I'm getting a large number of HIPS event logs that begin with **\, for example,
And several others. This looks suspicious, like it would be a good way to put a trojaned file anywhere in the file system path, and with that double * in front of it, it would be able to run.
Has anyone seen this before, is it normal, and is there any threat associated with it? Should exceptions to HIPS signatures use this kind of format or is it too risky?
HIPS 8.0 uses double asterisks for wildcard syntax. See page 105 of the HIPS 8.0 Product Guide.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
Submit a McAfee Support Service Request if you'd like the events reviewed further.
We're using HIPS 7, though, not 8. Does that make a difference?
And note that I haven't been making exceptions using that syntax; that's the way it's coming up in the event logs.
I would love to know the answer to this. This may be a DoD-specific issue. I have really found no possible explanation for this. These show up as the threat source process name and the threat source URL. I'm not even certain that these can be excepted.
"**/CMD.EXE" is particularly egregious. Most of our IPS rules policies have exceptions for this, yet they still violate signatures.
I'm not sure about this. Looking at my HIPS 7.0 events, I don't see any events with the process name listed as **\<filename>.exe. I see the full path or just the application name (iexplore.exe), but not anything with double asterisks.
You might want to open a Service Request with McAfee Support to discuss this further.
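As an added example (not code from this thread, from McAfee, or from the HIPS product), the following Python script shows one way to triage event records like the ones discussed above: it separates events whose threat-source process field is itself a double-asterisk wildcard (which is the anomaly the original poster is asking about, since a real event should carry a path or an image name) from events that a HIPS-style exception pattern would cover, and from events that remain uncovered. The sample event records and the exception list are constructed for the example. The wildcard semantics are an assumption: `**` is taken to match any run of characters including path separators, `*` to match within one path component, `?` one character, with `\` and `/` treated as equivalent and matching done case-insensitively.

```python
import re

# Constructed sample HIPS event records (not taken from the original thread).
SAMPLE_EVENTS = [
    {"signature": "3001", "process": r"**\CMD.EXE", "url": ""},
    {"signature": "3001", "process": r"C:\Windows\System32\cmd.exe", "url": ""},
    {"signature": "1020", "process": "iexplore.exe", "url": "http://example.invalid/"},
    {"signature": "3002", "process": "**/RUNDLL32.EXE", "url": ""},
]

# Constructed exception list in HIPS-style wildcard syntax (assumed semantics, see below).
SAMPLE_EXCEPTIONS = ["**/CMD.EXE"]

# A process field that *starts* with "**\" or "**/" is a wildcard, not a path.
WILDCARD_PREFIX = re.compile(r"^\*\*[\\/]")


def has_wildcard_prefix(name):
    """True when the threat-source process field is itself a wildcard pattern."""
    return WILDCARD_PREFIX.search(name) is not None


def hips_pattern_to_regex(pattern):
    """Translate a HIPS-style wildcard pattern into an anchored regex.

    Assumed semantics (not confirmed by the thread):
      '**' matches anything, including path separators;
      '*'  matches anything within a single path component;
      '?'  matches one character within a component;
      '\\' and '/' are interchangeable; matching is case-insensitive.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            parts.append(r"[^\\/]*")
        elif c == "?":
            parts.append(r"[^\\/]")
        elif c in "\\/":
            parts.append(r"[\\/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def exception_matches(pattern, process_name):
    """True when the exception pattern would cover this process name."""
    return hips_pattern_to_regex(pattern).match(process_name) is not None


def triage(events, exceptions):
    """Split events into three buckets for review.

    wildcard_process_field: the event itself reports a wildcard as the process
                            (investigate how the event was generated);
    covered_by_exception:   a real path/image name that an exception covers
                            (the exception is apparently not being honoured);
    uncovered:              everything else.
    """
    report = {"wildcard_process_field": [], "covered_by_exception": [], "uncovered": []}
    for ev in events:
        proc = ev["process"]
        if has_wildcard_prefix(proc):
            report["wildcard_process_field"].append(ev)
        elif any(exception_matches(p, proc) for p in exceptions):
            report["covered_by_exception"].append(ev)
        else:
            report["uncovered"].append(ev)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS)
    for bucket, items in result.items():
        print(bucket)
        for ev in items:
            print("  sig", ev["signature"], "process", ev["process"])
```

Run against the constructed data, the two `**\CMD.EXE` / `**/RUNDLL32.EXE` records land in the wildcard bucket, the full-path `cmd.exe` record is reported as covered by the `**/CMD.EXE` exception, and `iexplore.exe` stays uncovered. Exporting real HIPS events to CSV and feeding them through `triage` gives a quick count of how many events carry a wildcard in the process field, which is the figure to put in a Service Request.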