1475 Views 7 Replies Latest reply: Mar 1, 2013 2:38 PM by greatscott
cakeboss Newcomer 26 posts since
Oct 24, 2012
Jan 31, 2013 12:07 PM

IPS Not Triggering Events

I'm currently having trouble with the IPS portion of HIPS. It is currently deployed in adaptive mode to 20 systems, but no events are triggering and no rules have been created (we've been monitoring both the events in ePO and the HIPS UI on the local machine). I've tried testing by going so far as to enable blocking highs and trying a double file extension execution, but the activity is not blocked nor logged. The firewall portion is working as intended, creating dynamic rules and triggering events. I'm not really sure where to go from here. Any ideas?

HIPS policy configuration:

Options - Host IPS enabled, adaptive mode enabled
Protection - Log high severity only
Rules - My default and McAfee default

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009
    3. Jan 31, 2013 10:47 PM (in response to cakeboss)
    Re: IPS Not Triggering Events

    Don't use Adaptive mode with IPS. You really do NOT want to create exceptions. If you really want to see what it is going to do then change Prevent to Log. Start with High and then move onto Medium.

    Low severity isn't really what you want. Pretty much no one uses that content. Though occasionally you might promote one to medium.

  • hbssadmin Newcomer 28 posts since
    Jul 18, 2012
    4. Feb 5, 2013 9:00 PM (in response to cakeboss)
    Re: IPS Not Triggering Events

    I found this on this community: https://community.mcafee.com/message/212795

    Thanks to Mr Kary Tankink.

    Create a file with a double extension <filename>.com.exe

    If your Host IPS IPS Protection policy is set to HIGH: PREVENT, and Signature 413 is set to HIGH Severity, then executing a file named <filename>.com.exe will trigger this signature.

    I use this all the time (on Win7 64-bit) to trigger violations by executing notepad.com.exe or putty.com.exe, etc., for testing purposes.

  • greatscott Champion 287 posts since
    Jul 18, 2011
    5. Feb 8, 2013 9:16 AM (in response to cakeboss)
    Re: IPS Not Triggering Events

    I would not put your stuff into adaptive. I would probably log all, and look for blocks and do what you please with them.

    Furthermore, for the 413 IPS Signature, we have found the McAfee signature to be pretty bad at detecting double file extensions. We created a custom and it pretty much catches everything.

    Message was edited by: greatscott on 2/8/13 9:16:11 AM CST
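The test hbssadmin describes (executing notepad.com.exe to trip signature 413) and the custom signature greatscott mentions both come down to one check: does the last extension of the launched image make it executable while the extension before it makes the name look like a document or image? The block below is an added example, not code from this thread, from McAfee or from Host IPS. Host IPS custom signatures are written in McAfee's own rule syntax, so this Python stands in for the matching logic so it can be reasoned about and tested offline; it runs the check over constructed process-creation log lines whose format is invented here. The extension sets, the log format and all host and file names are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Extensions Windows runs directly when the file is launched. This set is an
# assumption chosen for the example, not the list behind McAfee signature 413.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}

# Harmless-looking extensions that may be placed before the real one so the
# name reads as a document or image (also an assumption for this example).
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "jpg", "jpeg", "png", "gif", "zip", "rar", "mp3", "htm", "html"}

# stem.decoy.real, with both extensions limited to short alphanumeric tokens.
DOUBLE_EXT_RE = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[a-z0-9]{1,4})\.(?P<real>[a-z0-9]{1,4})$"
)

# Fields of the constructed log format used in SAMPLE_LOG below.
IMAGE_RE = re.compile(r'image="([^"]+)"')
HOST_RE = re.compile(r"\bhost=(\S+)")


def basename(path: str) -> str:
    """Final path component, lower-cased, for either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(path: str) -> Optional[Dict[str, str]]:
    """Return the decoy and real extensions when the file name is a double
    extension whose last part is executable, else None."""
    m = DOUBLE_EXT_RE.match(basename(path))
    if not m:
        return None
    decoy, real = m.group("decoy"), m.group("real")
    if real not in EXECUTABLE_EXTS:
        return None          # e.g. archive.tar.gz: two extensions, not executable
    if decoy not in DECOY_EXTS and decoy not in EXECUTABLE_EXTS:
        return None          # e.g. setup.v2.1.exe: a version tag, not a disguise
    return {"decoy": decoy, "real": real}


def is_double_extension(path: str) -> bool:
    return classify(path) is not None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per process-creation line whose image is a
    double-extension executable."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        if "event=process_create" not in line:
            continue
        img = IMAGE_RE.search(line)
        if not img:
            continue
        hit = classify(img.group(1))
        if hit is None:
            continue
        host = HOST_RE.search(line)
        alerts.append({"host": host.group(1) if host else "?",
                       "image": img.group(1), **hit})
    return alerts


# Constructed sample events; the format is invented for this example and is
# not real ePO or Host IPS output.
SAMPLE_LOG = [
    r'2013-02-08 09:16:11 host=WKS01 event=process_create image="C:\Users\jdoe\Downloads\notepad.com.exe"',
    r'2013-02-08 09:16:12 host=WKS01 event=process_create image="C:\Windows\System32\notepad.exe"',
    r'2013-02-08 09:17:03 host=WKS02 event=process_create image="C:\Users\asmith\Desktop\putty.com.exe"',
    r'2013-02-08 09:18:40 host=WKS03 event=process_create image="C:\Temp\invoice.pdf.exe"',
    r'2013-02-08 09:19:15 host=WKS03 event=process_create image="C:\Installers\setup.v2.1.exe"',
    r'2013-02-08 09:20:00 host=WKS04 event=process_create image="C:\Users\bkim\Documents\photo.jpg.scr"',
    r'2013-02-08 09:21:30 host=WKS04 event=file_open image="D:\Backups\archive.tar.gz"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["host"]}: {a["image"]} (looks like .{a["decoy"]}, runs as .{a["real"]})')
```

Requiring the decoy extension to be on a known list is what keeps dotted version strings such as setup.v2.1.exe from alerting; the trade-off is that a disguise extension not on the list is missed, so the list is the part to tune against the file names seen in your own environment.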
  • greatscott Champion 287 posts since
    Jul 18, 2011
    7. Mar 1, 2013 2:38 PM (in response to cakeboss)
    Re: IPS Not Triggering Events

    Not related.
