I am using EPO 4.0.0 (build 1113) HIP 7.0.0 HIP prevention content 22.214.171.1246
My questions mostly surround HIP and the creation of exceptions.
The IPS policy section is currently set to Adaptive mode. When I open Windows Media Player I get an IPS alert. The option for "create exception" is grayed out, which I would expect because that is not a settable option for IPS policy, but the exception rule does not automatically get added to the exception list. Every time I launch the application I get the same messages. To add the exception I have to manually add it in the HIPS client. According to the verbiage under the IPS options in EPO it says "rules are learned automatically" for adaptive mode. Also in the help section it says "Select to allow clients to create exception rules automatically to allow blocked behavior." I find nothing about manually searching for an executable and naming a rule for it automatic. We are trying to use this in adaptive mode so we can create a good base of exception rules. If there is not a way to at least have the client automatically or with the click of one button create the exception rule, and then review and import into the policy, this will be an overwhelming task. I would have expected at least a list of standard windows applications to be pre populated. Am I missing something?
The other thing I am concerned with is when you do define an exception I do not see a hash associated with the executable. If we create an exception and the file were to ever get replaced, whatever exception (Which by default when created in the client includes all signatures) would not be detected because there is no file hash. Is this correct, or am I covered in some other way?
Tom, Your post is a month old now so you may have solved this already. If you haven't, have you checked the "Allow Client Rules" options for the particular signature you're having trouble with? Those settings are used to prevent exceptions from being created, even in Adaptive Mode.