1652 Views 8 Replies Latest reply: Jul 11, 2013 7:54 AM by greatscott
kobielusz Newcomer 3 posts since Jun 10, 2013

Jun 10, 2013 9:53 PM

HIPS 8 - IPS Exception Rule Cleanup

I recently decided to tackle the mess that encompasses our ePO platform. The previous admin would create everything on the fly and did nothing to try and streamline or organize the system...especially when it came to creating Exceptions.

Our site was recently migrated from HIPS 7 to HIPS 8 by our corporate office; however, the mess of course just followed, and with about 2 years remaining here as the primary admin, I would like to clean things up, not only for my own sake but most importantly for the sanity of the next admin to follow.

Soapbox aside, my specific question for the forum relates to the 21 pages of exceptions currently in place on the server, as well over half of them appear to be duplicates of the same Signature ID and Executable, with the only differences being in the Parameters.

Is it possible (or recommended) to consolidate 3 individual exception rules for the same Signature ID and Executable into one rule similar to below and eliminate some of the clutter:

Example: Signature ID 913 Event Log Registry Permissions Modified, Executable C:\WINDOWS\SYSTEM32\SERVICES.EXE

Rule 1 Parameters
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\ACEEVENTLOG
    User Name     NT AUTHORITY\SYSTEM

Rule 2 Parameters
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING
    User Name     NT AUTHORITY\SYSTEM

Rule 3 Parameters
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME
    User Name     NT AUTHORITY\SYSTEM

New Rule Parameters
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\ACEEVENTLOG
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME
    User Name     NT AUTHORITY\SYSTEM

or

New Rule Parameters
    Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\*
    User Name     NT AUTHORITY\SYSTEM

This was an example of a smaller one, but I have one related to Backup Exec services that, due to variances in the executable name and path, takes up almost 2 pages of exceptions alone, all ultimately triggering the same signature ID.

If I'm just overthinking things and this is just the way it is, I'm ok with that too and will at least try to organize them into a common naming structure for each exception, but I also figure eliminating the clutter may reduce any unnecessary overhead on the system as well.

  • minds Newcomer 2 posts since Jun 11, 2013
    1. Jun 11, 2013 2:17 AM (in response to kobielusz)

    I have moved to ePO 5 and HIPS 8 and now I'm having problems with registry keys. They seem to work if I use one key per exception, but if I add several to a single exception it doesn't work anymore. I don't have problems consolidating files into a single exception, however.

    I had no such problem with ePO 4.5 and HIPS 7.

  • Kary Tankink McAfee Employee 659 posts since Mar 3, 2010
    2. Jun 11, 2013 11:59 AM (in response to kobielusz)

    You can consolidate IPS exceptions, but be aware of how exception parameters are AND/OR'd together. The KB below applies to HIPS 8.0 as well, although the menus look different. ALL parameters must be listed in a single violation in order for the IPS exception to work. Trying to use an exception with conflicting information (like Registry Key and Registry Value) will most likely not work (since the violation will probably not contain both parameters in a single violation; most likely it will be 2 separate violations). If you review the signature violation events, you can see exactly which parameters are listed.

    KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

    Different parameter types will be AND'd together (e.g., Signature ID AND REGISTRY KEY AND USERNAME).

    Same parameter types will be OR'd together (e.g., REGISTRY KEY OR REGISTRY KEY).


    Example:

        (Signature ID OR Signature ID)
        AND
        (Registry Key OR Registry Key OR Registry Key)
        AND
        (User Name OR User Name)

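The AND/OR rule from the KB, applied to the three services.exe rules in the opening post, as an added example in Python. This is not McAfee code and not an ePO export: it models an exception as a parameter type mapped to a list of values and a violation as one value per type, then reports which rules would cover each constructed violation. Assumptions: the path wildcards follow the HIPS product guide (`*` matches anything except a backslash, `**` also crosses backslashes; check this against your version before relying on it), comparisons are case-insensitive, and the violation events are constructed here rather than taken from a real server. Under that wildcard reading, the single-`*` variant of the consolidated rule covers only the ACEEVENTLOG key, because the two .NET keys sit one level deeper under APPLICATION. The merge helper also shows when consolidation is safe: two rules that differ in only one parameter type merge exactly, whereas rules that differ in two types would, once OR'd per type, except combinations neither original rule allowed.

```python
"""Model of how HIPS IPS exception parameters combine (added example, not McAfee code)."""
import re

PATH_TYPES = {"Registry Key", "Registry Value", "Executable", "File"}


def pattern_to_regex(pattern):
    """Translate a HIPS path pattern into an anchored regex.
    Assumption: '**' spans backslashes, '*' and '?' do not; case-insensitive."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def value_matches(ptype, pattern, value):
    """One exception value against one violation value."""
    if ptype in PATH_TYPES:
        return pattern_to_regex(pattern).match(value) is not None
    if isinstance(pattern, str) and isinstance(value, str):
        return pattern.casefold() == value.casefold()
    return pattern == value


def exception_covers(exception, violation):
    """AND across parameter types, OR within a type. A type listed in the
    exception but absent from the violation (e.g. Registry Value listed while
    the violation only carries Registry Key) means the exception does not apply."""
    for ptype, patterns in exception.items():
        if ptype not in violation:
            return False
        if not any(value_matches(ptype, p, violation[ptype]) for p in patterns):
            return False
    return True


def covered_by(rules, violation):
    """Names of the rules that would suppress this violation."""
    return [name for name, rule in rules.items() if exception_covers(rule, violation)]


def merge_if_safe(a, b):
    """Merge two rules only if they differ in a single parameter type; the OR
    within that type then reproduces exactly the union of the two rules.
    Rules differing in two types are left alone: OR'ing each type separately
    would also except cross combinations (a's key with b's user)."""
    if set(a) != set(b):
        return None
    differing = [t for t in a if set(a[t]) != set(b[t])]
    if len(differing) > 1:
        return None
    merged = {t: list(a[t]) for t in a}
    for t in differing:
        merged[t] = list(dict.fromkeys(a[t] + b[t]))  # union, order kept
    return merged


# Values from the opening post; parameter names follow the ePO console labels.
EVENTLOG = r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG"
SERVICES_EXE = r"C:\WINDOWS\SYSTEM32\SERVICES.EXE"
SYSTEM = r"NT AUTHORITY\SYSTEM"
KEYS = [
    EVENTLOG + r"\ACEEVENTLOG",
    EVENTLOG + r"\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING",
    EVENTLOG + r"\APPLICATION\.NET RUNTIME",
]


def rule(keys, user=SYSTEM):
    return {"Signature ID": [913], "Executable": [SERVICES_EXE],
            "Registry Key": list(keys), "User Name": [user]}


RULES = {
    "Rule 1": rule(KEYS[:1]),
    "Rule 2": rule(KEYS[1:2]),
    "Rule 3": rule(KEYS[2:]),
    "Consolidated": rule(KEYS),
    "Wildcard *": rule([EVENTLOG + r"\*"]),
    "Wildcard **": rule([EVENTLOG + r"\**"]),
}


def violation(key, user=SYSTEM):
    """Constructed violation event (not a real ePO record)."""
    return {"Signature ID": 913, "Executable": SERVICES_EXE,
            "Registry Key": key, "User Name": user}


if __name__ == "__main__":
    for key in KEYS:
        print(key.rsplit("\\", 1)[-1], "->", covered_by(RULES, violation(key)))
    print("other user ->", covered_by(RULES, violation(KEYS[0], user=r"DOMAIN\jdoe")))
    merged = merge_if_safe(merge_if_safe(RULES["Rule 1"], RULES["Rule 2"]), RULES["Rule 3"])
    print("merged == Consolidated:", merged == RULES["Consolidated"])
```

Running it lists, for each of the three keys, the rules that would suppress the event; the ACEEVENTLOG key is the only one the `\EVENTLOG\*` rule reaches, and chaining `merge_if_safe` over Rules 1 to 3 reproduces the consolidated rule exactly.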
  • minds Newcomer 2 posts since Jun 11, 2013
    5. Jun 12, 2013 12:21 AM (in response to kobielusz)

    Hello

    I have read that KB article before, and that has worked with HIPS 7.0 and still works with HIPS 8.0 for file parameters, but I can't get it working with Registry Key parameters. My exception configuration:

    [image: HIPSException.png]

    These start working only if I create separate exceptions for each Registry Key.

    I'm just wondering: maybe I can't use \REGISTRY\MACHINE and \REGISTRY\USER\ keys in the same exception. But that KB states that OR is used for the same parameter type and says nothing about values.

  • Kary Tankink McAfee Employee 659 posts since Mar 3, 2010
    6. Jun 12, 2013 12:20 PM (in response to minds)
    "I'm just wondering: maybe I can't use \REGISTRY\MACHINE and \REGISTRY\USER\ keys in the same exception. But that KB states that OR is used for the same parameter type and says nothing about values."

    You can use multiple REGISTRY KEY parameters that are different registry locations. I've tested this before and just now, and it still works fine. I used 2 registry hives and a TEST key.

    I created the regkeys TEST and TEST2:
        \REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2
        \REGISTRY\MACHINE\SOFTWARE\TEST\TEST2

    My signature blocks any new regkeys under:
        \REGISTRY\CURRENT_USER\SOFTWARE\TEST\**
        \REGISTRY\MACHINE\SOFTWARE\TEST\**

    With this IPS exception, I was able to:

    1. Not create any new keys under:
         \REGISTRY\CURRENT_USER\SOFTWARE\TEST\
         \REGISTRY\MACHINE\SOFTWARE\TEST\

    2. Create new keys under:
         \REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2
         \REGISTRY\MACHINE\SOFTWARE\TEST\TEST2

    [image: 2013-06-12 12_15_20-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]

  • thurmanw1 Newcomer 13 posts since Feb 22, 2010
    7. Jul 9, 2013 6:34 PM (in response to kobielusz)

    I agree with kobielusz. I stepped into a similar situation, similar mess and all. I definitely appreciate the answers and references by Kary. I just spent the day cleaning up several Exceptions. I was about 98% sure that the Parameters that I created were right, but it was great to see it in black and white.

  • greatscott Champion 293 posts since Jul 18, 2011
    8. Jul 11, 2013 7:54 AM (in response to kobielusz)

    It makes life simpler to break your exceptions out by process name, and put the threat name in the "notes" section of the exception. In this area, you may have several threat names. For example:

    c:\windows\system32\cmd.exe
    1281, 344, 6015, 990, 1148

    This of course does not take into account usernames, other file parameters, etc. Like Kary said, I would be very careful with how these are currently intertwined. It works now, but you could easily break something making the changes. Just keep good notes and make the changes slowly and methodically. Have good dashboards set up before you start making your changes.
