1 Reply Latest reply on Mar 4, 2013 8:39 AM by jesperdb

    HIPS exception rule still getting triggered and mailed.

    jesperdb

      Hey Guys

      I'm getting annoyed by this false positive we have in our environment.

      HIPS is triggering on event ID 2640, because we run a program from a folder other than the Program Files folder.

      I've tried to make several exceptions on the exact fingerprints for both the executing application and the source application; none have had any success yet.

      The event ID is triggered on all of the servers we have in the farm, so I've removed the "Workstation Name" from the exception.

      But I'm still getting mails from our automatic response about the HIPS event.

      How do I successfully sort these false positives out so I don't receive a notification every time?

      Here's the exception:

      IE Envelope - Abnormal Program Execution

                ruleId = <RULE NAME HERE>:IE Envelope - Abnormal Program Execution          :626bb60a-ab32-489d-a9d7-0f1ffac790d5

                enabled = TRUE

                isAdmin = TRUE

                readonly = TRUE

                blocked = FALSE

                createdManually = FALSE

                sigNum = 2640

                userName =

                groupName =

                groupSid =

                includeAllSignatures = FALSE

                includeAllUsers = TRUE

                includeAllProcesses = FALSE

                createdTime = 1970-01-01T01:00:00.000+0000

                modifiedTime = 1970-01-01T01:00:00.000+0000

                advanced details: none

                numExecutableDetails = 0

                executable details:

                          executable:

                                    executableType = Standard

                                    Path = C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE

                                    description = INTERNET EXPLORER

                                    signer = CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

                                    Hash = 257A60600A56C42ADF146AA9F8A8CD18

                          executable:

                                    executableType = Target

                                    Path = D:\SYSTEM\TSS\PROGRAMS\ACROBATREADER10\READER\ACRORD32.EXE

                                    description = ADOBE READER

                                    signer = CN="ADOBE SYSTEMS, INCORPORATED", OU=ACROBAT ENGINEERING, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O="ADOBE SYSTEMS, INCORPORATED", L=SAN JOSE, S=CALIFORNIA, C=US

                                    Hash = 540C61844CCD78C121C3EF48F3A34F0E

      Here's the actual alert from the HIPS log:

      <Event> <!-- Level=Med, Reaction=Log -->

        <EventData

        SignatureID="2640"

        SignatureName="IE Envelope - Abnormal Program Execution"

        SeverityLevel="3"

        Reaction="2"

        ProcessUserName="<USERNAME>"

        Process="C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE"

        IncidentTime="2013-03-04 11:17:09"

        AllowEx="True"

        SigRuleClass="Program"

        ProcessId="40776"

        Session="527"

        SigRuleDirective="run"/>

        <Params>

          <Param name="Workstation Name" allowex="True"><MACHINE NAME></Param>

          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>

          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>

          <Param name="Executable Description" allowex="False">INTERNET EXPLORER</Param>

          <Param name="Executable Fingerprint" allowex="False">257a60600a56c42adf146aa9f8a8cd18</Param>

          <Param name="Target File Name" allowex="False">ACRORD32.EXE</Param>

          <Param name="Target Path" allowex="False">D:\SYSTEM\TSS\PROGRAMS\ACROBATREADER10\READER\ACRORD32.EXE</Param>

          <Param name="Target Distinguished Name" allowex="False">CN=&quot;ADOBE SYSTEMS, INCORPORATED&quot;, OU=ACROBAT ENGINEERING, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;ADOBE SYSTEMS, INCORPORATED&quot;, L=SAN JOSE, S=CALIFORNIA, C=US</Param>

          <Param name="Target Organization Name" allowex="False">&quot;ADOBE SYSTEMS, INCORPORATED&quot;</Param>

          <Param name="Target Description" allowex="False">ADOBE READER </Param>

          <Param name="Target Fingerprint" allowex="False">540c61844ccd78c121c3ef48f3a34f0e</Param>

        </Params>

      </Event>

      The event is still triggered and mailed!

      Message was edited by: jesperdb on 3/4/13 4:26:24 AM CST

      Message was edited by: jesperdb on 3/4/13 4:27:08 AM CST
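As an added example (not code from the original post or from McAfee), the Python script below parses the event posted above and compares each field of the exception's executable details against it, case-insensitively, listing every field that differs. The mapping from rule fields (path, signer, hash) to event parameters, and the exact-match model itself, are assumptions made for illustration; the real HIPS matcher is not reproduced here. The script also shows the usual caveat with fingerprint-pinned exceptions: once the target binary is updated, the Target hash no longer matches and the exception stops applying.

```python
"""Check which fields of a HIPS exception rule differ from a logged event.

Added example; not code from the original post or from McAfee. The matching model
is a simplification (exact, case-insensitive comparison of path, signer DN and
MD5 hash); the real HIPS matcher is not reproduced here.
"""
import xml.etree.ElementTree as ET

# Event as posted above, copied by hand: the broken "</Par am>" tag is repaired and
# the "<USERNAME>" / "<MACHINE NAME>" placeholders, which are not valid XML, are
# replaced by plain tokens.
EVENT_XML = r"""<Event>
  <EventData SignatureID="2640" SignatureName="IE Envelope - Abnormal Program Execution"
    SeverityLevel="3" Reaction="2" ProcessUserName="USERNAME"
    Process="C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE"
    IncidentTime="2013-03-04 11:17:09" AllowEx="True" SigRuleClass="Program"
    ProcessId="40776" Session="527" SigRuleDirective="run"/>
  <Params>
    <Param name="Workstation Name" allowex="True">MACHINE-NAME</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">INTERNET EXPLORER</Param>
    <Param name="Executable Fingerprint" allowex="False">257a60600a56c42adf146aa9f8a8cd18</Param>
    <Param name="Target File Name" allowex="False">ACRORD32.EXE</Param>
    <Param name="Target Path" allowex="False">D:\SYSTEM\TSS\PROGRAMS\ACROBATREADER10\READER\ACRORD32.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=&quot;ADOBE SYSTEMS, INCORPORATED&quot;, OU=ACROBAT ENGINEERING, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;ADOBE SYSTEMS, INCORPORATED&quot;, L=SAN JOSE, S=CALIFORNIA, C=US</Param>
    <Param name="Target Organization Name" allowex="False">&quot;ADOBE SYSTEMS, INCORPORATED&quot;</Param>
    <Param name="Target Description" allowex="False">ADOBE READER </Param>
    <Param name="Target Fingerprint" allowex="False">540c61844ccd78c121c3ef48f3a34f0e</Param>
  </Params>
</Event>"""

# The exception's executable details, transcribed from the rule dump above.
EXCEPTION = {
    "sigNum": 2640,
    "executables": [
        {"type": "Standard",
         "path": r"C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE",
         "signer": "CN=MICROSOFT CORPORATION, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US",
         "hash": "257A60600A56C42ADF146AA9F8A8CD18"},
        {"type": "Target",
         "path": r"D:\SYSTEM\TSS\PROGRAMS\ACROBATREADER10\READER\ACRORD32.EXE",
         "signer": 'CN="ADOBE SYSTEMS, INCORPORATED", OU=ACROBAT ENGINEERING, '
                   'OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, '
                   'O="ADOBE SYSTEMS, INCORPORATED", L=SAN JOSE, S=CALIFORNIA, C=US',
         "hash": "540C61844CCD78C121C3EF48F3A34F0E"},
    ],
}

# Which event parameter each executable field is compared against (assumed mapping;
# the Standard executable's path comes from the EventData "Process" attribute).
PARAM_MAP = {
    "Standard": {"signer": "Subject Distinguished Name", "hash": "Executable Fingerprint"},
    "Target": {"path": "Target Path", "signer": "Target Distinguished Name",
               "hash": "Target Fingerprint"},
}


def parse_event(xml_text):
    """Return the signature ID, initiating process and <Param> entries of one HIPS event."""
    root = ET.fromstring(xml_text)
    data = root.find("EventData").attrib
    params = {p.get("name"): {"value": (p.text or "").strip(), "allowex": p.get("allowex")}
              for p in root.iter("Param")}
    return {"sig": int(data["SignatureID"]), "process": data["Process"], "params": params}


def _norm(s):
    # The log upper-cases paths and lower-cases hashes; compare case-insensitively.
    return " ".join(s.split()).casefold()


def compare(exception, event):
    """List (exe_type, field, rule_value, event_value) for every field that differs.

    An empty list means the signature number and every executable detail of the
    rule match the event under this simplified model."""
    mismatches = []
    if exception["sigNum"] != event["sig"]:
        mismatches.append(("rule", "sigNum", exception["sigNum"], event["sig"]))
    for exe in exception["executables"]:
        for field in ("path", "signer", "hash"):
            if exe["type"] == "Standard" and field == "path":
                actual = event["process"]
            else:
                name = PARAM_MAP[exe["type"]][field]
                actual = event["params"].get(name, {}).get("value", "")
            if _norm(exe[field]) != _norm(actual):
                mismatches.append((exe["type"], field, exe[field], actual))
    return mismatches


def allowex_params(event):
    """Names of the event's parameters that carry allowex="True"."""
    return [n for n, p in event["params"].items() if p["allowex"] == "True"]


if __name__ == "__main__":
    ev = parse_event(EVENT_XML)
    print("mismatches against posted event:", compare(EXCEPTION, ev))
    print("params flagged allowex=True:", allowex_params(ev))
    # Constructed case: Reader gets patched, so its fingerprint changes and the
    # hash-pinned Target detail no longer matches.
    patched = parse_event(EVENT_XML.replace("540c61844ccd78c121c3ef48f3a34f0e", "0" * 32))
    print("mismatches after Reader update:", compare(EXCEPTION, patched))
```

Run as-is, the script reports no mismatch between the posted rule and the posted event, and a single Target hash mismatch once the fingerprint changes. Which parameters an exception may key on is shown by the event's own allowex flags, and in the posted event only "Workstation Name" carries allowex="True".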