the other rule.)

When I enter the HASH values I was under the impression this goes in the "fingerprint" field. This field is 32 characters long, which is standard for an MD5 hash I think?? However, the HASH values I've been given are much longer.

Do I need to condense them somehow, or just put in the first 32 characters?

Providing I get that right do you know of a way to test the value to see if the rule actually triggers and prevents/detects it being invoked ?

Thanks all

Accepted Solution

McAfee Employee ktankink
Message 2 of 4

Re: HOST IPS Query - Detecting HASH values & testing

HIPS only works with MD5 hashes; you probably have some other hash value (Secure Hash Algorithm - Wikipedia), which is not supported.

See the KB below as a test.

KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature

https://kc.mcafee.com/corporate/index?page=content&id=KB71329

3 Replies

bookz
Level 9
Message 3 of 4

Re: HOST IPS Query - Detecting HASH values & testing

HIPS will only calculate a hash on specific file types; (exe, dll) are ones I have seen. Having the provider of the hash values tell you the type of hashing algorithm in use is going to be necessary. To my knowledge the current-gen HIPS product only supports MD5. I would anticipate you were provided SHA256 hashes, which HIPS will not be able to deal with. You are not able to condense or truncate hash values to get predictable results.

The easiest way to do testing with hash values and HIPS is to use a known quantity such as notepad.exe and hash it out with something like Sigcheck from PsTools (found on Microsoft TechNet). There are different products in the McAfee catalog that are probably designed to be more effective when dealing with hash values. TIE is probably the best bet, but I haven't kept up to date with developments on that front; perhaps someone else can offer input.
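The two points above (identify which algorithm a supplied hash list uses before entering anything into the fingerprint field, and generate an MD5 of a known binary to test the rule) can be checked with a short script. This is an added example for this thread, not McAfee's code and not a HIPS API; it only classifies hex digests by length, hashes a file with Python's standard hashlib, and shows why a truncated SHA-256 is not a substitute for an MD5. The sample bytes and the IOC list are constructed for illustration.

```python
import hashlib
import re

# Hex-digest lengths of the algorithms an IOC feed commonly uses.
# Per this thread, the HIPS 8.0 fingerprint field accepts MD5 only (32 hex characters).
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def identify_hash(value: str) -> str:
    """Guess the algorithm from the digest length; length alone is a heuristic, so
    confirm with whoever supplied the list, as the reply above recommends."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return "not a hex digest"
    return HEX_LENGTHS.get(len(v), f"unknown ({len(v)} hex chars)")


def usable_in_hips_fingerprint(value: str) -> bool:
    """True only for values that look like MD5 digests."""
    return identify_hash(value) == "MD5"


def triage(hash_list):
    """Split an IOC list into values that can go into the fingerprint field and the rest."""
    usable, rejected = [], []
    for h in hash_list:
        (usable if usable_in_hips_fingerprint(h) else rejected).append((h.strip().lower(), identify_hash(h)))
    return usable, rejected


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file (e.g. notepad.exe) through MD5 to get the value to put in a test rule.
    Equivalent to what Sigcheck or Get-FileHash -Algorithm MD5 would report."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def truncation_matches_md5(data: bytes) -> bool:
    """Demonstrates that the first 32 hex chars of a SHA-256 are unrelated to the MD5 of the same data."""
    return sha256_of_bytes(data)[:32] == md5_of_bytes(data)


# Constructed sample IOC list (not real indicators): one MD5-length value, one SHA-256-length value,
# one SHA-1-length value, and one malformed entry.
SAMPLE_IOCS = [
    "d41d8cd98f00b204e9800998ecf8427e",                                   # 32 hex chars
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",   # 64 hex chars
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",                           # 40 hex chars
    "not-a-hash",
]

if __name__ == "__main__":
    usable, rejected = triage(SAMPLE_IOCS)
    print("usable in fingerprint field:", usable)
    print("needs a different control or an MD5 from the provider:", rejected)
    print("truncated SHA-256 equals MD5?", truncation_matches_md5(b"constructed sample content"))
    # For a real test, point this at a known binary and enter the result in the custom signature:
    # print(md5_of_file(r"C:\Windows\System32\notepad.exe"))
```

Run `md5_of_file` against a known binary such as notepad.exe, put the resulting 32-character value into the signature, and invoke the binary to confirm the rule fires; anything `triage` rejects cannot be made to fit the field by trimming it.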

Message 4 of 4

Re: HOST IPS Query - Detecting HASH values & testing

Thanks for your help. Will try the testing if I get an MD5 version of the HASH.
