
Help with HASH based expert rule

Hello HIPS experts -

I'm fairly new to McAfee and can't figure out what I'm doing wrong. I'm trying to write a simple blocking rule to prevent a program from being executed using the program's MD5 hash. Below is an example of my rule; after I apply the policy, I'm still able to execute the program. Not sure why or what I'm missing. Any pointers/help would be greatly appreciated.

Rule {
  tag "Hash blocking test"
  Class Program
  Id 1111
  level 4
  Target_Executable { Include { -hash "a262273e7809297f15b3c113d881f7b1" -desc "notepad plus exclusion test" } }
  directives program:run
}

4 Replies
McAfee Employee ktankink
Message 2 of 5

Re: Help with HASH based expert rule

KB71735 - Host Intrusion Prevention 8.0 - Executable File Description field

https://kc.mcafee.com/corporate/index?page=content&id=KB71735

Re: Help with HASH based expert rule

Thanks, but I'm not following. What does file description have to do with creating an expert rule using the MD5 hash?

McAfee Employee ktankink
Message 4 of 5

Re: Help with HASH based expert rule

The rule you have is not just looking for a hash. It looks for an executable that has that specific MD5 hash AND that File Description "notepad plus exclusion test" (as per the KB, it is not a COMMENT field). Remove the File Description detail, or correct it to the accurate value.
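
The practical check behind this reply, as an added example that is not part of the thread and not McAfee's code: read the MD5 and the real FileDescription from the binary you want to block, then emit the Target_Executable clause from those values, so -desc either matches what the PE version resource actually says or is left out when the file has none. The path, the rule Id 1111 and the tag are assumptions taken from the original post; the rule layout is the one posted above and is assumed to be otherwise correct.

```powershell
# Added example (not from the thread or from McAfee). Gathers the two values a
# Target_Executable Include can match on, -hash and -desc, from the real file.
param(
    # Hypothetical example path; point this at the binary the rule should block
    [Parameter(Mandatory = $true)][string]$Path,
    [int]$RuleId = 1111,                     # assumed, as in the post
    [string]$Tag  = "Hash blocking test"     # assumed, as in the post
)

$item = Get-Item -LiteralPath $Path

# HIPS 8.0 expert rules match on the MD5 of the file. Get-FileHash returns
# uppercase hex; lowercase it so it looks like the value in the post.
$md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()

# FileDescription is read from the PE version resource (VS_VERSIONINFO).
# It is frequently empty, and it is rarely the product name a human would
# guess, which is why a made-up -desc silently turns the rule into a no-match.
$desc = $item.VersionInfo.FileDescription

# Emit -desc only when the binary actually carries a FileDescription;
# otherwise the Include is hash-only, which is the other fix the reply suggests.
$include = "-hash `"$md5`""
if (-not [string]::IsNullOrWhiteSpace($desc)) {
    # Escape any embedded double quote so the rule text stays parseable
    $safeDesc = $desc -replace '"', '\"'
    $include += " -desc `"$safeDesc`""
}

Write-Host "File:            $($item.FullName)"
Write-Host "MD5:             $md5"
Write-Host "FileDescription: $(if ($desc) { $desc } else { '<none>' })"
Write-Host ""

# Rule text in the layout from the original post, ready to paste into the
# expert rule editor of the HIPS policy.
@"
Rule {
  tag "$Tag"
  Class Program
  Id $RuleId
  level 4
  Target_Executable { Include { $include } }
  directives program:run
}
"@
```

Run it as `.\Get-HipsHashRule.ps1 -Path 'C:\Program Files\Notepad++\notepad++.exe'` (script name and path are illustrative) on a machine that has the same build of the file the HIPS clients run, because any other build has a different MD5 and the rule will not fire there either.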

McAfee Employee NMaurMcAfee
Message 5 of 5

Re: Help with HASH based expert rule

Since you're rather new and this is such a basic rule why don't you just use the standard rule builder?