cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
oceandographer
Level 8
Report Inappropriate Content
Message 1 of 4
‎06-12-2018 09:36 AM

Multiple HIPS Policies applied (stack), which policy to apply exception?

Jump to solution

First post, nice to meet you all

 

Thank you in advance for any help.

I work in an environment where we have multiple HIPS policies applied in a stack. Some of them are a matter of compliance and cannot be deleted or else we fall out of compliance and have commited a security violation. My question is, given the information below, scenario based-

Policy 1

Policy 2 *has a signature that blocks a particular file or executable

Policy 3

Policy 4

Policy 5

Given the stack of policies above, can the exception be provided in Policy 5 even though the block is coming from a signature in Policy 2? Does the list/stack of policies rely on sequence? Or does the ePO server ultimately look at the list of policies singularly?

One of the reasons I ask is- when we discover a block, due to developers testing their software, we create an exception in HIPS (provided it's a HIPS block), however I do not see anything from the ePO or in the HipShield.log specifying which policy the block is occuring from.

 

0 Kudos
Reply
1 Solution

Accepted Solutions
Highlighted
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 4
‎09-20-2019 12:18 PM

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

Jump to solution

IPS exceptions for any of the default signatures can be put in any policy, since all default signatures will exist in all policies, however for any custom signatures, the IPS exception must be put in the policy that contains that signature. Custom Signature IDs are unique per policy (actually per ePO Server) for the HIPS 8.0 product; for example, Signature 4001 can only exist in one single policy; you cannot have multiple copies of Sig 4001.

If you try to put an IPS exception for a custom signature in a policy that does not contain that custom signature, you'll get an error when trying to create an IPS exception for an event.  Error: "Create exception failed.  Signature xxxx does not exist in target policy".  This applies to any Signature 4001-5999 (which is the custom signature range in HIPS 8.0).

View solution in original post

Reply
3 Replies
Highlighted
Thussain
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎09-20-2019 11:57 AM

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

Jump to solution

Thank you for posting your query "Multiple HIPS Policies applied (stack), which policy to apply exception?"

Is it possible for you to share a Screen shot of the policies or export the xml file and share it with us, this will give us a better understanding of your question

Also let me know, how many groups do you have in system tree, and does each group have a different policy?

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
0 Kudos
Reply
Highlighted
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 4
‎09-20-2019 12:18 PM

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

Jump to solution

IPS exceptions for any of the default signatures can be put in any policy, since all default signatures will exist in all policies, however for any custom signatures, the IPS exception must be put in the policy that contains that signature. Custom Signature IDs are unique per policy (actually per ePO Server) for the HIPS 8.0 product; for example, Signature 4001 can only exist in one single policy; you cannot have multiple copies of Sig 4001.

If you try to put an IPS exception for a custom signature in a policy that does not contain that custom signature, you'll get an error when trying to create an IPS exception for an event.  Error: "Create exception failed.  Signature xxxx does not exist in target policy".  This applies to any Signature 4001-5999 (which is the custom signature range in HIPS 8.0).

View solution in original post

Reply
Highlighted
oceandographer
Level 8
Report Inappropriate Content
Message 4 of 4
‎09-21-2019 10:35 AM

Re: Multiple HIPS Policies applied (stack), which policy to apply exception?

Jump to solution

Thank you, this is very accurate. Originally, I'd posted this as I was not aware that it doesn't matter what policy you put the exception in, as long as it's a policy that the target systems will be exposed to.

 

I work in a team of Cyber Security HBSS SMEs, however, at the time I couldn't get an acceptable answer from anyone on this. That's changed now though, as our comprehension of this has improved.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC