FLJKBH
Level 7

How to create Custom Signature using Fingerprint

Howdy all

I'd like to create a custom signature to prevent create, execute, read, rename, and write a list of MD5 hashes. I haven't been able to find documentation on this process. My thought process is:

1. Create Stand IPS Subrule

2. Rule Type = File

3. Create "executables" for each MD5 / fingerprint

What should be included in the parameter section? I want the entire system to be protected from these MD5 hashes.

Is my thought process correct? Any and all feedback is appreciated!

Thank you

image001.png

Message was edited by: FLJKBH on 2/25/14 4:03:07 PM CST
0 Kudos
4 Replies
McAfee Employee

Re: How to create Custom Signature using Fingerprint

KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature

https://kc.mcafee.com/corporate/index?page=content&id=KB71329

0 Kudos
shakira
Level 10

Re: How to create Custom Signature using Fingerprint

You can't do this in HIPS if I'm understanding you correctly. You can only log/block MD5's if they are a "Program" (.exe, .dll, application, or "executable" as you've seen). That means you cannot just block a txt file with a hash of nfwd8932hf3212e.

What you CAN do is block a .exe or .dll with a certain md5sum from being opened or run, or opening or running anything. You can also prevent that md5sum/.exe/.dll from doing file operations to specific file names or any files, which is what you were actually doing above.

Yeah, I was disappointed as well. Still haven't found a good solution for this seemingly basic operation. There is something called McAfee GTI proxy that can take in hashes and work off of the AV on access scan I think, but it only blocks them, and subsequently deletes the files. Not a usable solution for forensics or incident response etc.

Message was edited by: shakira on 2/26/14 10:12:33 AM CST
0 Kudos
McAfee Employee

Re: How to create Custom Signature using Fingerprint

Correct. If you're trying to block non-executable files, this is not possible in Host IPS. The FILES engine only uses PATH/FILENAME for non-executable files.

0 Kudos
pboetzel
Level 7

Re: How to create Custom Signature using Fingerprint

For me it only worked when a subrule was created for Program and target executable.

0 Kudos