First post, nice to meet you all
Thank you in advance for any help.
I work in an environment where we have multiple HIPS policies applied in a stack. Some of them are a matter of compliance and cannot be deleted, or else we fall out of compliance and have committed a security violation. My question is, given the information below, scenario based:
Policy 1
Policy 2 *has a signature that blocks a particular file or executable
Policy 3
Policy 4
Policy 5
Given the stack of policies above, can the exception be provided in Policy 5 even though the block is coming from a signature in Policy 2? Does the list/stack of policies rely on sequence? Or does the ePO server ultimately look at the list of policies singularly?
One of the reasons I ask is: when we discover a block, due to developers testing their software, we create an exception in HIPS (provided it's a HIPS block); however, I do not see anything from the ePO or in the HipShield.log specifying which policy the block is occurring from.
IPS exceptions for any of the default signatures can be put in any policy, since all default signatures will exist in all policies; however, for any custom signatures, the IPS exception must be put in the policy that contains that signature. Custom Signature IDs are unique per policy (actually per ePO Server) for the HIPS 8.0 product; for example, Signature 4001 can only exist in one single policy; you cannot have multiple copies of Sig 4001.
If you try to put an IPS exception for a custom signature in a policy that does not contain that custom signature, you'll get an error when trying to create an IPS exception for an event. Error: "Create exception failed. Signature xxxx does not exist in target policy". This applies to any Signature 4001-5999 (which is the custom signature range in HIPS 8.0).
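The placement rule in the answer above, written out as a small model so it can be checked against a policy stack like the one in the question. This is an added example, not ePO or HIPS code: the policy names, the custom signature ID 4001 sitting in Policy 2, and the sample default signature ID 1000 are constructed, and the only behaviour it encodes is what the answer states (default signatures exist in every policy, custom signatures in the 4001-5999 range exist in exactly one policy per ePO server, and an exception for a custom signature must target that policy). Treating every ID outside 4001-5999 as a default signature is a simplification of this model.

```python
"""Model of where a HIPS 8.0 IPS exception can be placed in a policy stack.

Added example, not McAfee/ePO code. Encodes the rule from the answer:
- default signatures exist in every IPS policy, so their exceptions may go anywhere;
- custom signatures (IDs 4001-5999) exist in exactly one policy per ePO server,
  so their exceptions must go in that policy.
Policy names and signature IDs are constructed sample data.
"""
from dataclasses import dataclass, field

CUSTOM_SIG_RANGE = range(4001, 6000)  # 4001-5999, the custom range named in the answer


@dataclass
class IpsPolicy:
    name: str
    custom_signatures: set = field(default_factory=set)


class ExceptionPlacementError(ValueError):
    """Raised where ePO would refuse to create the exception."""


def is_custom_signature(sig_id: int) -> bool:
    # Model assumption: anything outside 4001-5999 is treated as a default signature.
    return sig_id in CUSTOM_SIG_RANGE


def validate_stack(stack):
    """Custom IDs are unique per ePO server: reject a stack that lists one twice."""
    seen = {}
    for policy in stack:
        for sig in policy.custom_signatures:
            if not is_custom_signature(sig):
                raise ValueError(f"Signature {sig} in {policy.name} is outside the custom range")
            if sig in seen:
                raise ValueError(f"Signature {sig} appears in both {seen[sig]} and {policy.name}")
            seen[sig] = policy.name


def eligible_policies(sig_id: int, stack) -> list:
    """Names of policies in the stack that may hold an exception for sig_id.

    Order of the stack does not matter: a default signature is accepted by every
    policy, a custom signature only by the single policy that defines it.
    """
    validate_stack(stack)
    if not is_custom_signature(sig_id):
        return [p.name for p in stack]
    return [p.name for p in stack if sig_id in p.custom_signatures]


def create_exception(sig_id: int, target: str, stack) -> dict:
    """Mimic the ePO check: fail if the target policy does not contain the signature."""
    validate_stack(stack)
    policy = next((p for p in stack if p.name == target), None)
    if policy is None:
        raise ExceptionPlacementError(f"Policy {target} is not in the stack")
    if is_custom_signature(sig_id) and sig_id not in policy.custom_signatures:
        # Same wording as the ePO error quoted in the answer.
        raise ExceptionPlacementError(
            f"Create exception failed. Signature {sig_id} does not exist in target policy")
    return {"signature": sig_id, "policy": target}


# Constructed stack matching the question: the custom block lives in Policy 2.
SAMPLE_STACK = [
    IpsPolicy("Policy 1"),
    IpsPolicy("Policy 2", {4001}),
    IpsPolicy("Policy 3"),
    IpsPolicy("Policy 4"),
    IpsPolicy("Policy 5"),
]
SAMPLE_DEFAULT_SIG = 1000  # constructed ID standing in for any default signature

if __name__ == "__main__":
    print("custom 4001 ->", eligible_policies(4001, SAMPLE_STACK))
    print("default    ->", eligible_policies(SAMPLE_DEFAULT_SIG, SAMPLE_STACK))
    try:
        create_exception(4001, "Policy 5", SAMPLE_STACK)
    except ExceptionPlacementError as err:
        print(err)
```

Running it shows the two cases from the thread side by side: the exception for signature 4001 is only accepted by Policy 2, while an exception for a default signature is accepted by all five policies regardless of their position in the stack.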
Thank you for posting your query "Multiple HIPS Policies applied (stack), which policy to apply exception?"
Is it possible for you to share a screenshot of the policies, or export the XML file and share it with us? This will give us a better understanding of your question.
Also, let me know how many groups you have in the system tree, and whether each group has a different policy.
Thank you, this is very accurate. Originally, I'd posted this as I was not aware that it doesn't matter what policy you put the exception in, as long as it's a policy that the target systems will be exposed to.
I work in a team of Cyber Security HBSS SMEs; however, at the time I couldn't get an acceptable answer from anyone on this. That's changed now though, as our comprehension of this has improved.