9 Replies. Latest reply: Oct 23, 2013 9:50 AM by Kary Tankink

HIPS 8 Application Hooking (6010) Exceptions by Digital Signer


I've been doing some experimenting with creating exceptions for the 6010 HIPS 8 signature. Because we're trying to deploy this to thousands of systems, our intent is to use the Subject Distinguished Name and Target Distinguished Name to eliminate a lot of false positives in a more secure way than simply allowing by file path. The theory is that a known good vendor's digitally signed executable (the subject) can be allowed to hook into another known good vendor's digitally signed executable (the target).

What I have found so far is that if I create an exception for the 6010 signature, with the only two parameters being that the subject executable signer and the target executable signer are given, and there's only a one-to-one relationship between the two, the exception works as designed. For example, if a Microsoft-signed executable is attempting to hook into a Juniper-signed executable, it works, and this is allowed. See the first two entries in the "parameters" section in the screenshot.

However, if I edit this to include anything else, such as more subject executable signers or more target executable signers, the exception doesn't work as intended. In the screenshot below, I added McAfee, Microsoft, and WinZip signed executables to the list of possible targets, assuming that this would not just be a one-to-one relationship. I figured that any Microsoft-signed executable should be allowed to hook into a Juniper, McAfee, Microsoft, or WinZip signed executable.

Exceptions written in this way seem to only work with a one-to-one relationship, and not with a one-to-many relationship or a many-to-many relationship.

Am I just misinterpreting how exceptions should be able to be written? Has anyone come up with a good, fairly secure method of enabling this signature without having to make a LOT of exceptions?

[Screenshot attachment: 4-11-2013 12-20-26 PM.png]