abunish28
Level 7

Signature 1001


Hi,

Can anyone provide me the steps to trigger a signature 1001.  I need to trigger a signature 1001 to test HIPS.


Accepted Solutions
McAfee Employee

Re: Signature 1001


Signature 1001 is the Windows Agent Shielding - File Modification signature.  Try modifying any of the Host IPS files (like in the installation directory).  Ensure you have the Host IPS module enabled, High Severity events is set to PREVENT, and Signature 1001 is left at high severity.  Renames/moves, etc. should be prevented.

4 Replies
exbrit
Level 21

Re: Signature 1001


Moved from Home to Business > HIPS for better attention.

lrock
Level 9

Re: Signature 1001


You verified sig 1001 is enabled and set to the level you're blocking? Depending on Group Policy, this signature should be evident in the HIPS log when you make an attempt to uninstall McAfee Agent with HIPS enabled. You can also test this signature by stopping one of the agent services or modifying agent files or reg info with HIPS enabled.

This at least is what the signature suggests. I just got done testing however and am not seeing this block. I thought there may be a conflicting signature in 4011.  I'm missing something....

Message was edited by: lrock on 6/4/13 7:24:42 AM CDT
McAfee Employee

Re: Signature 1001


Signature 4000-5999 are custom signatures written by customers.  You may have conflicts with the McAfee Default signatures, depending on how the custom signature is written.  If so, the original author of the custom signatures should troubleshoot it further.
