1 Reply Latest reply on Feb 8, 2010 10:58 AM by $MoneyMan$

    HIPS 7.0 Blocking Application Hook on WMIPRVSE.EXE and RUNDLL32.EXE for Windows 7 systems.

    $MoneyMan$

      Hello All,

       

      We are testing HIPS 7.0 (50% are Windows XP SP3 and 50% are Windows 7).  We use ePO 4.0 Patch 5, VSE 8.7i Patch 2, VMAS 8.7i, MA 4.0 Patch 3,
      and HIPS 7.0 Patch 6.  We are receiving warnings for application hook blocks on Rundll32.exe and Wmiprvse.exe.  This appears to happen when the
      system enters hibernation or standby mode.  Wondering if this is something that anyone else is seeing.

       

      Here are the entries that we see in the logs:

       

      c$\ProgramData\McAfee\Host Intrusion Prevention\FireEpo.log (20 hits)
          Line 74: 01/28/2010 15:30:14 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 75: 01/28/2010 15:30:14 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 1261: 01/28/2010 17:30:16 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 1262: 01/28/2010 17:30:16 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 2166: 01/28/2010 19:30:21 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 2167: 01/28/2010 19:30:21 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 3362: 01/28/2010 21:30:25 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 3363: 01/28/2010 21:30:25 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 4267: 01/28/2010 23:30:30 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 4268: 01/28/2010 23:30:30 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 5469: 01/29/2010 01:30:19 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 5470: 01/29/2010 01:30:19 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 6374: 01/29/2010 03:30:24 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 6375: 01/29/2010 03:30:24 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 7579: 01/29/2010 05:30:28 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 7580: 01/29/2010 05:30:28 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 8484: 01/29/2010 07:30:32 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 8485: 01/29/2010 07:30:32 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 9704: 01/29/2010 09:30:37 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
          Line 9705: 01/29/2010 09:30:37 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
      c$\ProgramData\McAfee\Host Intrusion Prevention\FireSvc.log (13 hits)
          Line 111326: 01/29/2010 09:22:45 PROCHLPR[680]    INFO     Added process ID 7956, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 218123: 01/29/2010 09:27:41 PROCHLPR[680]    INFO     Added process ID 6840, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 310561: 01/29/2010 09:31:11 PROCHLPR[680]    INFO     Added process ID 6584, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 310582: 01/29/2010 09:31:11 PROCHLPR[381]    INFO     Returning info for process ID 6584, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
          Line 427017: 01/29/2010 09:37:41 PROCHLPR[680]    INFO     Added process ID 7292, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 514813: 01/29/2010 09:41:01 PROCHLPR[680]    INFO     Added process ID 5028, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 665801: 01/29/2010 09:47:41 PROCHLPR[680]    INFO     Added process ID 1092, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 757853: 01/29/2010 09:52:41 PROCHLPR[680]    INFO     Added process ID 7912, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 850312: 01/29/2010 09:56:57 PROCHLPR[680]    INFO     Added process ID 7000, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 850332: 01/29/2010 09:56:57 PROCHLPR[381]    INFO     Returning info for process ID 7000, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
          Line 981707: 01/29/2010 10:02:41 PROCHLPR[680]    INFO     Added process ID 7856, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 1109959: 01/29/2010 10:07:42 PROCHLPR[680]    INFO     Added process ID 7412, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
          Line 1249375: 01/29/2010 10:12:42 PROCHLPR[680]    INFO     Added process ID 3736, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
         
      EPO Notice (Sanitized for peace of mind :-))

       

      Computer:  Blah Blah
      IP:  0.0.0.0
      Infection source:  Blah Blah
      Product:  Host Intrusion Prevention
      Time:  1/29/10 9:30:39 AM

       

      Description: 
      Application blocked

       

      Category: 
      Application blocked

       

      Threat: 
      Not Available

       

      Threat ID:
      18002

       

      Affected Object: 
      WMI Provider Host

       

      Number of Events:
      1

       

      Number of Systems Affected:
      1

       

      Event First Triggered:
      1/29/10 9:30:39 AM

       

      Additional info: 
      C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE

       

      For additional information, see the Notification Log in the ePolicy Orchestrator console.

       

      Event Log

       

      Event Received Time (UTC): 1/29/10 3:30:43 PM
      Event Generated Time (UTC): 1/29/10 12:33:27 PM
      Agent GUID: 007
      Detecting Product ID: HOSTIPS_META
      Detecting Product Name: McAfee Host Intrusion Prevention
      Detecting Product Version: 7.0.0
      Detecting Product Host Name: Blah Blah
      Detecting Product IPv4 Address: 0.0.0.0
      Detecting Product IPv6 Address: 
      Detecting Product MAC Address: 0
      DAT Version: 
      Engine Version: 
      Threat Source Host Name: 
      Threat Source IPv4 Address: 
      Threat Source IPv6 Address: 
      Threat Source MAC Address: 
      Threat Source User Name: 
      Threat Source Process Name: WMIPRVSE.EXE
      Threat Source URL: file:///C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
      Threat Target Host Name: Blah Blah
      Threat Target IPv4 Address: 0.0.0.0
      Threat Target IPv6 Address: 
      Threat Target MAC Address: 0
      Threat Target User Name: 
      Threat Target Port Number: 
      Threat Target Network Protocol: 
      Threat Target Process Name: 
      Threat Target File Path: 
      Event Category: Application block
      Event ID: 18002
      Threat Severity: Warning
      Threat Name: WMI Provider Host
      Threat Type: hook
      Action Taken: Blocked
      Threat Handled: true
      Analyzer Detection Method:

       

       

      Message was edited by: $MoneyMan$ on 1/29/10 10:46:31 AM CST
        • 1. Re: HIPS 7.0 Blocking Application Hook on WMIPRVSE.EXE and RUNDLL32.EXE for Windows 7 systems.
          $MoneyMan$

          Well, I contacted support and found a resolution to the issue: use XP if you want to have the application hooking component supported!  Below is their response.

           

          "As per your query, it is a Known Issue.

          Issue: Because of internal changes in the operating system, the Application Hooking component of Application Blocking is not supported on Windows 7 at this time.

           

          Refer to online knowledgebase article KB65844 for the most current Windows 7 details.

           

          This will be fixed in HIP 8.0; HIP 8.0 is currently scheduled to release in late Q3 2010."
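Added example, not from the thread and not McAfee code: a small Python triage script over the FireEpo.log and FireSvc.log line formats quoted in the original post. Before filing these alerts under the known issue described in the reply, a practitioner would want two things confirmed per host: that every process named wmiprvse.exe really is the WMI Provider Host from C:\WINDOWS\SYSTEM32\WBEM with one consistent binary hash (a masquerading binary in another directory would produce the same "hook" event), and that the blocks fire on the fixed schedule the log shows (one every two hours) rather than around user activity. The sample lines are copied from the post, with the MD5 truncated as it is there ("0x203c..."), plus one constructed FireSvc line (PID 4242, C:\Users\Public) to show what the check flags. The regexes, function names, the rule number and the canonical directory are assumptions derived from the quoted lines, not documented McAfee formats.

```python
"""Triage the HIPS 7.0 'application hook blocked' events from the thread above.

Added example, not McAfee code.  Parses the two log formats quoted in the
original post and answers what a responder wants to know before filing the
alerts under the known issue:
  1. is every process named wmiprvse.exe the real WMI Provider Host
     (canonical directory, one consistent binary hash)?
  2. do the blocks fire on a fixed schedule rather than around user activity?
"""
import re
from datetime import datetime
from pathlib import PureWindowsPath

TS_FMT = "%m/%d/%Y %H:%M:%S"
# Assumed line shapes, derived from the lines quoted in the post.
RULE_RE = re.compile(r'^(?P<ts>\S+ \S+) .*?Rule (?P<rule>\d+) -> .*?"(?P<exe>[^"]+)"')
PROC_RE = re.compile(r'^(?P<ts>\S+ \S+) PROCHLPR\[\d+\]\s+INFO\s+Added process ID '
                     r'(?P<pid>\d+), (?P<path>.+?), MD5 (?P<md5>\S+)$')

# Sample input: FireEpo.log lines copied from the post (4 of the 10 hits).
FIREEPO_SAMPLE = r"""
01/28/2010 15:30:14 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 15:30:14 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 17:30:16 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 17:30:16 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 19:30:21 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 19:30:21 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 21:30:25 polFwAppRules.cpp[184]    INFO       Rule 19 -> TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
01/28/2010 21:30:25 INFO       AppRule=TRUE,TRUE,FALSE,"wmiprvse.exe",0x00000000000000000000000000000000,FALSE,FALSE,FALSE,FALSE,1
"""

# Sample input: three FireSvc.log lines copied from the post plus one CONSTRUCTED
# line (PID 4242, C:\Users\Public) standing in for a binary masquerading as wmiprvse.exe.
FIRESVC_SAMPLE = r"""
01/29/2010 09:22:45 PROCHLPR[680]    INFO     Added process ID 7956, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
01/29/2010 09:27:41 PROCHLPR[680]    INFO     Added process ID 6840, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
01/29/2010 09:31:11 PROCHLPR[680]    INFO     Added process ID 6584, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE, MD5 0x203c...
01/29/2010 09:31:11 PROCHLPR[381]    INFO     Returning info for process ID 6584, C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
01/29/2010 09:35:00 PROCHLPR[680]    INFO     Added process ID 4242, C:\Users\Public\wmiprvse.exe, MD5 0xdead...
"""


def parse_fireepo(text):
    """[(time, rule_no, exe)] for each 'Rule N ->' decision.  The 'AppRule='
    line that follows each one repeats the same decision and is skipped."""
    hits = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            hits.append((datetime.strptime(m["ts"], TS_FMT), int(m["rule"]), m["exe"].lower()))
    return hits


def parse_firesvc(text):
    """[(time, pid, path, md5)] for each process HIPS registered ('Added process ID')."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs.append((datetime.strptime(m["ts"], TS_FMT), int(m["pid"]),
                          m["path"], m["md5"].lower()))
    return procs


def hit_intervals(hits, rule):
    """Seconds between consecutive hits of one rule; a flat series (here ~7200 s)
    points at a scheduled trigger, not interactive use."""
    times = sorted(t for t, r, _ in hits if r == rule)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def triage(procs, exe, canonical_dir):
    """Split processes named `exe` into canonical copies and anything else.
    off_path: same file name, different directory (classic masquerade).
    hash_variants: distinct hashes seen at the canonical path; more than one
    on a single host means the binary changed under the same name."""
    canon = PureWindowsPath(canonical_dir)          # comparisons are case-insensitive
    off_path, hash_variants = [], set()
    for _, pid, path, md5 in procs:
        p = PureWindowsPath(path)
        if p.name.lower() != exe.lower():
            continue
        if p.parent == canon:
            hash_variants.add(md5)
        else:
            off_path.append((pid, path, md5))
    return {"off_path": off_path, "hash_variants": hash_variants}


def summarize(fireepo_text, firesvc_text, exe="wmiprvse.exe",
              canonical_dir=r"C:\WINDOWS\SYSTEM32\WBEM", rule=19):
    """One report per host: how many rule hits, their spacing, and any suspect copies."""
    hits = parse_fireepo(fireepo_text)
    report = triage(parse_firesvc(firesvc_text), exe, canonical_dir)
    report["rule_hits"] = sum(1 for _, r, e in hits if r == rule and e == exe)
    report["intervals_s"] = hit_intervals(hits, rule)
    return report


if __name__ == "__main__":
    for key, value in summarize(FIREEPO_SAMPLE, FIRESVC_SAMPLE).items():
        print(f"{key}: {value}")
```

On the lines from the post the report shows a single hash prefix at the canonical path and roughly 7200 s between Rule 19 hits, which fits a scheduled WMI query rather than anything interactive; only the constructed C:\Users\Public entry ends up in off_path. The log excerpt alone cannot say whether that hash is the expected one for the Windows build in question, so the hash check is a consistency check across spawns, not a verification against a known-good value; that comparison needs the hash from a trusted copy of the same OS build.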