Hi, I'm trying to set up application blocking using HIPS and have followed
KB71794 ( https://kc.mcafee.com/corporate/index?page=content&id=KB71794 ) - To create an application blocking rules policy to prevent an executable from running (black list):
I have created the policy on the ePO server, set it as High priority (and on the IPS Protection policy, High is set to Prevent), and assigned it to both a server and a workstation. Both clients report receiving a new policy package and enforce it; however, I can still run the application that I have blocked in the policy (as a test I am blocking notepad.exe and calc.exe).
No agent event is created; it's as if HIPS isn't seeing the signature at all. I also have previous custom signatures that monitor the hosts file for write actions, and if I set the severity level of this to High - Prevent, I am still able to open the hosts file, modify it and save it. Again, HIPS takes no action when the severity is set to High - Prevent (although it does at least log it this time).
Any ideas? Am I missing something? Both myself and a colleague have sat and looked at this and as far as we are concerned everything is set as per the KB article.
Message was edited by: StefanT on 27/11/12 13:22:40 GMT
I initially found out the problem: within the rule I had set the Rule Type to Program, entered the file name and that was it. What I discovered was that I had to toggle the inclusion status to Exclude, and it blocked the file from being executed, or so I thought. It turns out that if I add an executable and set the inclusion status to Exclude, it blocks all executables from being run!
I'm lost now. I've followed the very vague KB article mentioned above, but I either get nothing blocked or everything blocked, executable-wise!?
I did open an SR and close it again when I thought I'd cracked it.