cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

IPS Exception basics

Jump to solution

I am having problems with the syntax aloud for the IPS exception with in the ePO.

Can anyone tell me if the exclusion wild cards for VSE will work for the attached screen shot for the file name of IPS exclusion. 

https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print

Please if anyone tells me to check the HIPS guide, at least tell me what page to check. I have check the guide ALOT lately and having problems finding the syntax aloud.

All I am trying to do is allow a filename.exe to be allowed and trying to figure out if this syntax will work

**\filename.exe

it seems the IPS signature that keeps popping I can't seem to get the exception correct.

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7

Re: IPS Exception basics

Jump to solution

sstretchh wrote:

I also have some more testing to do, but once you have the excemtpion build I don't think it works unless you have some sort of parameters loaded agains't it.

IPS exceptions will work without Parameter details.  Parameters details are just criteria to narrow down/tighten an IPS exception down further, but be aware of the AND/OR operations between parameter details.  The KB works for HIPS 8 as well, but the screenshots just look different.

KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

View solution in original post

6 Replies
Highlighted

Re: IPS Exception basics

Jump to solution

The exception **\filename.exe should work. If the event is still occurring, find the event in ePO, click "Actions", then click "New Exception (Host IPS 8.0)". Select the IPS Rules policy you want the exception to be put into, and click OK. This should prevent the event from occurring further. Go into that exception after it is created, and view how ePO created it. Note the processes and advanced parameters, and how they differ from the exception you created manually.

Highlighted

Re: IPS Exception basics

Jump to solution

That is what I did to create the basis for my rule. Its popping on manyachines and was going to try the ** I asked about because I was getting g stomped how to apply this to all machines. I justed removed all computers so that should apply to all.

Highlighted

Re: IPS Exception basics

Jump to solution

Yes, just remove the system name from the exception.

Highlighted

Re: IPS Exception basics

Jump to solution

did some testing over the weekend. I wanted to post encase anyone else tried this. ePO doesn't like the syntax of "**\filename.exe" in the field of Filename:

Every time i tried to add it, the ** was auto removed when i hit save. I did a "*\filename.exe" and it seem to take that and everything seem to be happy.

Highlighted

Re: IPS Exception basics

Jump to solution

HIPSException_example_edited.png

I also have some more testing to do, but once you have the excemtpion build I don't think it works unless you have some sort of parameters loaded agains't it.

THe above example, the area highlighted in red is what I am talking about. Once I build the excutable defintation. I was trying to be basic and just leave allt he paramaters blank. My thought was it was just allow every instance of this excutable. Once I added some sort of generic paramater the excemtion started to work.

Later on I reliazed if I wanted to do such a generic excemption to put the program in trusted applications.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7

Re: IPS Exception basics

Jump to solution

sstretchh wrote:

I also have some more testing to do, but once you have the excemtpion build I don't think it works unless you have some sort of parameters loaded agains't it.

IPS exceptions will work without Parameter details.  Parameters details are just criteria to narrow down/tighten an IPS exception down further, but be aware of the AND/OR operations between parameter details.  The KB works for HIPS 8 as well, but the screenshots just look different.

KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community