1 Reply Latest reply on May 9, 2013 12:59 PM by Kary Tankink

    HIPS Suspicious Double File Extension & .com (sig 413)

    wyrm

      I ran into an issue with HIPS 8 triggering signature 413 (suspicious double file extension).  A .com file cannot execute from a folder name that contains a period.

       

      Example:

       

      Created folder "C:\ABC"

      Copied format.com from "c:\windows\system32" to "C:\ABC"

      I can run C:\ABC\format.com without issue in that folder.

       

      Now, if I rename "C:\ABC" to "AB.C" then try to run C:\AB.C\format.com, it triggers signature 413.

      Here's the problem:  This only affects .com file extensions.  It does NOT affect .exe files.  I can copy notepad.exe into C:\AB.C and run it without issue.

       

      I opened a case with McAfee and the level 1 tech said this is intended functionality... but I find this hard to believe.  If this affects .com files, shouldn't it affect .exe as well???  This seems to be a bug, but level 1 was unwilling to escalate.

       

      I'd like to know if this is specific to HIPS 8, or if this also occurs with HIPS 7.

       

      Thanks,
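
One way a double-extension rule can produce the behaviour reported above, as an added example that is not part of the original post and is not McAfee's signature logic: a wildcard evaluated over the whole path lets a period in a folder name count as the first "extension", while the same wildcard scoped to the file name does not. The pattern `*.*.com`, the watched-extension list and the function names are assumptions made for illustration; the post does not say how signature 413 is written.

```python
import fnmatch
import ntpath  # Windows path parsing that behaves the same on any OS

# Assumed for illustration: the rule watches .com but not .exe.
# The post does not state which extensions signature 413 covers.
WATCHED_EXTS = ("com",)


def path_wide_match(path: str) -> bool:
    """Apply '*.*.<ext>' to the full path; '*' also spans '\\' and folder dots."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, f"*.*.{ext}") for ext in WATCHED_EXTS)


def filename_only_match(path: str) -> bool:
    """Apply the same wildcard to the final path component only."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, f"*.*.{ext}") for ext in WATCHED_EXTS)


# Constructed samples: the first three mirror the post's scenario,
# the last is a constructed file name with a real double extension.
SAMPLES = [
    r"C:\ABC\format.com",
    r"C:\AB.C\format.com",
    r"C:\AB.C\notepad.exe",
    r"C:\ABC\report.txt.com",
]


def evaluate(paths=SAMPLES):
    """Return {path: (path_wide_result, filename_only_result)}."""
    return {p: (path_wide_match(p), filename_only_match(p)) for p in paths}


if __name__ == "__main__":
    for path, (wide, scoped) in evaluate().items():
        print(f"{path:<26} path-wide={wide!s:<5} filename-only={scoped}")
```

Under these assumptions only the path-wide form flags `C:\AB.C\format.com`, and both forms still flag the constructed `report.txt.com`.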