Showing results for 
Search instead for 
Did you mean: 
Level 7

execution in removable drives

How do I create a HIPS rule to monitor execution of *.exe, *.scr, *.pif, *.lnk files in removable drives (USB)

Should I use "Program" or "Files" from rule type?

What do I use to make a reference to a removable drive device (e.g. e:\*.exe or f:\*.exe)?

Thank you so much for your help

0 Kudos
1 Reply
McAfee Employee

Re: execution in removable drives

You can use either Rule type.  PROGRAM is the better type to use in HIPS 8, but you can't define Drive Type like you can with the FILES type.

1. PROGRAM type; use drive letters to tag USB devices; specify Target Executables by filename (wildcarded if desired; *.exe, *.scr, etc.).  Use RUN TARGET EXECTUABLE operation.

KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature

2. FILES type; specify the DRIVE TYPE parameter with value OtherRemovable.  Specify EXECUTE operation with FILES parameter of the files you want to monitor.  Files parameters needs to include a path (e.g., **\*.exe, **\*.scr, etc.).  Files can only be specified by filename path; no hashes, file description, or signer (use the PROGRAM type for this, if needed).

0 Kudos