HIPS 8.0 uses double asterisks for wildcard syntax. See page 105 of the HIPS 8.0 Product Guide.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
Submit a McAfee Support Service Request if you'd like to have the events reviewed further.
We're using HIPS 7, though, not 8. Does that make a difference?
And note that I haven't been making exceptions using that syntax; that's the way it's coming up in the event logs.
I would love to know the answer to this. This may be a DoD-specific issue. I have really found no possible explanation for this. These show up as the threat source process name and the threat source URL. I'm not even certain that these can be excepted.
"**/CMD.EXE" is particularly egregious. Most of our IPS rules policies have exceptions for this, yet they still violate signatures.
I'm not sure about this. Looking at my HIPS 7.0 events, I don't see any events with the process name listed as **\<filename>.exe. I see the full path or just the application name (iexplore.exe), but not anything with double asterisks.
You might want to open a Service Request with McAfee Support to discuss this further.