1752 Views 3 Replies Latest reply: Dec 10, 2012 3:48 PM by Kary Tankink
davsanto Newcomer 18 posts since
Oct 28, 2008

Jul 27, 2012 1:59 PM

HIPS 8 Generic Signatures

Attempting to create a whitelist rule as described in KB71794.

 

Enabled Host IPS Signature 6011 and created a specific exception rule.

 

While Signature 6011 blocks many executables, it does not block other executables.

 

And there are no exceptions created for this executable.

 

My understanding is that this signature will block all executables except the ones in the exception rules.

 

This is not the case.

 

Any insight is appreciated.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    1. Jul 27, 2012 5:49 PM (in response to davsanto)
    Re: HIPS 8 Generic Signatures
    My understanding is that this signature will block all executables except the ones in the exception rules.


    Not all executables will be blocked. Any executables listed in the Trusted Applications policy will be allowed to run. Any other executables that you need to allow to run, you should create an IPS exception for those executables and Signature 6011. Also please note Host IPS Best Practices for policy assignments in the Product Guide.

     

    PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

    https://kc.mcafee.com/corporate/index?page=content&id=PD22894

     

    Page 37

     

    Assigning multiple instances of the policy

    Assigning one or more instances of the policy to a group or system in the ePolicy Orchestrator System Tree provides for single policy multi-purpose protection.

    The IPS Rules policy and the Trusted Applications policy are multiple-instance policies that can have more than one instance assigned. A multiple-instance policy can be useful for an IIS Server, for example, where you might apply a general default policy, a server policy, and an IIS policy, the latter two configured to specifically target systems running as IIS servers. When assigning multiple instances, you are assigning a union of all the elements in each instance of the policy.

    NOTE: The McAfee Default policy for both IPS Rules and Trusted Applications are updated when content is updated. McAfee recommends that these two policies always be applied to make sure protection is as up to date as possible.

  • kenobe Apprentice 90 posts since
    Mar 15, 2012
    2. Dec 10, 2012 3:34 PM (in response to Kary Tankink)
    Re: HIPS 8 Generic Signatures

    I, too, tried putting the executable to be allowed in the IPS policy exceptions for signature 6011 - made no difference as well.   HIPS 8 blocked it every time, with a 6011 signature block.

     

    I also put the executable into the Trusted Apps policy and still got a pop-up  blocking for 6011.

     

    HIPS 7 file blocking was SO much easier.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    3. Dec 10, 2012 3:48 PM (in response to kenobe)
    Re: HIPS 8 Generic Signatures
    I also put the executable into the Trusted Apps policy and still got a pop-up  blocking for 6011.


    Trusted Applications do not bypass Signature 6011 (as well as others).   See:

     

    KB71704 - Host Intrusion Prevention Trusted Applications defined
