4 Replies Latest reply on Jun 8, 2012 3:48 PM by hbss_admin

    Issues with signature 1266

      I manage a large enterprise network and have had HIPS high/medium/low blocking enabled for several months now.

       

      Signature 1266 (IIS6 Envelope - Registry Mod. by IIS Process) had been relatively quiet for a long time and then all of a sudden started getting quite noisy all over the enterprise. Even though exceptions had been created for the expected traffic, HIPS seems to be ignoring the exceptions in a lot of cases and is continuing to block the traffic.

       

      There was a HIPS content update on April 16 and the problems started within a few days after that, so I'm wondering if McAfee modified that 1266 signature in some way that's caused it to generate a lot of false positives.

       

      PG
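One way to check the suspicion in the post above, namely that a signature went noisy right after a content update, is to compare per-signature event rates before and after the update date across the enterprise rather than eyeballing the event log. The script below is an added example, not code from the thread or from McAfee: the record layout (timestamp, signature ID, signature name, host, process) is a constructed, simplified shape and not the real ePO threat-event export, the sample events are made up, and the analysis window boundaries are assumptions; only the April 16 update date and signature 1266 come from the post. Adapt the parser to the columns of your own ePO query export.

```python
"""
Added example (not from the forum thread): correlate a HIPS signature
becoming "noisy" with a content-update date by comparing per-signature
daily event rates before and after the update, and counting how many
distinct hosts fire it afterwards (an enterprise-wide spike points at
content or policy; a single host points at a local script).

Record layout below is constructed and simplified; it is NOT the ePO
threat-event export format.
"""
from collections import defaultdict
from datetime import date

# Constructed sample events: signature 1266 is quiet before 2012-04-16 and
# then fires on many hosts afterwards; signature 990 stays flat.
SAMPLE_EVENTS = """\
2012-03-20T08:12:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB01,w3wp.exe
2012-04-02T11:40:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB03,w3wp.exe
2012-03-21T09:00:00,990,Generic Registry Mod,SRV01,svchost.exe
2012-04-10T09:00:00,990,Generic Registry Mod,SRV02,svchost.exe
2012-04-18T10:00:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB01,w3wp.exe
2012-04-18T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB02,w3wp.exe
2012-04-19T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB05,w3wp.exe
2012-04-20T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB07,w3wp.exe
2012-04-21T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB02,w3wp.exe
2012-04-22T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB09,w3wp.exe
2012-04-25T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB11,w3wp.exe
2012-04-28T10:05:00,1266,IIS6 Envelope - Registry Mod. by IIS Process,WEB04,w3wp.exe
2012-04-23T09:00:00,990,Generic Registry Mod,SRV03,svchost.exe
"""


def parse_events(text):
    """Parse the constructed comma-separated records into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sig, name, host, proc = line.split(",", 4)
        events.append({
            "when": date.fromisoformat(ts[:10]),  # keep the calendar day only
            "sig": int(sig),
            "name": name,
            "host": host,
            "process": proc,
        })
    return events


def signature_rates(events, start, update, end):
    """Per-signature daily event rate before/after the content update.

    'before' covers [start, update), 'after' covers [update, end] inclusive.
    Events outside [start, end] are ignored.
    """
    before_days = (update - start).days
    after_days = (end - update).days + 1
    if before_days <= 0 or after_days <= 0:
        raise ValueError("need start < update <= end")
    counts = defaultdict(lambda: {"name": "", "before": 0, "after": 0, "hosts": set()})
    for ev in events:
        d = ev["when"]
        if d < start or d > end:
            continue
        c = counts[ev["sig"]]
        c["name"] = ev["name"]
        if d < update:
            c["before"] += 1
        else:
            c["after"] += 1
            c["hosts"].add(ev["host"])
    return {
        sig: {
            "name": c["name"],
            "before_per_day": c["before"] / before_days,
            "after_per_day": c["after"] / after_days,
            "hosts_after": len(c["hosts"]),
        }
        for sig, c in counts.items()
    }


def noisy_signatures(events, start, update, end, factor=3.0, min_hosts=2):
    """Return (sig, name, ratio, hosts_after) for signatures whose post-update
    rate is at least `factor` times the pre-update rate and which fired on at
    least `min_hosts` distinct hosts afterwards. A signature that was silent
    before the update gets an infinite ratio."""
    flagged = []
    for sig, r in signature_rates(events, start, update, end).items():
        if r["after_per_day"] == 0 or r["hosts_after"] < min_hosts:
            continue
        ratio = float("inf") if r["before_per_day"] == 0 else r["after_per_day"] / r["before_per_day"]
        if ratio >= factor:
            flagged.append((sig, r["name"], ratio, r["hosts_after"]))
    return sorted(flagged, key=lambda t: t[2], reverse=True)


def analyze(text, start_iso, update_iso, end_iso, factor=3.0):
    """Convenience wrapper taking ISO dates; window bounds are assumptions."""
    return noisy_signatures(parse_events(text), date.fromisoformat(start_iso),
                            date.fromisoformat(update_iso), date.fromisoformat(end_iso), factor)


if __name__ == "__main__":
    # Assumed window: a month before the April 16 update, two weeks after.
    for sig, name, ratio, hosts in analyze(SAMPLE_EVENTS, "2012-03-16", "2012-04-16", "2012-04-30"):
        print(f"sig {sig} ({name}): {ratio:.1f}x pre-update rate on {hosts} hosts")
```

Run against a real export, a signature that jumps on many hosts at once right after the content date is worth raising with support; one that only jumps on a host or two is more likely the home-grown application or admin script the first reply suggests. The ratio is deliberately computed per day so that unequal window lengths do not skew the comparison.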

        • 1. Re: Issues with signature 1266

          I would recommend favoriting the link below and reviewing it daily for any changes to signatures. Generally this is on a monthly release cycle, but there are instances where new signatures are added or existing ones altered based on the existing threat landscape or reported issues with existing content.

           

          http://www.mcafee.com/us/content-release-notes/host-intrusion-prevention/index.aspx

           

          As for signature 1266 being changed in either the 4/10 or 4/16 release, I verified for you and did not see any listed changes. I also checked through my HIPS threat events over the last month and only had 3 listed, but every environment varies. My best guess is you are seeing something that may be a home-grown application or admin script causing this activity.

           

          Regarding the triggering of signatures with existing exceptions in place, I have been seeing this myself. I currently have a ticket open and, pending MER data on my end, I should hopefully have an answer forthcoming. Just to be safe though, make sure your syntax is correct by referencing the support guide. I recently fixed a few that I entered in error, so it happens.

           

          Good luck!

          • 2. Re: Issues with signature 1266

            For anyone still interested in this, we put in a service request to McAfee Platinum support and it turns out there is a known issue in HIPS 7.0 where the advanced details of one signature merge with another signature, which suddenly makes an exception more restrictive than it used to be.

             

            Usually just re-saving the exception clears up the problem - I guess HIPS sees the act of re-saving the policy as a policy change (even though nothing actually changed) and re-pushes the exception again.

             

            McAfee isn't going to fix this for HIPS 7.0; it'll require an upgrade to HIPS 8.0 to resolve the problem.

            • 3. Re: Issues with signature 1266

              That sounds interesting but is a bit vague. When you say merge, are you referring to the database tables on the back end? Or does this issue only manifest itself locally on the client?

               

              To further my comment from earlier, investigation in our environment has shown that the issue may lie with how the CMA is applying policies locally on the host but not something that is systemic.

               

              Typical answer though, just upgrade to the latest version and all will be well... I don't recall seeing any specific enhancement or fix detailed in the HIPS 8 RTW or Patch 1 release notes regarding signature rule sets merging.

              • 4. Re: Issues with signature 1266

                In the support request we did, it was determined that the advanced details of one exception we had created for sig 3809 had somehow merged with the exception we had made for signature 990, which had no advanced details configured. This made sig 990 much more restrictive than it was supposed to be.

                 

                Technically I'm not sure how they "merged"; the exception when viewed in ePO looked the way it was supposed to look; it "merged" somehow in the background and the way it was applied to our systems.