Multiple HIPS Policies applied (stack), which policy to apply exception?

First post, nice to meet you all

Thank you in advance for any help.

I work in an environment where we have multiple HIPS policies applied in a stack. Some of them are a matter of compliance and cannot be deleted, or else we fall out of compliance and have committed a security violation. My question is, given the information below, scenario-based:

Policy 1

Policy 2 *has a signature that blocks a particular file or executable

Policy 3

Policy 4

Policy 5

Given the stack of policies above, can the exception be provided in Policy 5 even though the block is coming from a signature in Policy 2? Does the list/stack of policies rely on sequence? Or does the ePO server ultimately look at the list of policies singularly?

One of the reasons I ask is: when we discover a block, due to developers testing their software, we create an exception in HIPS (provided it's a HIPS block); however, I do not see anything from the ePO or in the HipShield.log specifying which policy the block is occurring from.

Accepted Solution
ktankink (McAfee Employee), Message 3 of 4

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

IPS exceptions for any of the default signatures can be put in any policy, since all default signatures will exist in all policies, however for any custom signatures, the IPS exception must be put in the policy that contains that signature. Custom Signature IDs are unique per policy (actually per ePO Server) for the HIPS 8.0 product; for example, Signature 4001 can only exist in one single policy; you cannot have multiple copies of Sig 4001.

If you try to put an IPS exception for a custom signature in a policy that does not contain that custom signature, you'll get an error when trying to create an IPS exception for an event.  Error: "Create exception failed.  Signature xxxx does not exist in target policy".  This applies to any Signature 4001-5999 (which is the custom signature range in HIPS 8.0).
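As an added illustration (not part of the thread or of the McAfee product), the placement rule above modelled in Python: a default signature accepts an exception in any policy of the stack, a custom signature (4001-5999) only in the one policy that contains it, and a mis-placed exception reproduces the ePO error text. Policy names and signature IDs are constructed for the five-policy scenario in the question; treating every ID outside 4001-5999 as a default signature is an assumption of the model.

```python
from typing import Dict, List, Set

# Custom signature ID range in HIPS 8.0 per the accepted answer (4001-5999);
# anything outside it is treated here as a default signature (assumption).
CUSTOM_SIG_RANGE = range(4001, 6000)


class PlacementError(Exception):
    """Raised when an exception targets a policy that lacks the signature."""


def is_custom_signature(sig_id: int) -> bool:
    return sig_id in CUSTOM_SIG_RANGE


def policies_accepting_exception(stack: Dict[str, Set[int]], sig_id: int) -> List[str]:
    """Policies, in stack order, where an IPS exception for sig_id is valid.

    Default signatures exist in every policy; a custom signature exists
    only in the policy (or policies, if misconfigured) that defines it."""
    if not is_custom_signature(sig_id):
        return list(stack)
    return [name for name, sigs in stack.items() if sig_id in sigs]


def validate_exception(stack: Dict[str, Set[int]], sig_id: int, target_policy: str) -> bool:
    """Check an exception placement the way ePO would before creating it."""
    if target_policy not in stack:
        raise PlacementError(f"Policy {target_policy!r} is not in the stack")
    if target_policy not in policies_accepting_exception(stack, sig_id):
        raise PlacementError(
            f"Create exception failed. Signature {sig_id} does not exist in target policy")
    return True


def check_stack(stack: Dict[str, Set[int]]) -> Dict[int, List[str]]:
    """A custom signature ID must be unique per ePO server; report any duplicates."""
    seen: Dict[int, str] = {}
    duplicates: Dict[int, List[str]] = {}
    for name, sigs in stack.items():
        for sig in sorted(sigs):
            if not is_custom_signature(sig):
                continue
            if sig in seen:
                duplicates.setdefault(sig, [seen[sig]]).append(name)
            else:
                seen[sig] = name
    return duplicates


# Constructed sample stack mirroring the question: Policy 2 holds the custom
# signature that produced the block; the other policies hold none or another.
SAMPLE_STACK: Dict[str, Set[int]] = {
    "Policy 1": set(),
    "Policy 2": {4001},
    "Policy 3": set(),
    "Policy 4": set(),
    "Policy 5": {4002},
}
```

With this model, `policies_accepting_exception(SAMPLE_STACK, 4001)` answers the question directly: the exception for the block from Policy 2's custom signature can only live in Policy 2, while an exception for a default signature could go in Policy 5.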

3 Replies
Gladiator99 (McAfee Employee), Message 2 of 4

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

Thank you for posting your query "Multiple HIPS Policies applied (stack), which policy to apply exception?"

Is it possible for you to share a screenshot of the policies, or export the XML file and share it with us? This will give us a better understanding of your question.

Also, let me know how many groups you have in the system tree, and does each group have a different policy?

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

Thank you, this is very accurate. Originally, I'd posted this as I was not aware that it doesn't matter what policy you put the exception in, as long as it's a policy that the target systems will be exposed to.

I work in a team of Cyber Security HBSS SMEs, however, at the time I couldn't get an acceptable answer from anyone on this. That's changed now though, as our comprehension of this has improved.
