Creating trusted applications is a way of reducing false positives, or even alerts altogether, for both the IPS and the Firewall element of HIPS, but how 'trusted' are 'Trusted Applications'?
In the trusted application settings there is IPS - Firewall - Hooking . All modules can be either enabled or disabled.
I note in the documentation it says: NOTE: A trusted application is susceptible to common vulnerabilities such as buffer overflow and illegal use. Therefore, a trusted application is still monitored and can trigger events to prevent exploits.
That makes sense, but if that is the case, what exploits or alerts will it suppress and what alerts would it still show? IDS signatures with a rating of 'high/critical'? It doesn't really say this nor go into any more detail.
For example, if someone added iexplore.exe as a trusted application, and disabled both the IDS and the Firewall modules via the trusted application settings for this app, does this mean that exploits that leverage iexplore.exe (for which there are many) would run rife because it is considered trusted and alerts are suppressed?
HIP has 3 main security modules: HostIPS/NetworkIPS, Application Blocking, and Firewall.
When a new Trusted Application is created, HIP Client creates an Application Blocking rule to allow “creation” (launching) of the process(es) associated with the Trusted Application. This is only relevant if Application Blocking is enabled.
If it's marked Trusted for Firewall, HIP Client creates a firewall rule at the top of the Firewall Rules policy that allows all outgoing IP Protocols for the process(es) associated with the Trusted Application. This is only relevant if Firewall is enabled.
If it's marked Trusted for Application Hooking, HIP Client modifies the existing Application Blocking rule (from step 1 above) so that it is also allowed to “hook” (call the API SetWindowsHookEx or create a thread in another process). This is only relevant if Application Hooking is enabled.
If it's marked Trusted for IPS, HIP Client will ignore Host IPS signatures when the associated process(es) are from the Trusted Application. This will only be relevant if Host IPS is enabled. Note: the following signatures will be triggered regardless of whether an application is Trusted for IPS or not: 428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137.
In all cases, the application matching is path-based (not hash or “fingerprint”). Although signature 428 is not affected by Trusted Applications, it will only trigger if the associated process is in the Application Protection List.
You can see the added Application Blocking / Hooking rules and the Firewall rules in the Client GUI.
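Since matching is path-based rather than hash-based, a defender can add a compensating check that verifies what actually sits at each trusted path. The following is an added example, not code from the thread or from McAfee; the paths, signer subjects and baseline hashes are constructed placeholders that you would replace with your own baseline.

```powershell
# Added example: verify the binaries at Trusted Application paths against a
# baseline of expected Authenticode signer and SHA-256 hash, because HIP
# trusts the path, not the file content. Paths, signers and hashes below are
# constructed placeholders, not real baseline values.

$Baseline = @(
    @{ Path   = 'C:\Program Files\Internet Explorer\iexplore.exe'
       Signer = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
       Sha256 = '<EXPECTED-SHA256-PLACEHOLDER>' },
    @{ Path   = 'C:\Tools\backupagent.exe'            # hypothetical trusted app
       Signer = 'CN=Example Vendor, O=Example Vendor Ltd, C=GB'
       Sha256 = '<EXPECTED-SHA256-PLACEHOLDER>' }
)

function Test-TrustedAppPath {
    param([hashtable]$Entry)
    $findings = @()

    # A missing file is itself notable: anything later dropped at this path inherits trust.
    if (-not (Test-Path -LiteralPath $Entry.Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Entry.Path; Status = 'MISSING'; Detail = 'no file at trusted path' }
    }

    # Check the code-signing status and that the signer is the one we expect.
    $sig = Get-AuthenticodeSignature -LiteralPath $Entry.Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -ne $Entry.Signer) {
        $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Compare the on-disk hash with the recorded baseline.
    $hash = (Get-FileHash -LiteralPath $Entry.Path -Algorithm SHA256).Hash
    if ($hash -ne $Entry.Sha256) {
        $findings += "SHA-256 $hash differs from baseline"
    }

    [pscustomobject]@{
        Path   = $Entry.Path
        Status = if ($findings.Count -eq 0) { 'OK' } else { 'ALERT' }
        Detail = $findings -join '; '
    }
}

$Baseline | ForEach-Object { Test-TrustedAppPath -Entry $_ } | Format-Table -AutoSize
```

Run it on a schedule and alert on any row whose Status is not OK; a changed hash or signer at a trusted path means the trust exemption now applies to something other than what was approved.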
Thanks for the detailed reply. That is interesting. I will have a look at those rule IDs later on. Is there a KB article that references these IDs? I ask as I imagine these will change to include more in the future also.