2 Replies Latest reply on Sep 12, 2012 11:28 AM by kenobe

    HIPS 7 and 8 Question - Blocking/Reporting Hashes

    kenobe

      All, I know the functionality is in place to block hashes with HIPS.  The question is this - can I set HIPS to only REPORT on a hash, when found, and NOT block it?

       

      Thanks, Ken

        • 1. Re: HIPS 7 and 8 Question - Blocking/Reporting Hashes
          Kary Tankink

          With HIPS 7.0, you would use the Application Blocking module, but it has no LOG ONLY function (only BLOCK or ALLOW).

           

          With HIPS 8.0, you would be using a custom Host IPS signature (see KB below), and you can set this signature to a LOG only severity, but it requires you to set a Protection Policy to LOG.  Example: Set the Protection Policy for LOW severity signatures to LOG; however, this will activate all LOW severity signatures to log.  If you do not wish to use any of the LOW severity signatures, you'll need to modify all other LOW severity signatures and set their Severity level to DISABLED.  Basically, you'd have all LOW severity signatures disabled, except for your custom IPS signature for app blocking by hashes.

           

           

          KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature