Showing results for 
Search instead for 
Did you mean: 

IPS Signature 6051

In VSE there is a AP Rule to prevent Hooking of McAfee Process. That rules transitions to IPS signature 6051. There is no documentation on 6051 and usage. Is there any documentation on 6051? Does 6010 and 6011 replace 6051 or should be used in place of 6051?

Should any exceptions be made for 6051. Example I have Bigfix continuously tripping 6051.

2 Replies
McAfee Employee ktankink
McAfee Employee
Report Inappropriate Content
Message 2 of 3

Re: IPS Signature 6051

Sig 6051 performs the similar functionality as the VSE Access Protection rule.  There is no further documentation on it.  The description you see in the Signature details is "This signature prevents McAfee processes from being hooked."

It is separate functionality from Sig 6010/6011, which are the app white listing signatures.

Sig 6051 exceptions will allow 3rd party applications to hook McAfee processes, which might cause issues (I don't have any specific examples though; testing would need to be performed in your environment; Sig 6051 is DISABLED by default as well).  See if Bigfix has a way to prevent hooking (or some type of exclusion rules) of McAfee processes to alleviate the signature events.

Re: IPS Signature 6051

All 33 HIPs AP rules are disabled by default. If you want HIPS to do the AP vs VSE you have to enable. HIPS 6051 triggers a lot more than the same rule in VSE.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator