hbss_admin
Level 9

Many threat source processes begin with **\

I'm getting a large amount of HIPS event logs that begin with **\, for example,

**\CMD.EXE

**\CSCRIPT.EXE

**\WMIC.EXE

**\WMIPRVSE.EXE

**\FSPROCSVC.EXE

**\USERINIT.EXE

**\FS_DEVICECONTRO*

**\MCSCRIPT_INUSE.*

And several others. This looks suspicious, like it would be a good way to put a trojaned file anywhere in the file system path, and with that double * in front of it, it would be able to run.

Has anyone seen this before, is it normal, and is there any threat associated with it? Should exceptions to HIPS signatures use this kind of format or is it too risky?

PG

0 Kudos
4 Replies
McAfee Employee

Re: Many threat source processes begin with **\

HIPS 8.0 uses double asterisks for wildcard syntax.  See page 105 of the HIPS 8.0 Product Guide.

PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

Submit a McAfee Support Service Request if you'd like the events reviewed further.

0 Kudos
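To make the wildcard syntax in the reply above concrete, here is an added example (not code from the thread, the product guide, or McAfee) that expands HIPS-style patterns into regular expressions and lists which sample process paths an exception such as `**\CMD.EXE` would cover. The `*` versus `**` semantics and the sample paths are assumptions made for the example, not taken from the product guide.

```python
import re

# Assumed semantics for this example (not quoted from the product guide):
#   *  matches any run of characters that does not cross a path separator (\ or /)
#   ** matches any run of characters, path separators included
#   ?  matches exactly one character other than a path separator
def hips_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a HIPS-style wildcard pattern into an anchored, case-insensitive regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out.append(r".*")            # crosses directory boundaries
            i += 2
        elif ch == "*":
            out.append(r"[^\\/]*")       # stays within one path component
            i += 1
        elif ch == "?":
            out.append(r"[^\\/]")
            i += 1
        elif ch in "\\/":
            out.append(r"[\\/]")         # accept either separator style
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def hips_match(pattern: str, path: str) -> bool:
    return hips_pattern_to_regex(pattern).fullmatch(path) is not None

# Constructed sample process paths; they are not from the thread's event logs.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Users\Public\Downloads\cmd.exe",
    r"C:\Windows\System32\wbem\WMIC.exe",
    r"C:\Program Files\Vendor\fs_devicecontrol.exe",
]

def paths_matched_by(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return every sample path the pattern covers, i.e. how broad an exception would be."""
    return [p for p in paths if hips_match(pattern, p)]

if __name__ == "__main__":
    for pat in (r"**\CMD.EXE", r"C:\Windows\System32\*.EXE", r"**\FS_DEVICECONTRO*"):
        print(pat, "->", paths_matched_by(pat))
```

Under these assumptions a `**\CMD.EXE` exception covers a cmd.exe in any directory, which is exactly the breadth the original question is worried about, whereas a single `*` stays inside one path component.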
hbss_admin
Level 9

Re: Many threat source processes begin with **\

We're using HIPS 7, though, not 8. Does that make a difference?

And note that I haven't been making exceptions using that syntax; that's the way it's coming up in the event logs.

0 Kudos
damageinc
Level 7

Re: Many threat source processes begin with **\

I would love to know the answer to this.  This may be a DoD-specific issue.  I have really found no possible explanation for this.  These show up as the threat source process name and the threat source URL.  I'm not even certain that these can be excepted. 

"**/CMD.EXE" is particularly egregious.  Most of our IPS rules policies have exceptions for this, yet they still violate signatures.

0 Kudos
McAfee Employee

Re: Many threat source processes begin with **\

I'm not sure about this.  Looking at my HIPS 7.0 events, I don't see any events with the process name listed as **\<filename>.exe.  I see the full path or just the application name (iexplore.exe), but not anything with double asterisks.

You might want to open a Service Request with McAfee Support to discuss this further.

0 Kudos