6 Replies, Latest reply: Jun 17, 2013 2:09 PM by Kary Tankink

    Hips Signature


      Anyone else notice that the signature "Java Envelope - Creation of suspicious files in Temp folder" doesn't seem to trip when it should?  The signature "Java Envelope - Starting suspicious process from Temp folder" seems to work fine, but for every infection I have traced, where a vulnerable version of Java wrote the malware file to the temp directory, it has never tripped.

        • 1. Re: Hips Signature

          I should add that it doesn't work under VirusScan 8.8 Access Protection rules either.  I made a rule that looks for *.exe files written under common temp locations with the source process being java.exe, and nothing trips.  I have another rule that monitors the exact same thing but with any process, and it will record just fine that java.exe wrote 12365gb5.exe to C:\users\username\appdata\local\temp.


          Message was edited by: Dvanmeter on 6/11/13 2:22:28 PM CDT
          • 2. Re: Hips Signature

            It's hard to say, since McAfee does not publish the signature definitions. You won't be able to test accurately since you don't know what you are testing for.

            • 3. Re: Hips Signature

              I did find a method to get the AP rules in AV 8.8 working.  I had to put the full path of the java.exe file in order for it to trip.  So rather than java.exe, I used C:\program files\java\java.exe.  The only problem with using it in AP rules in VirusScan is that if there is a legit file, there is no way to exclude it.  In HIPS I could make an exception, but I am having some difficulties understanding how to make this kind of rule in HIPS.  Can anyone offer me any help in HIPS in creating a custom rule that says c:\program files\java\java.exe is not allowed to create an exe anywhere on the drive?
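              The behaviour described in replies 1 and 3 (a rule keyed on the bare name java.exe never firing, the same rule keyed on the full path firing, and Access Protection offering no way to exclude a legitimate file) can be illustrated with a small rule evaluator over file-creation events. This is an added example, not McAfee's engine or any code from this thread: the event fields, the rule structure, the exclusion list and the sample paths (including the jre-update folder) are constructed for illustration; the only detail taken from the thread is that the process pattern is matched against the full process path.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List


@dataclass
class FileCreateEvent:
    """One file-creation event (constructed; not a real HIPS/AP event record)."""
    process_path: str   # full path of the process that created the file
    target_path: str    # full path of the file that was created


@dataclass
class Rule:
    """A file-creation rule: process pattern + target patterns, with optional exclusions."""
    name: str
    process_pattern: str                    # matched against the FULL process path
    target_patterns: List[str]              # fire if the created file matches any of these
    exclusions: List[str] = field(default_factory=list)  # created files that are allowed anyway


def _norm(path: str) -> str:
    """Case-fold and use backslashes so Windows paths compare consistently."""
    return path.replace("/", "\\").lower()


def matches(rule: Rule, event: FileCreateEvent) -> bool:
    """True when the event should trip the rule (process, target, and not excluded)."""
    proc = _norm(event.process_path)
    target = _norm(event.target_path)
    # Like the AP rule in the thread, the pattern is compared to the whole path:
    # a bare "java.exe" does not match "c:\program files\java\...\java.exe".
    if not fnmatch(proc, _norm(rule.process_pattern)):
        return False
    if not any(fnmatch(target, _norm(p)) for p in rule.target_patterns):
        return False
    # Exclusions model the HIPS-style exception the poster wanted for a legit file.
    if any(fnmatch(target, _norm(p)) for p in rule.exclusions):
        return False
    return True


def evaluate(rules: List[Rule], events: List[FileCreateEvent]) -> List[str]:
    """Return one alert string per (rule, event) pair that trips."""
    return [
        f"{rule.name}: {ev.process_path} -> {ev.target_path}"
        for ev in events
        for rule in rules
        if matches(rule, ev)
    ]


# Constructed sample events: the malware drop from reply 1, a non-exe write,
# a write by a different process, and a legitimate updater write to exclude.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Program Files\Java\jre7\bin\java.exe",
                    r"C:\Users\alice\AppData\Local\Temp\12365gb5.exe"),
    FileCreateEvent(r"C:\Program Files\Java\jre7\bin\java.exe",
                    r"C:\Users\alice\AppData\Local\Temp\cache.jar"),
    FileCreateEvent(r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    FileCreateEvent(r"C:\Program Files\Java\jre7\bin\java.exe",
                    r"C:\Users\alice\AppData\Local\Temp\jre-update-123\installer.exe"),
]

TEMP_EXE_TARGETS = [r"C:\Users\*\AppData\Local\Temp\*.exe", r"C:\Windows\Temp\*.exe"]

# Rule as the poster first wrote it: bare process name, no exclusions.
BARE_NAME_RULE = Rule("java-writes-exe-to-temp (bare name)", "java.exe", TEMP_EXE_TARGETS)

# Rule as it had to be written: full-path pattern, plus an exclusion for the updater folder.
FULL_PATH_RULE = Rule(
    "java-writes-exe-to-temp (full path)",
    r"*\java.exe",
    TEMP_EXE_TARGETS,
    exclusions=[r"C:\Users\*\AppData\Local\Temp\jre-update-*\*.exe"],
)


def demo() -> dict:
    """Run both rule variants over the sample events and return the alerts each produced."""
    return {
        "bare_name": evaluate([BARE_NAME_RULE], SAMPLE_EVENTS),
        "full_path": evaluate([FULL_PATH_RULE], SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for variant, alerts in demo().items():
        print(variant, alerts)
```

The bare-name variant produces no alerts at all, which is the "nothing trips" symptom from reply 1; the full-path variant fires once, on the 12365gb5.exe drop, and stays silent on the .jar write, the explorer.exe write, and the excluded updater path. In a real deployment the exclusion list is where the legitimate-file exception the poster asked about would live.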

              • 4. Re: Hips Signature
                Kary Tankink

                Try something like:


                [Screenshot attachment: 2013-06-17 11_32_17-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]



                Change the Operations as desired.

                • 5. Re: Hips Signature

                  Thank you for your help, Kary.  Just out of curiosity, would the file rule be "Destination File" or just "File"?  The two confuse me as to how they are to be used.

                  • 6. Re: Hips Signature
                    Kary Tankink


                    Destination File is only used for a MOVE/RENAME or a HARDLINK operation (where there is a Source/Destination file).  See the help menu on FILES class signatures.


                    [Screenshot attachment: 2013-06-17 14_05_51-McAfee Help Portal.jpg]