11 Replies Latest reply on Apr 5, 2012 7:40 AM by ron.sokol

    HIPS Tuning Recommendations

      Hi,
      I'm currently trying to tune the McAfee HIPS. I've enabled blocking for all High severity signatures and I'm currently trying to determine if Medium severity signatures should also be blocked. I've identified the top 7 as follows:

      Outlook Envelope - Abnormal Program Execution - Count: 430
      Outlook Envelope - Dangerous File Creation - Count: 300
      IE Envelope - Abnormal Program Execution - Count: 215
      IE Envelope - Execution of Temp. Internet Files - Count: 215
      Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability - Count: 151
      Adobe Reader Plug-in Cross-Site Scripting Vulnerability - Count: 140
      Microsoft Outlook VEVENT Vulnerability - Count: 70

      Unfortunately, almost all of the above provide me with very shallow logging. For example, the Outlook Envelope - Abnormal Program Execution signature does not even provide me with which application or executable was blocked, so I can't really determine the severity of the event.

      Is there any way to enable more detailed logging? Also, are there any general recommendations / resources for HIPS tuning (as the documentation is quite shallow regarding this topic)? Thank you for your help.

      PS. I can't automatically block all of the above without understanding the associated severity as this may be triggered by unusual but legitimate usage (false positive).
        • 1. Re: HIPS Tuning Recommendations
          ron.sokol

          Clearly, the lack of response here shows that we're not spending enough time tuning, or perhaps enhanced mode readiness, or maybe we're all just going it alone. I have an idea, and I thought about posting it in 'ideas' but instead I'm going to do it...let's continue the discussion of tuning and false positives and hopefully get a database or knowledgebase of common exclusions made in HIPS by various admins. If you know of a place where this is being done, let me know! I don't really think it is.

           

          I have asked McAfee to have better out of the box tuning in place because by default, lots of SQL server events are blocked that are in common usage in corporate environments, and they require a lot of tuning/labor. The events you list above are also the most common in my environment on workstations, and when I recently attended HIPS training, they are the top events showing in their screenshots as well. So McAfee should know there is a need. I also recommended they collect the information on top blocks/detections and consolidate it for a sort of threat intel database, where they can see the numbers of false positives and perhaps update their canned policies where appropriate.

           

          But for the moment, I humbly submit my HIPS false positive du jour:

          Event Category:Network intrusion detected
          Event ID:18001
          Threat Severity:Critical
          Threat Name:2231

          Vulnerability in SMB could allow remote code execution.

          This is to me a false positive caused by the method of connection from Mac and ESX hosts to my Windows 2003 domain controllers.  I have excluded the detection for my DCs.

          • 2. Re: HIPS Tuning Recommendations

            HIPS tuning (or any point product tuning) is an intimate process that melds knowledge of the mission environment and business impacts with knowledge of applications, operating systems, and the IT environment. The trouble with false positives is that they can usually indicate a larger problem, misconfiguration or communication issue. The same train of thought applies to vulnerability scanners, and talk of false positives usually meant a scanner was not working properly (bad credentials, poor placement on the network, etc.). On top of all that, no two environments are the same...I'm sure McAfee handles true false positives through HIP content updates.

             

            I'll share my methodology for HIPS tuning. While the ePO console for viewing HIPS events is OK, I prefer events via email. Specifically, one event per system. There is no other way to truly see the real-time flow of events, the effects of proper tuning or the coordination between an event trigger and the operational IT landscape. While proper tuning should be invisible, if you are embedded with an IT group you may hear (or overhear) a conversation directly related to a recent event. Sometimes the truth hurts, like coming back from lunch to 4000 new events (use a separate mailbox!). But in reality, it may be one event triggering on the same file across thousands of systems. Create the trusted application or exception, do a wake up call and clear the mailbox. You may see the same event ID again but different user, file path, 64-bit executable vs. 32-bit, etc. I say, if the event occurs across multiple systems with the same event ID, app and user then create a trusted application. If it is a one-off (specific application or you are concerned with the security risk) create an exception with all the specifics intact. It's easy to create either right from the HIPS console, and easier still to turn an exception into a trusted application.

             

            I don't think there is a one-size-fits-all methodology to tuning, especially if you don't have the benefit of a new rollout (as in it's already rolled out!).

             

            Good luck!
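The triage rule described in reply 2 (same event, application and user across multiple systems versus a one-off) can be sketched as follows. This is an added example, not code from the post or from McAfee; the CSV column names, the sample rows and the `MIN_HOSTS` cut-off are assumptions, and a real ePO export would need its own field mapping.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are hypothetical, not an ePO export schema.
SAMPLE_EVENTS = r"""host,signature,executable,user
WS-0101,532,C:\Program Files\Acme\sync.exe,NT AUTHORITY\SYSTEM
WS-0102,532,C:\Program Files\Acme\sync.exe,NT AUTHORITY\SYSTEM
WS-0102,532,C:\Program Files\Acme\sync.exe,NT AUTHORITY\SYSTEM
WS-0103,532,C:\Program Files\Acme\sync.exe,NT AUTHORITY\SYSTEM
WS-0103,532,C:\Program Files (x86)\Acme\sync.exe,NT AUTHORITY\SYSTEM
WS-0200,9999,C:\Users\bob\AppData\Local\Temp\setup.exe,CORP\bob
"""

MIN_HOSTS = 3  # assumed cut-off for "multiple systems"; tune per environment


def triage(csv_text, min_hosts=MIN_HOSTS):
    """Group events by (signature, executable, user) and suggest a rule type."""
    hosts = defaultdict(set)
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Paths are compared case-insensitively, but a 32-bit and a 64-bit
        # install path remain separate groups, as the post points out.
        key = (row["signature"], row["executable"].lower(), row["user"])
        hosts[key].add(row["host"].upper())
        counts[key] += 1

    results = []
    for key, host_set in hosts.items():
        suggestion = ("trusted application" if len(host_set) >= min_hosts
                      else "exception (keep all specifics)")
        results.append({"signature": key[0], "executable": key[1],
                        "user": key[2], "events": counts[key],
                        "hosts": len(host_set), "suggestion": suggestion})
    # Widest-spread groups first, so one file firing fleet-wide tops the list.
    return sorted(results, key=lambda r: (-r["hosts"], -r["events"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["hosts"]:>3} hosts {r["events"]:>4} events  sig {r["signature"]:<5}'
              f' {r["suggestion"]:<31} {r["executable"]} ({r["user"]})')
```

Counting distinct hosts rather than raw events keeps a single chatty machine from looking like a fleet-wide pattern.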

            • 3. Re: HIPS Tuning Recommendations
              ron.sokol

              Here's another one I just made.  It's the Windows Server Update Services (WSUS) client.  I created an exclusion in the HIPS rule for the affected systems on reports that servers become unresponsive after the patch maintenance window.  No threat events are logged on the HIPS 8 RTM hosts (I suspect an issue with this and am rolling out patch 1.  Disabling the BO engine avoids the problem in most cases.  I use an automation to disable BO by policy and re-enable post window.)

               

              Exception Name: Windows Update Process wuauclt.exe

              Status: Enabled

              Signature: (blank for all)

              Executable: C:\Windows\System32\wuauclt.exe

               

              I would like to further secure this policy, but I'm not sure how to get the signer information or the fingerprint.  Any ideas?

               

              • 4. Re: HIPS Tuning Recommendations
                Kary Tankink

                ron.sokol wrote:

                 

                I would like to further secure this policy, but I'm not sure how to get the signer information or the fingerprint.  Any ideas?

                 


                See:

                KB71205 - How to obtain executable information for Host Intrusion Prevention 8.0 using the ClientControl.exe utility

                • 5. Re: HIPS Tuning Recommendations
                  ron.sokol

                  Thanks for this reminder, Kary!  I knew that tool was good for something beyond making HIPS logs human readable

                  • 6. Re: HIPS Tuning Recommendations
                    rangerlj

                    U can set log level to info....

                    • 7. Re: HIPS Tuning Recommendations

                      Hi all,

                       

                      Question with regard to Ron's submission of "last month's false positive" ;-): Based on your advice, I went looking, and see the events popping up over the last months, very limited and typically only for a handful of laptops, typically outside of office hours (assumption: Corp. Laptop used on home network).

                       

                      The pattern I get is 1 18001(2231) event every 30-31 minutes. Is that in line with what you observed? The port used is 445, I am a bit cautious there, because it might also be a Conficker infection on another (private) PC of that employee (uses also port 445).

                       

                      Please come back with some more details if you have this on hand?

                       

                      Kr.

                      OJ.
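One way to check whether events follow the fixed cadence described in reply 7 (one event every 30-31 minutes) is to compare the gaps between consecutive events per host. This is an added example, not part of the thread; the host names, timestamps, tolerance and minimum event count are constructed assumptions. A regular interval points to an automated source rather than user activity, but does not by itself say what that source is.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: (host, timestamp) pairs for event 18001 / signature 2231.
SAMPLE = [
    ("LAPTOP-A", "2012-03-01 19:02:10"),
    ("LAPTOP-A", "2012-03-01 19:32:41"),
    ("LAPTOP-A", "2012-03-01 20:03:05"),
    ("LAPTOP-A", "2012-03-01 20:33:50"),
    ("LAPTOP-B", "2012-03-01 09:15:00"),
    ("LAPTOP-B", "2012-03-01 09:17:30"),
    ("LAPTOP-B", "2012-03-01 13:40:12"),
    ("LAPTOP-B", "2012-03-01 13:41:00"),
]


def cadence(events, tolerance_s=120, min_events=4):
    """Per host: is the gap between consecutive events roughly constant?"""
    by_host = defaultdict(list)
    for host, ts in events:
        by_host[host].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    report = {}
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_events:
            # Too few samples to say anything about a pattern.
            report[host] = {"regular": False, "median_min": None}
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Regular means every gap sits within the tolerance of the median gap.
        regular = all(abs(g - mid) <= tolerance_s for g in gaps)
        report[host] = {"regular": regular, "median_min": round(mid / 60, 1)}
    return report


if __name__ == "__main__":
    for host, info in sorted(cadence(SAMPLE).items()):
        print(host, info)
```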

                      • 8. Re: HIPS Tuning Recommendations
                        ron.sokol

                        Hey, OJ.  In my environment I was seeing this exclusively on Domain Controllers from various non-Windows hosts (ESX hosts, Macintoshes).  I was getting several hundred per day from a universe of maybe 100 machines fitting the non-Windows criteria.  Historically, I'd seen this false positive with another product (ISS HIPS) so I knew that it was possibly something different about the expected format of the SMB traffic from these non-Windows hosts.  I can confirm the SMB is port 445.  It might be worthwhile to open a case or to try the packet capture feature to really be sure.

                        • 9. Re: HIPS Tuning Recommendations
                          ron.sokol

                          Here's one I wonder if you folks have seen:

                          Event Category:File system
                          Event ID:18000
                          Threat Severity:Warning
                          Threat Name:532
                          Threat Type:Execute

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  

                          Drive Type: HardDrive
                          ePO Reachable: True
                          Executable file description: MS DTCCONSOLE PROGRAM
                          Executable fingerprint: 2eaa1763a77be385b9a71a843c7f159e
                          Files: C:\Program Files\McAfee\Host Intrusion Prevention\HcApi.dll
                          In Trusted Network: Unknown
                          Subject Distinguished Name: CN=MICROSOFT WINDOWS COMPONENT PUBLISHER, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
                          Subject Organization Name: MICROSOFT CORPORATION

                          It's odd that the MSDTC exe would be accessing a HIPS DLL.  Any experience here?
