2310 Views, 11 Replies. Latest reply: Mar 11, 2014 2:10 PM by Kary Tankink

jpeg9999, Newcomer, 26 posts since Jul 22, 2011
Mar 7, 2012 3:14 PM

Custom Rules in HIPS 7, specifically new_data

I am trying to make a rule which detects and mitigates specific registry changes. The rule will need to utilize wildcards as the Key, Name and Data may vary.

I can detect a static and dynamic Key and Name creation/modification without any issues, but fail when trying to utilize the Data field of the registry.

The Data field is referenced by old_data and new_data in custom HIPS signatures and must be in hex format.

Can we use wildcards in the new_data section? Please give us some examples that work.

  • Kary Tankink, McAfee Employee, 654 posts since Mar 3, 2010
    1. Mar 14, 2012 5:45 PM (in response to jpeg9999)
    Re: Custom Rules in HIPS 7, specifically new_data

    The new_data & old_data parameters do not need to be specified. If you do not enter them in, assume that that parameter exists as a * wildcard. If you are trying to prevent registry changes to a specific key, just specify which key is to be protected and any changes will be prevented.

    Message was edited by: ktankink on 3/14/12 5:45:56 PM CDT
  • Kary Tankink, McAfee Employee, 654 posts since Mar 3, 2010
    3. Mar 16, 2012 6:54 PM (in response to jpeg9999)
    Re: Custom Rules in HIPS 7, specifically new_data

    2a (or 2a00 in my testing) represents the literal * character. If you want to write up a custom signature that protects registry values from having "c:\windows\system32\<filename>.exe" from being used, you will need to write it as an Expert subrule (Standard subrules don't have the ability to input "new_data" parameters). I can PM you the code I used to prevent values from being written with this directory path. Basically, you need to find the values for the path above, but insert a ** in the TCL code so that a wildcard * is used.

  • zaloorb, Newcomer, 18 posts since Sep 1, 2009
    4. Mar 20, 2012 9:01 AM (in response to Kary Tankink)
    Re: Custom Rules in HIPS 7, specifically new_data

    Kary,

    I don't mean to hijack the thread but this is an answer I have been searching for, going on 4 weeks now. I have not been able to open a ticket with our McAfee support team (as we no longer control the support license agreement) which I feel will answer my question. I would also love to see the expert subrule syntax and format so we can POC and start testing changes. Is it possible you could PM me as well?

    Thank you in advance

  • Kary Tankink, McAfee Employee, 654 posts since Mar 3, 2010
    6. Mar 20, 2012 5:18 PM (in response to jpeg9999)
    Re: Custom Rules in HIPS 7, specifically new_data

    For the thread:

    The HIPS IPS parameter entries (new_data, old_data, etc.) are converted to 4-bit hex values. See KB69120.

    String    Hex
    a         6100
    b         6200
    c         6300

    So the hex value for c:\windows\system32\ would be:

    String                  Hex
    c:\windows\system32\    63003a005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c00
    .exe                    2e00650078006500

    So in the IPS Signature, put an ** between these lines and after to create a rule that monitors any values of: c:\windows\system32\*.exe*

    63003a005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c00**2e00650078006500**

    The * characters are wildcard characters, not literal * characters. Double ** characters are necessary for HIPS 8.0, due to how a single * and double ** function. See page 104 of PD22894 for wildcard details.

    NOTE: In my example, I used a \ character after system32, not your example of the : colon character. My mistake about that, but I wanted to stay consistent with my testing, after I noticed that. With that, the last 5c00 data value would change to 3a00 instead.

    I'll PM you an example Expert Subrule that I used for testing. Your custom signature will need to be modified for your needs.

  • Kary Tankink, McAfee Employee, 654 posts since Mar 3, 2010
    7. Mar 20, 2012 5:46 PM (in response to Kary Tankink)
    Re: Custom Rules in HIPS 7, specifically new_data

    Strike that. Single * characters will work as well. Double ** characters are not required.
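The encoding Kary describes in reply 6 and corrects in reply 7 (one hex group per character, a single * left in place as a wildcard) is easy to get wrong by hand, and a pasted value with a stray space in it will silently fail to match anything. The following is an added example, not McAfee's code or anything from the thread: it assumes the a=6100 / c=6300 mapping is UTF-16LE (each character's two little-endian bytes written as four hex digits), which reproduces the values in the thread exactly, and it treats a literal asterisk as 2a00 as reply 3 states. The decoder is there so a reviewer can read a signature's new_data back into text and catch malformed hex before deploying the rule.

```python
import re

# Added example for this thread (not McAfee's code): converts a registry-value
# pattern to the hex form used in HIPS new_data/old_data and back again.
# Assumption: the thread's mapping (a -> 6100, c -> 6300) is UTF-16LE, i.e.
# each character's two little-endian bytes written as four hex digits. A bare
# '*' is kept as a HIPS wildcard; a literal asterisk encodes as 2a00.


def encode_hips_data(pattern: str, literal_star: bool = False) -> str:
    """Encode a pattern for new_data/old_data.

    '*' is passed through as a HIPS wildcard unless literal_star is True,
    in which case it is encoded like any other character (2a00).
    """
    out = []
    for ch in pattern:
        if ch == "*" and not literal_star:
            out.append("*")
        else:
            out.append(ch.encode("utf-16-le").hex())
    return "".join(out)


def decode_hips_data(hexdata: str) -> str:
    """Decode a HIPS hex value back to text, keeping wildcards, for review.

    Raises ValueError on stray characters (for example a space pasted into
    the hex) or on a chunk that is not a whole number of 4-digit characters.
    """
    text = []
    # Split on runs of '*' but keep them, so wildcards survive the round trip.
    for chunk in re.split(r"(\*+)", hexdata):
        if not chunk:
            continue
        if chunk.startswith("*"):
            text.append(chunk)
            continue
        if len(chunk) % 4 or not re.fullmatch(r"[0-9a-fA-F]+", chunk):
            raise ValueError(f"malformed hex chunk: {chunk!r}")
        text.append(bytes.fromhex(chunk).decode("utf-16-le"))
    return "".join(text)


if __name__ == "__main__":
    # The thread's pattern: any value of the form c:\windows\system32\*.exe*
    pattern = "c:\\windows\\system32\\*.exe*"
    value = encode_hips_data(pattern)
    print("new_data:", value)
    print("decoded :", decode_hips_data(value))

    # A constructed copy-paste error (space inside a hex group) is rejected.
    try:
        decode_hips_data("5c0 0")
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the same 80-digit prefix and `2e00650078006500` that Kary posted, joined by single wildcards; changing the trailing `\` in the directory to `:` swaps the last group from `5c00` to `3a00`, as the NOTE in reply 6 says.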

  • zaloorb, Newcomer, 18 posts since Sep 1, 2009
    8. Mar 22, 2012 7:37 AM (in response to Kary Tankink)
    Re: Custom Rules in HIPS 7, specifically new_data

    Excellent information Kary. Thank you for the prompt response.
