Is anyone else having problems with signature 6015 since upgrading to HIPS 8 Patch 2? On my test system, I have found that as soon as I install Patch 2, signature 6015 goes nuts, blocking Outlook.exe, communicator.exe (Office Communicator), and rundll32.exe. Outlook and OCS don't even start; this signature blocks them as soon as they are invoked.
I have tried making exceptions for these, but so far nothing works, and they just get blocked. The only thing that has worked is unlocking the HIPS UI and disabling IPS (or disabling the signature itself).
I'm running the following:
Windows 7 32-bit
McAfee Agent 126.96.36.1994
HIPS 188.8.131.529 (Patch 2)
HIPS Content 184.108.40.20634
Please open a Support Request with McAfee Support. This signature has been updated a few times for false positives, but an IPS exception should work, if you created one, which Support can review.
From the October 2012 Content Release Notes:
[Updated] Signature 6015: Suspicious Function Invocation –Target Address Mismatch
- Signature is modified to reduce False Positive.
they just updated it again yesterday in the HIPS content update. sounds like a real winner.
We just received the content update, and suddenly, we see zero events for this today. It looks like this signature was broken in the October 2012 content release. I can come up with no other explanation than this. It makes absolutely no sense.
December 11, 2012
[Updated] Signature 6015: Suspicious Function Invocation - Target Address Mismatch
- Signature has been modified to reduce the false positives.
Thanks Kary. It looks like you're correct. The signature malfunctioned as a result of the October content release, but was fixed in the December release.