2 Replies Latest reply on Sep 27, 2010 5:50 AM by Paul_N

    Custom IPS Signature help!

    Paul_N

      All,

      Without going into too many details, I'm having some real fun and games trying to get HIPS to recognise and trigger customised IPS exceptions.

      I've currently created an IPS policy which basically prevents "High" risk category threats, logs "Medium" and ignores anything lower.

      After this I created some customised signatures to protect some of our key management services and files/folders, which all seem to be absolutely correct.

      However, whatever I try, I cannot seem to get these customised signatures to actually apply and prevent the action.

      Even a basic rule to stop the modification of files within C:\Test isn't enforced.

      I'm just looking for advice on where to begin looking with this. Unlike the Firewall and Application Blocking tabs, the client UI is completely blank under the IPS tab and doesn't show any rules or any hint that it has actually got something defined beyond the tick-box "Enable IPS".

      For reference we are using HIPS 7 Patch 8 in combination with ePO 4.5 (Patch 1) and McAfee Agent 4.5.0.1429.

      I've attached some screenshots to illustrate the above.

      Many thanks for any help in advance!

      on 23/09/10 09:09:13 CDT
        • 1. Re: Custom IPS Signature help!
          Kary Tankink

          Some advice:

          1. Your question in a screenshot: Should this be blank? Yes, this blank field only shows entries when you put Host IPS in Adaptive mode and it creates locally-learned client rule exceptions.

          2. Your subrule is set up for FILES - C:\TEST, yet you created a directory called C:\TEST. The signature should be blocking operations to a file called TEST (no extension) in the root of C:\. Did you mean instead C:\TEST\* files? Modify your rule to include files in the C:\TEST directory, and not a file called TEST in C:\.

          • 2. Re: Custom IPS Signature help!
            Paul_N

            Kary, thank you ever so much - this was indeed the correct answer and IPS is now triggering as expected for file deletes on protected folders!

            I have, however, got another question, if you wouldn't mind?

            I have set up a rule to prevent the service termination of our power management software, Verdiem Surveyor; however, it only triggers upon trying to uninstall the software.

            If I go to Start -> Run -> services.msc and then stop the service from there, it doesn't get prevented as I would expect.

            A couple of things I can think of:

            1) Is services.msc a "trusted application" in terms of IPS with the default policy? (If so, what would I need to do to change that?)

            2) I added Verdiem Surveyor itself as a trusted application (although I would say this would have allowed the service to be terminated via uninstalling it).

            3) I have tried both the "Service Name" and "Display Name" options from the rule (putting the correct entry in as required), but each yields the same result.

            I've added some screenshots again to help illustrate the issue.

            Many thanks again in advance!