4 Replies Latest reply on Jun 4, 2013 10:28 AM by Kary Tankink

    Signature 1001




      Can anyone provide me the steps to trigger a signature 1001.  I need to trigger a signature 1001 to test HIPS.

        • 1. Re: Signature 1001

          Moved from Home to Business > HIPS for better attention.

          • 2. Re: Signature 1001

            You verified sig 1001 is enabled and set to the level your blocking? Depending on Group Policy, this signature should be evident in HIPS log when you make an attempt to uninstall McAfee Agent with HIPS enabled. You can also test this signature by stopping one of the agent services or modifiying agent files or reg info with HIPS enabled.


            This at least is what the signature suggests. I just got done testing however and am not seeing this block. I thought there may be a conflicting signature in 4011.  I'm missing something....


            Message was edited by: lrock on 6/4/13 7:24:42 AM CDT
            • 3. Re: Signature 1001
              Kary Tankink

              Signature 1001 is the Windows Agent Shielding - File Modification signature.  Try modifying any of the Host IPS files (like in the installation directory).  Ensure you have the Host IPS module enabled, High Severity events is set to PREVENT, and Signature 1001 is left at high severity.  Renames/moves, etc. should be prevented.

              • 4. Re: Signature 1001
                Kary Tankink

                Signature 4000-5999 are custom signatures written by customers.  You may have conflicts with the McAfee Default signatures, depending on how the custom signature is written.  If so, the original author of the custom signatures should troubleshoot it further.