Hips Signature

Has anyone else noticed that the signature "Java Envelope - Creation of suspicious files in Temp folder" doesn't seem to trip when it should? The signature "Java Envelope - Starting suspicious process from Temp folder" seems to work fine, but in every infection I have traced where a vulnerable version of Java wrote the malware file to the temp directory, it has never tripped.

6 Replies

Re: Hips Signature

I should add that it doesn't work under VirusScan 8.8 Access Protection rules either. I made a rule that looks for *.exe files written under common temp locations with the source process being java.exe, and nothing trips. I have another rule that monitors the exact same thing but with any process, and it records just fine that java.exe wrote 12365gb5.exe to C:\users\username\appdata\local\temp.

Message was edited by: Dvanmeter on 6/11/13 2:22:28 PM CDT

Re: Hips Signature

It's hard to say, since McAfee does not publish the signature definitions. You won't be able to test accurately, since you don't know what you are testing for.

Re: Hips Signature

I did find a method to get the AP rules in AV 8.8 working. I had to put the full path of the java.exe file in order for it to trip, so rather than java.exe, I used C:\program files\java\java.exe. The only problem with using it in AP rules in VirusScan is that if there is a legit file, there is no way to exclude it. In HIPS I could make an exception, but I am having some difficulty understanding how to make this kind of rule in HIPS. Can anyone offer me any help in HIPS in creating a custom rule that says c:\program files\java\java.exe is not allowed to create an exe anywhere on the drive?

McAfee Employee ktankink
Message 5 of 7

Re: Hips Signature

Try something like:

[Screenshot, 2013-06-17: ePolicy Orchestrator 5.0.0 (Build 1160)]

Change the Operations as desired.

Re: Hips Signature

Thank you for your help, Kary. Just out of curiosity, would the file rule be "Destination File" or just "File"? The two confuse me as to how they are to be used.

McAfee Employee ktankink
Message 7 of 7

Re: Hips Signature

Destination File is only used for a MOVE/RENAME or a HARDLINK operation (where there is a Source/Destination file).  See the help menu on FILES class signatures.

[Screenshot, 2013-06-17: McAfee Help Portal]
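
As an added illustration of the rule the thread is building (not code from the original posts and not McAfee's own matching engine), the following Python models a "java.exe may not write executables to Temp" rule and runs it over a handful of constructed file-operation events. It encodes the three points raised above as assumptions of the model: process patterns are globbed against the full image path, so a bare "java.exe" never matches (mirroring the AP-rule observation that the full path was needed); for rename/hardlink operations the path that is checked is the destination, as the last reply describes for FILES-class signatures; and an exclusion list lets a known-good file through, which is what the poster wanted from HIPS. The paths, rule names and event log are all made up for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Operations whose interesting path is the *destination* (source/destination
# pairs); for everything else the file being created or written is the target.
# Assumption of this model, following the last reply's description.
DEST_OPERATIONS = frozenset({"rename", "hardlink"})


@dataclass(frozen=True)
class FileEvent:
    process: str                       # full image path of the acting process
    operation: str                     # create | write | rename | hardlink
    file: str                          # file created/written, or source of a rename/hardlink
    destination: Optional[str] = None  # target path, only for rename/hardlink


@dataclass(frozen=True)
class Rule:
    process_patterns: tuple   # globs matched against the full, lower-cased process path
    target_patterns: tuple    # globs matched against the affected file
    operations: frozenset     # operations the rule covers
    exclusions: tuple = ()    # target globs that are allowed even if they match

    def target_of(self, ev: FileEvent) -> Optional[str]:
        return ev.destination if ev.operation in DEST_OPERATIONS else ev.file

    def matches(self, ev: FileEvent) -> bool:
        if ev.operation not in self.operations:
            return False
        proc = ev.process.lower()
        # Full-path matching: "java.exe" alone matches nothing; write
        # r"*\java.exe" if basename semantics are wanted.
        if not any(fnmatch.fnmatchcase(proc, p.lower()) for p in self.process_patterns):
            return False
        target = self.target_of(ev)
        if target is None:
            return False
        target = target.lower()
        if not any(fnmatch.fnmatchcase(target, p.lower()) for p in self.target_patterns):
            return False
        # Exception handling: a listed target never trips the rule.
        return not any(fnmatch.fnmatchcase(target, p.lower()) for p in self.exclusions)


def evaluate(rule: Rule, events: List[FileEvent]) -> List[str]:
    """Return the target paths of the events that trip the rule, in order."""
    return [rule.target_of(ev) for ev in events if rule.matches(ev)]


# Constructed rule definitions (hypothetical patterns, not McAfee rule syntax).
ALL_OPS = frozenset({"create", "write", "rename", "hardlink"})
TEMP_EXE = (r"c:\users\*\appdata\local\temp\*.exe", r"c:\windows\temp\*.exe")

RULE_FULL_PATH = Rule(
    process_patterns=(r"c:\program files\java\java.exe",),
    target_patterns=TEMP_EXE,
    operations=ALL_OPS,
    exclusions=(r"*\temp\approved-installer.exe",),   # the "legit file" exception
)
RULE_BASENAME = Rule(("java.exe",), TEMP_EXE, ALL_OPS)

# Constructed event log; the user name and file names are made up.
EVENTS = [
    FileEvent(r"C:\Program Files\Java\java.exe", "create",
              r"C:\Users\dvanmeter\AppData\Local\Temp\12365gb5.exe"),
    FileEvent(r"C:\Program Files\Java\java.exe", "write",
              r"C:\Users\dvanmeter\AppData\Local\Temp\hsperfdata_dvanmeter\4120"),
    FileEvent(r"C:\Windows\explorer.exe", "create",
              r"C:\Users\dvanmeter\AppData\Local\Temp\setup.exe"),
    FileEvent(r"C:\Program Files\Java\java.exe", "rename",
              r"C:\Users\dvanmeter\AppData\Local\Temp\jar_cache123.tmp",
              r"C:\Users\dvanmeter\AppData\Local\Temp\update.exe"),
    FileEvent(r"C:\Program Files\Java\java.exe", "create",
              r"C:\Users\dvanmeter\AppData\Local\Temp\approved-installer.exe"),
]

if __name__ == "__main__":
    print("full-path rule trips on:", evaluate(RULE_FULL_PATH, EVENTS))
    print("basename rule trips on: ", evaluate(RULE_BASENAME, EVENTS))
```

Run as-is, the full-path rule trips on the dropped 12365gb5.exe and on the rename whose destination is update.exe, ignores the non-.exe hsperfdata write and the explorer.exe write, and lets the excluded approved-installer.exe through; the basename-only rule trips on nothing, which is the behaviour the thread observed for the AP rule.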
