1999 Views, 9 Replies, Latest reply: Oct 23, 2013 9:50 AM by Kary Tankink

damageinc, Apprentice, 51 posts since Nov 22, 2011

Apr 11, 2013 11:33 AM

HIPS 8 Application Hooking (6010) Exceptions by Digital Signer

I've been doing some experimenting with creating exceptions for the 6010 HIPS 8 signature. Because we're trying to deploy this to thousands of systems, our intent is to use the Subject Distinguished Name and Target Distinguished Name to eliminate a lot of false positives in a more secure way than simply allowing by file path. The theory is that a known good vendor's digitally signed executable (the subject) can be allowed to hook into another known good vendor's digitally signed executable (the target).
What I have found so far is that if I create an exception for the 6010 signature, with the only two parameters being that the subject executable signer and the target executable signer are given, and there's only a one to one relationship between the two, the exception works as designed. For example, if a Microsoft signed executable is attempting to hook into a Juniper signed executable, it works, and this is allowed. See the first two entries in the "parameters" section in the screenshot.
However, if I edit this to include anything else, such as more subject executable signers or more target executable signers, the exception doesn't work as intended. In the screenshot below, I added McAfee, Microsoft, and Winzip signed executables to the list of possible targets, assuming that this would not just be a one to one relationship. I figured that any Microsoft signed executable should be allowed to hook into a Juniper, McAfee, Microsoft, or Winzip signed executable.
Exceptions written in this way seem to only work with a one to one relationship, and not with a one to many relationship or a many to many relationship.
Am I just misinterpreting how exceptions should be able to be written? Has anyone come up with a good, fairly secure method of enabling this signature without having to make a LOT of exceptions?
-DamageInc

[Screenshot: 4-11-2013 12-20-26 PM.png]
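Added example (not from the original post or from McAfee): a PowerShell helper that reads the Authenticode signer Subject DN of the executables involved in a 6010 event, so exceptions can be keyed by signer rather than file path, and then expands an intended one-to-many allow list into the explicit one-to-one (subject, target) pairs that the post reports as the only form that matches. It assumes the HIPS "Subject Distinguished Name" / "Target Distinguished Name" fields take the signing certificate's Subject DN; the file paths are constructed placeholders.

```powershell
# Added example (not the original post's or McAfee's code).
# Paths below are constructed placeholders; replace them with the
# subject and target executables seen in the 6010 events.

function Get-SignerSubject {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Only a chain that validates should ever become an exception;
    # an unsigned or tampered file is skipped, not allowed.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status $($sig.Status); skipped"
        return $null
    }
    # Assumption: this Subject DN is what the HIPS DN fields compare against.
    return $sig.SignerCertificate.Subject
}

function Expand-HookingExceptions {
    param(
        [Parameter(Mandatory)][string[]]$SubjectSigners,  # signers of hooking executables
        [Parameter(Mandatory)][string[]]$TargetSigners    # signers of hooked executables
    )
    # One object per (subject, target) pair: each becomes its own exception
    # entry, since a multi-valued list did not match in the post's testing.
    foreach ($s in ($SubjectSigners | Sort-Object -Unique)) {
        foreach ($t in ($TargetSigners | Sort-Object -Unique)) {
            [pscustomobject]@{ SubjectDN = $s; TargetDN = $t }
        }
    }
}

# Constructed inputs (placeholders).
$hookers = @('C:\placeholder\hooking_app.exe')
$hooked  = @('C:\placeholder\target_a.exe', 'C:\placeholder\target_b.exe')

$subjectDNs = $hookers | ForEach-Object { Get-SignerSubject $_ } | Where-Object { $_ }
$targetDNs  = $hooked  | ForEach-Object { Get-SignerSubject $_ } | Where-Object { $_ }

Expand-HookingExceptions -SubjectSigners $subjectDNs -TargetSigners $targetDNs |
    Format-Table -AutoSize
```

Catalog-signed binaries (many Microsoft files) can report NotSigned from Get-AuthenticodeSignature on older hosts; confirm those signers from the 6010 event details instead.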