Dvanmeter
Level 9

Hips Signature

Anyone else notice that the signature "Java Envelope - Creation of suspicious files in Temp folder" doesn't seem to trip when it should? The signature "Java Envelope - Starting suspicious process from Temp folder" seems to work fine, but for every infection I have traced a vulnerable version of Java writing the malware file to the temp directory, it has never tripped.

0 Kudos
6 Replies
Dvanmeter
Level 9

Re: Hips Signature

I should add that it doesn't work under VirusScan 8.8 Access Protection rules either. I made a rule that looks for *.exe files written under common temp locations with the source process being java.exe, and nothing trips. I have another rule that monitors the exact same thing but with any process, and it will record just fine that java.exe wrote 12365gb5.exe to C:\users\username\appdata\local\temp

Message was edited by: Dvanmeter on 6/11/13 2:22:28 PM CDT
0 Kudos
greatscott
Level 12

Re: Hips Signature

It's hard to say, since McAfee does not publish the signature definitions. You won't be able to test accurately, since you don't know what you are testing for.

0 Kudos
Dvanmeter
Level 9

Re: Hips Signature

I did find a method to get the AP rules in AV 8.8 working. I had to put the full path of the java.exe file in order for it to trip. So rather than java.exe, I used C:\program files\java\java.exe. The only problem with using it in AP rules in VirusScan is that if there is a legit file, there is no way to exclude it. In HIPS I could make an exception, but I am having some difficulties understanding how to make this kind of rule in HIPS. Can anyone offer me any help in HIPS in creating a custom rule that says c:\program files\java\java.exe is not allowed to create an exe anywhere on the drive?

0 Kudos
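The rule the post above asks for (a specific process, matched by full path, is not allowed to create .exe files, with an exception list for legitimate files) can be modelled as a small evaluator run over constructed file-creation events. This is an added example for illustration and is not McAfee product code or a HIPS signature definition; the event format, the `FileCreateRule` class and the exception path for Java's own install directory are assumptions made for the example. It reproduces the thread's two observations: a process match keyed on the full path of java.exe, and an exception that lets a known-good location through while the temp-folder write is still flagged.

```python
"""Toy evaluator for a "java.exe may not create .exe files" rule.

Added example, not McAfee's code: it models a rule keyed on the process's
full path plus HIPS-style exceptions, applied to constructed file events.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class FileCreateRule:
    # Full paths of the executables the rule applies to. Matching is on the
    # complete path (as the thread found necessary), so a bare "java.exe"
    # entry would not match an event carrying "C:\Program Files\Java\java.exe".
    process_paths: list
    # Glob patterns for files the process must not create, e.g. "*.exe".
    target_patterns: list
    # Glob patterns for targets that are allowed anyway (the HIPS exception).
    exceptions: list = field(default_factory=list)

    def matches(self, event):
        """True when the event is a blocked creation under this rule."""
        proc = event["process"].lower()
        target = event["target"].lower()
        if not any(proc == p.lower() for p in self.process_paths):
            return False
        if any(fnmatch.fnmatch(target, e.lower()) for e in self.exceptions):
            return False
        return any(fnmatch.fnmatch(target, t.lower()) for t in self.target_patterns)


def flagged_targets(rule, events):
    """Return the target paths of CREATE events the rule blocks, in order."""
    return [e["target"] for e in events if e["op"] == "CREATE" and rule.matches(e)]


# Constructed sample events (not captured from a real system).
EVENTS = [
    {"process": r"C:\Program Files\Java\java.exe", "op": "CREATE",
     "target": r"C:\Users\username\AppData\Local\Temp\12365gb5.exe"},
    {"process": r"C:\Program Files\Java\java.exe", "op": "CREATE",
     "target": r"C:\Users\username\AppData\Local\Temp\jar_cache123.tmp"},
    {"process": r"C:\Windows\explorer.exe", "op": "CREATE",
     "target": r"C:\Users\username\AppData\Local\Temp\setup.exe"},
    {"process": r"C:\Program Files\Java\java.exe", "op": "CREATE",
     "target": r"C:\Program Files\Java\bin\javaw.exe"},
]

# Rule from the thread: java.exe (full path) may not create an exe anywhere,
# except under its own install directory (assumed legitimate-update location).
JAVA_RULE = FileCreateRule(
    process_paths=[r"C:\Program Files\Java\java.exe"],
    target_patterns=["*.exe"],
    exceptions=[r"C:\Program Files\Java\*"],
)

if __name__ == "__main__":
    for path in flagged_targets(JAVA_RULE, EVENTS):
        print("BLOCKED:", path)
```

Only the write to the Temp folder is reported: the .tmp file does not match the target pattern, explorer.exe is not a matched process, and the write under the Java directory is covered by the exception. Dropping the exception list flags that last event as well, which is the situation the poster describes for Access Protection rules.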
McAfee Employee

Re: Hips Signature

Try something like:

[Screenshot attachment: ePolicy Orchestrator 5.0.0 (Build 1160), 2013-06-17 11:32:17]

Change the Operations as desired.

0 Kudos
Dvanmeter
Level 9

Re: Hips Signature

Thank you for your help Kary. Just out of curiosity, would the file rule be "Destination File" or just "File"? The two confuse me on how they are to be used.

0 Kudos
McAfee Employee

Re: Hips Signature

Destination File is only used for a MOVE/RENAME or a HARDLINK operation (where there is a Source/Destination file). See the help menu on FILES class signatures.

[Screenshot attachment: McAfee Help Portal, 2013-06-17 14:05:51]

0 Kudos