
IPS Exception basics


I am having problems with the syntax allowed for the IPS exception within the ePO.

Can anyone tell me if the exclusion wildcards for VSE will work for the attached screenshot for the file name of IPS exclusion?

https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print

Please, if anyone tells me to check the HIPS guide, at least tell me what page to check. I have checked the guide a lot lately and am having problems finding the syntax allowed.

All I am trying to do is allow a filename.exe to be allowed, and I am trying to figure out if this syntax will work:

**\filename.exe

It seems the IPS signature keeps popping, and I can't seem to get the exception correct.

1 Solution

Accepted Solutions
McAfee Employee ktankink
Message 7 of 7

Re: IPS Exception basics


sstretchh wrote:

I also have some more testing to do, but once you have the exception built I don't think it works unless you have some sort of parameters loaded against it.

IPS exceptions will work without Parameter details. Parameter details are just criteria to narrow down/tighten an IPS exception further, but be aware of the AND/OR operations between parameter details. The KB works for HIPS 8 as well, but the screenshots just look different.

KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

6 Replies

Re: IPS Exception basics


The exception **\filename.exe should work. If the event is still occurring, find the event in ePO, click "Actions", then click "New Exception (Host IPS 8.0)". Select the IPS Rules policy you want the exception to be put into, and click OK. This should prevent the event from occurring further. Go into that exception after it is created, and view how ePO created it. Note the processes and advanced parameters, and how they differ from the exception you created manually.

Re: IPS Exception basics

That is what I did to create the basis for my rule. It's popping on many machines and I was going to try the ** I asked about because I was getting stumped on how to apply this to all machines. I just removed all computers so that should apply to all.

Re: IPS Exception basics


Yes, just remove the system name from the exception.

Re: IPS Exception basics

Did some testing over the weekend. I wanted to post in case anyone else tried this. ePO doesn't like the syntax of "**\filename.exe" in the field of Filename:

Every time I tried to add it, the ** was auto-removed when I hit save. I did a "*\filename.exe" and it seemed to take that and everything seemed to be happy.

Re: IPS Exception basics


HIPSException_example_edited.png

I also have some more testing to do, but once you have the exception built I don't think it works unless you have some sort of parameters loaded against it.

In the above example, the area highlighted in red is what I am talking about. Once I built the executable definition, I was trying to be basic and just leave all the parameters blank. My thought was it would just allow every instance of this executable. Once I added some sort of generic parameter the exception started to work.

Later on I realized that if I wanted to do such a generic exception, I should put the program in trusted applications.

