2 Replies Latest reply: Dec 6, 2012 8:40 AM by StefanT

    HIPS 8 Doesn't Block Applications


      Hi, I'm trying to set up application blocking using HIPS and have followed


      KB71794 ( https://kc.mcafee.com/corporate/index?page=content&id=KB71794 ) - How to create an application blocking rules policy to prevent an executable from running (blacklist):


      I have created the policy on the ePO server, set it as High priority, and on the IPS Protection policy High is set to Prevent. I assigned it to both a server and a workstation; both clients report receiving a new policy package and enforce it. However, I can still run the application that I have blocked in the policy (as a test I am blocking notepad.exe and calc.exe).


      No agent event is created; it's as if HIPS isn't seeing the signature at all. I also have previous custom signatures that monitor the hosts file for write actions, and if I set the severity level of this to High - Prevent, I am still able to open the hosts file, modify it and save it. Again HIPS takes no action when the severity is set to High - Prevent (although it does at least log it this time).


      Any ideas? Am I missing something? Both myself and a colleague have sat and looked at this, and as far as we are concerned everything is set as per the KB article.




      Message was edited by: StefanT on 27/11/12 13:22:40 GMT
        • 1. Re: HIPS 8 Doesn't Block Applications
          Kary Tankink

          You may want to open a Service Request with Support, so your custom signature and policies can be reviewed (privately). 

          • 2. Re: HIPS 8 Doesn't Block Applications

            I initially thought I had found the problem: within the rule I had set the Rule Type to Program, entered the file name and that was it. What I discovered was that I had to toggle the inclusion status to Exclude, and it blocked the file from being executed, or so I thought. It turns out that if I add an executable and set the inclusion status to Exclude, it blocks all executables from being run!


            I'm lost now. I've followed the very vague KB article mentioned above, but I either get nothing blocked or everything blocked, executable-wise!?


            I did open an SR and closed it again when I thought I'd cracked it.