With HIPS 7 any custom created signatures were detailed in a file named Sigrules.txt. Recently, we began testing custom signatures for HIPS 8 and could not find out newest entries in this file. The signature does trigger properly however, so the signature must be loaded from somewhere. So I have 2 questions:
- How are custom signature rules stored on the client within HIPS 8
- If custom signature rules are no longer stored in the Sigrules.txt file, what is the pupose of this file in HIPS 8
I will be curious to know the answer to this too. I see the file, and I am running HIPS 8.
Furthermore, we have questioned in the past why this file is not some how protected, or encrypted. It contains all the parameters and syntax for any custom signatures. Even from an unprivilaged user account, it can be accessed.Message was edited by: greatscott on 8/17/12 12:39:57 PM CDT
Did you upgrade to HIPS 8? Maybe this file is just left over from HIPS 7? Perhaps McAfee developed a more secure way of storing the custom signature parameters in HIPS 8?
I did initially leave out the fact the the file is in plain text but that is a great point to make. I guess it is possible that it is leftover but it must serve some purpose... If not, it might be best for us to delete it entirely to prevent anyone from gleaning this sensitive information.