ninjaneer68
Level 10

IPS Exception basics

I am having problems with the syntax allowed for the IPS exception within ePO.

Can anyone tell me if the exclusion wildcards for VSE will work for the attached screenshot for the file name of the IPS exclusion?

https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print

Please, if anyone tells me to check the HIPS guide, at least tell me what page to check. I have checked the guide a lot lately and am having problems finding the syntax allowed.

All I am trying to do is allow a filename.exe, and I am trying to figure out if this syntax will work:

**\filename.exe

It seems that for the IPS signature that keeps popping, I can't seem to get the exception correct.

1 Solution

Accepted Solutions
McAfee Employee

Re: IPS Exception basics

sstretchh wrote:

I also have some more testing to do, but once you have the exception built I don't think it works unless you have some sort of parameters loaded against it.

IPS exceptions will work without Parameter details. Parameter details are just criteria to narrow down/tighten an IPS exception further, but be aware of the AND/OR operations between parameter details. The KB works for HIPS 8 as well, but the screenshots just look different.

KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

6 Replies
greatscott
Level 12

Re: IPS Exception basics

The exception **\filename.exe should work. If the event is still occurring, find the event in ePO, click "Actions", then click "New Exception (Host IPS 8.0)". Select the IPS Rules policy you want the exception to be put into, and click OK. This should prevent the event from occurring further. Go into that exception after it is created, and view how ePO created it. Note the processes and advanced parameters, and how they differ from the exception you created manually.

ninjaneer68
Level 10

Re: IPS Exception basics

That is what I did to create the basis for my rule. It's popping on many machines, and I was going to try the ** I asked about because I was getting stumped on how to apply this to all machines. I just removed all computers, so that should apply to all.

greatscott
Level 12

Re: IPS Exception basics

Yes, just remove the system name from the exception.

ninjaneer68
Level 10

Re: IPS Exception basics

Did some testing over the weekend. I wanted to post in case anyone else tried this. ePO doesn't like the syntax of "**\filename.exe" in the field of Filename:

Every time I tried to add it, the ** was auto-removed when I hit save. I did a "*\filename.exe" and it seemed to take that, and everything seemed to be happy.

ninjaneer68
Level 10

Re: IPS Exception basics

HIPSException_example_edited.png

I also have some more testing to do, but once you have the exception built I don't think it works unless you have some sort of parameters loaded against it.

In the above example, the area highlighted in red is what I am talking about. Once I built the executable definition, I was trying to be basic and just leave all the parameters blank. My thought was it would just allow every instance of this executable. Once I added some sort of generic parameter, the exception started to work.

Later on I realized that if I wanted to do such a generic exception, I should put the program in trusted applications.
