c14us
Level 7

Use of wildcards in certificates. Custom HIPS signature


Hi All

As seen on many download pages, wrappers for misc. software are often bundled with PUP software (or worse).

I've played with a rule to stop the most aggressive adware publishers based on their certificates, but have problems using wildcards (they are not accepted/working).

Do any of you know how wildcards should be applied in the certificate check?

Ex 1. (Not working, but what I would like to do. I've tested with * and **)

Rule {
tag "Blocked Certificates"
Class Program
Id 4007
level 4
Target_Executable { Include { -sdn "CN=*fried cookie**" }
}
directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

Ex 2. (The full cert is working, but it is too specific, and will require way too much manual work to be of any interest)

Rule {
tag "Funnel"
Class Program
Id 4001
level 4
Target_Executable { Include { -sdn "CN=funnel delivery (fried cookie ltd.), O=funnel delivery (fried cookie ltd.), L=tel aviv, C=il" }
}
directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}


Accepted Solutions
shakira
Level 10

Re: Use of wildcards in certificates. Custom HIPS signature


You can indeed use wildcards for certs, but it must be done with expert rules:

Rule {
    tag "look for multiple signers/certs with stars in them because we only know pieces"
    Class Program
    Id 5809
    level 3
    Executable { Include { -sdn "*OU=MPR*" } \
    { -sdn "*OU=MOPR*" }
    }
    directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

Trying to do this in the GUI will remove the wildcards. Not sure why it does this. At least the option is there in the expert rules.

McAfee Employee

Re: Use of wildcards in certificates. Custom HIPS signature


According to the HELP menu for EXECUTABLES, the Signer must be an EXACT match (no wildcards).


Specify a signer: A signer distinguished name (SDN) for the executable is required and it must match exactly the entries in the accompanying field, including commas and spaces. If signer information is in executables in the Host IPS catalog, you can type an entry and you will get verification of the entry.


c14us
Level 7

Re: Use of wildcards in certificates. Custom HIPS signature


Ugh!

Hoped that was not the case. Would be nice to stop adware developers by part of their signer name.

A GTI function to check signers would be nice. I'll make a PER.

Thanks for the reply.


c14us
Level 7

Re: Use of wildcards in certificates. Custom HIPS signature


I wanna dance with you, Shakira. It's working!

Can only get it to accept one signer name in the rule though. Get a syntax error every time when trying to add more.

The example below will block the "Fried Cookie" wrapped installer of FileZilla at SourceForge. I'd like to add a few other blacklisted certificates like "CN=OpenCandy" and "CN=PC Utilities Software Limited". Can I get you to try adding multiple SDNs in one single rule?

Rule {
tag "Blocked Certificates"
Class Program
Id 4003
level 4
Target_Executable { Include { -sdn "*CN=*Fried Cookie*" } }

directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

shakira
Level 10

Re: Use of wildcards in certificates. Custom HIPS signature


Glad I could help! Very cool that SourceForge was nice enough to identify their wrapper installers for us. Here is a rule using multiple certs with stars that just worked for me via expert rule:

Rule {
tag "test"
Class Program
Id 5932
level 3
Executable { Include { -sdn "*OU=What*" } \
{ -sdn "*OU=hello*" }
}
directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

What I did was make the rule with the GUI (standard rule), click preview and copy the rule. Then I pasted that into an expert rule and added the stars. Make sure to remove any whitespace added from copying and pasting this rule! I got a syntax error when I copied right from this post and tried to add it.
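As an added example (not code from this thread or from McAfee), here is a small offline checker that pulls the -sdn patterns out of an expert rule in the multi-signer shape shakira posted and tests candidate signer DNs, such as the full SDN from Ex 2, against them, so a signer blocklist can be sanity-checked before it is deployed. It assumes plain glob-style `*` matching; the thread does not say whether HIPS compares case-sensitively, so that is left as a parameter, and the rule text and DNs below are constructed samples.

```python
import fnmatch
import re

# Constructed sample rule in the multi-signer expert-rule shape shown in this
# thread, including the `\` line continuation the posted rules use.
RULE_TEXT = r'''
Rule {
  tag "Blocked Certificates"
  Class Program
  Id 4003
  level 4
  Target_Executable { Include { -sdn "*CN=*Fried Cookie*" } \
                              { -sdn "*CN=OpenCandy*" } }
  directives program:open_with_wait program:run
}
'''

# Constructed sample signer DNs; the first is the full SDN quoted in the thread.
SAMPLE_SDNS = [
    "CN=funnel delivery (fried cookie ltd.), O=funnel delivery (fried cookie ltd.), L=tel aviv, C=il",
    "CN=OpenCandy, O=OpenCandy Inc, L=Tel Aviv, C=IL",
    "CN=Example Publisher Ltd, O=Example Publisher Ltd, L=Bonn, C=DE",
]

SDN_RE = re.compile(r'-sdn\s+"([^"]*)"')

def extract_sdn_patterns(rule_text):
    """Return every -sdn pattern in an expert rule, after collapsing the
    backslash line continuations so multi-line Include blocks parse too."""
    joined = re.sub(r'\\\s*\n', ' ', rule_text)
    return SDN_RE.findall(joined)

def sdn_matches(sdn, pattern, case_sensitive=False):
    """Glob-style match of one signer DN against one -sdn pattern.
    ASSUMPTION: `*` means 'any run of characters'; the thread does not say
    whether HIPS compares case-sensitively, so that is a parameter here."""
    if case_sensitive:
        return fnmatch.fnmatchcase(sdn, pattern)
    return fnmatch.fnmatchcase(sdn.lower(), pattern.lower())

def blocked_signers(rule_text, sdns, case_sensitive=False):
    """Map each SDN to the first -sdn pattern that would block it, or None."""
    patterns = extract_sdn_patterns(rule_text)
    return {s: next((p for p in patterns if sdn_matches(s, p, case_sensitive)), None)
            for s in sdns}

if __name__ == "__main__":
    for sdn, hit in blocked_signers(RULE_TEXT, SAMPLE_SDNS).items():
        print("BLOCK" if hit else "allow", sdn, hit or "")
```

Running it with case_sensitive=True shows the lowercase Ex 2 SDN no longer matching "*CN=*Fried Cookie*", which is the kind of mismatch worth checking against real signer strings from the Host IPS catalog before trusting a pattern.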