I am preparing to move from HIPS 7 in basic protection to HIPS 8 P2. I am planning on going to Enhanced protection. I have about a dozen machines running now with Enhanced in Warn mode. What I am seeing is a lot of buffer overflows, suspicious function, and other alerts from basic Microsoft products: IEXPLORE.exe, explorer.exe, winlogon.exe and outlook.exe. Today I even have Windows Activation setting off alerts. Is it common for MS products to have a lot of alerts that I need to tune for? My biggest concern is that we have been compromised and I write exception rules for the compromise.
Some of these violations might be due to third-party software (e.g., Iexplore.exe violations sometimes occur due to 3rd-party plugins and extensions). Each violation should be analyzed to determine if an IPS exception is applicable (e.g., if an IPS violation occurs referencing an OS/software vulnerability that has or has not been patched).
I can see IEXPLORER.exe being impacted by 3rd parties, but Winlogon or Windows Activation seems unlikely.
Can you point me to some good books or tools to do the analysis you suggest? Or even a good checklist of questions to ask?
Check this KB, Herb.
KB73399 - FAQs for Host Intrusion Prevention 8.0
Client IPS/FAQ - IPS Events
Client Firewall/FAQ - FW Rules Assistance
That list is pretty general and applies to all rules. I am specifically worried about buffer overflows. For Winlogon.exe, Event ID 18000, threat 985. It happens on a few machines but not all, though they have identical images. On one machine it was happening dozens of times a day for months. The machine was replaced, same image, same minimal apps installed, same usage pattern. No events.
22 buffer overflows in the last 40 days from our streaming image machines. Buffer overflow, Event ID 18000, threat 6013, when running WATADMINSVE.EXE (Windows Activation Service). I have 1500 of these machines. Every time they are booted they stream down a new fresh image to memory from the central server. I know of no reason they would even be running Windows Activation, as the image should have been activated prior to deploy. But then all 1500 should behave identically.
None of the buffer overflow ones I have seen so far have a CVE associated. I have other alerts with CVEs, but that is another topic and discussion.
It just seems strange that I would see buffer overflows from core MS programs. I see some of the ones for Windows Explorer on multiple but not all machines, but always for the same 3 or 4 API calls. I even see events from IE and Chrome making the same API calls.
I am just two weeks into actively tuning on only a dozen machines. I am already on my second page of exception rules.
In looking at the KB, everything is going to fall through to item 13, and that will be very, very time consuming. And again, where do I find guidance on reading those logs? VSE is not reporting any issues with any of the machines. Our perimeter monitors are all quiet for these machines, multiple layers, McAfee and non-McAfee. Patches have been deployed monthly, but in a large organization one can never assume that 100.00000% of machines have the patches. HIPS rules must always assume that at least one machine missed the patches and that will be the one the bad guys use for their beachhead into the company.
I have no feel for what is normal. I would like to get a feeling from other admins of what the real world is like. I need to gather info so I can be as efficient as possible in reviewing the events. Spending hours per event is not going to be a solution.
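The reasoning in the post above (the same signature firing on a few identically imaged hosts but not others, one host producing dozens of events a day, a signature that is always the same 3 or 4 API calls across the fleet) can be turned into a first triage pass over an exported event list instead of reading events one at a time. The script below is an added example written for this thread; it is not McAfee code and it does not reproduce the real HIPS/ePO export format. The column names (host, process, event_id, signature_id, api), the host names, the API names and the bucket thresholds are all assumptions made up for the illustration, and the sample events are constructed to mirror the pattern described in the post.

```python
import csv
import io
from collections import Counter, defaultdict

# Column names are an assumption for this example; map your own HIPS/ePO
# export's columns onto them before using it on real data.
FIELDS = ("host", "process", "event_id", "signature_id", "api")


def parse_csv(text):
    """Read an event export (CSV text with a header row) into dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def make_sample():
    """Constructed events mimicking the thread's pattern (not real data).
    Host names, counts and API names are made up for illustration."""
    rows = []

    def add(host, proc, sig, api, n):
        rows.extend(
            {"host": host, "process": proc, "event_id": "18000",
             "signature_id": sig, "api": api}
            for _ in range(n)
        )

    add("ws001", "winlogon.exe", "985", "NtCreateThread", 40)   # one noisy host
    add("ws002", "winlogon.exe", "985", "NtCreateThread", 1)
    for h in range(1, 9):                                       # same API fleet-wide
        add(f"ws{h:03d}", "explorer.exe", "6010", "LoadLibraryW", 2)
    add("ws003", "WATADMINSVE.EXE", "6013", "VirtualProtect", 1)
    add("ws007", "WATADMINSVE.EXE", "6013", "VirtualProtect", 1)
    return rows


def summarize(events, fleet_size):
    """Aggregate by (process, signature, API): how many hosts fire it,
    what fraction of the fleet that is, and how concentrated the volume is."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["process"], e["signature_id"], e["api"])].append(e["host"])
    stats = {}
    for key, hosts in groups.items():
        per_host = Counter(hosts)
        total = sum(per_host.values())
        top_host, top_n = per_host.most_common(1)[0]
        stats[key] = {
            "events": total,
            "hosts": len(per_host),
            "host_fraction": len(per_host) / fleet_size,
            "top_host": top_host,
            "top_host_share": top_n / total,
        }
    return stats


def classify(stat, broad_fraction=0.25, concentrated_share=0.8, min_events=10):
    """Heuristic buckets (thresholds are assumptions; tune them to your fleet):
    widespread   - fires on a large share of identically imaged hosts; the
                   signature is a candidate for an exception once you have
                   confirmed the vulnerability it references is patched.
    concentrated - most of the volume comes from one host; compare that host
                   to a clean one before writing any exception.
    sparse       - too little data to decide; keep watching."""
    if stat["host_fraction"] >= broad_fraction:
        return "widespread"
    if stat["events"] >= min_events and stat["top_host_share"] >= concentrated_share:
        return "concentrated"
    return "sparse"


def triage(events, fleet_size):
    """Return {(process, signature_id, api): (verdict, stat)}, noisiest first."""
    stats = summarize(events, fleet_size)
    return {k: (classify(v), v)
            for k, v in sorted(stats.items(), key=lambda kv: -kv[1]["events"])}


if __name__ == "__main__":
    for (proc, sig, api), (verdict, s) in triage(make_sample(), fleet_size=12).items():
        print(f"{verdict:12} {proc:18} sig {sig:>5} {api:16} "
              f"events={s['events']:3} hosts={s['hosts']:2} "
              f"top={s['top_host']} ({s['top_host_share']:.0%})")
```

With the constructed sample and a fleet of 12, the winlogon.exe signature lands in "concentrated" (one host carries 40 of 41 events), the explorer.exe signature lands in "widespread" (8 of 12 hosts, always the same API), and the Windows Activation signature is "sparse". The point of the split is to decide what to look at first: a widespread signature on identical images is the one to check against the patch state of the referenced vulnerability before writing an exception, while a concentrated one is the host to diff against a quiet twin, exactly the replaced-machine comparison described above. The buckets are a prioritisation aid, not a verdict; "widespread" does not by itself prove the events are benign.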
Forgive me for intruding into this thread, I usually stick to the Consumer section. But the question about HIPS and buffer overflows came up in this week's conference call, specifically in relation to Microsoft products.
Intrusion Protection has recently been added to the Consumer products, and I understand that the code was copied over from the Corporate product (which here I take to be HIPS) without any changes.
The default and recommended setting for Intrusion Protection in Consumer is Basic, and at that level there are very few Buffer Overflow alerts. If, however, the level is set to High then these alerts occur very frequently, and usually in relation to Microsoft programs - Word, Excel, and Internet Explorer. Posters to the Consumer section have been asking about these alerts for several weeks, but until recently I had not seen one. Then I enabled Intrusion Protection. I saw six of these alerts for Internet Explorer within a few hours after setting the detection level to High; since resetting the level to Basic I have seen none.
Certainly Microsoft have patched very many buffer overflow vulnerabilities in their code, and McAfee adds detection for each of these vulnerabilities as a precaution. Possibly the High setting is causing each detection of a potential (rather than actual) overflow to be flagged regardless of whether Microsoft has patched it or not.
I don't know if any of that is helpful to you, but at least you're not alone in wondering why Intrusion Protection is so sensitive on the High setting that it produces some false positive alerts.
Thank you for your excellent response. This was very helpful. This kind of information helps me understand how much is unique to my installation and how much is a general pattern.
When I was looking deeper into the rules for the alerts, I found that many of them are new to HIPS 8 P2. This raises the possibility that engineering got a little too aggressive. When I combine your info, the fact the rules are new, and that all our other monitors show no issues, I get a little more comfortable writing exceptions.
I would still be interested in the experience of others with Enhanced protection for IPS in HIPS 8.