8 Replies. Latest reply: Jul 11, 2013 7:54 AM by greatscott

    HIPS 8 - IPS Exception Rule Cleanup

    kobielusz

      I recently decided to tackle the mess that encompasses our ePO platform. The previous admin would create everything on the fly and did nothing to try and streamline or organize the system...especially when it came to creating Exceptions.

      Our site was recently migrated from HIPS 7 to HIPS 8 by our corporate office; however, the mess of course just followed, and with about 2 years remaining here as the primary admin, I would like to clean things up not only for my own sake but, most importantly, for the sanity of the next admin to follow.

      Soapbox aside, my specific question for the forum relates to the 21 pages of exceptions currently in place on the server, as well over half of them appear to be duplicates of the same Signature ID and Executable, with the differences being in the Parameters.

      Is it possible (or recommended) to consolidate 3 individual exception rules for the same Signature ID and Executable into one rule similar to below and eliminate some of the clutter:

      Example: Signature ID 913 (Event Log Registry Permissions Modified), Executable C:\WINDOWS\SYSTEM32\SERVICES.EXE

      Rule 1
      Parameters
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\ACEEVENTLOG
      User Name  NT AUTHORITY\SYSTEM

      Rule 2
      Parameters
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING
      User Name  NT AUTHORITY\SYSTEM

      Rule 3
      Parameters
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME
      User Name  NT AUTHORITY\SYSTEM

      New Rule
      Parameters
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\ACEEVENTLOG
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\APPLICATION\.NET RUNTIME
      User Name  NT AUTHORITY\SYSTEM

      or

      Parameters
      Registry Key  \REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG\*
      User Name  NT AUTHORITY\SYSTEM

      This was an example of a smaller one, but I have one related to Backup Exec services that, due to variances in the executable name and path, encompasses almost 2 pages of exceptions alone, all ultimately triggering the same signature ID.

      If I'm just overthinking things and this is just the way it is, I'm OK with that too and will at least try to organize them into a common naming structure for each exception, but I also figure eliminating the clutter may reduce unnecessary overhead on the system as well.

        • 1. Re: HIPS 8 - IPS Exception Rule Cleanup
          minds

          I have moved to ePO 5 and HIPS 8 and now I'm having problems with registry keys. They seem to work if I use one key per exception. But if I add several to a single exception, this doesn't work anymore. I don't have problems consolidating files into a single exception, however.

          Had no such problem with ePO 4.5 and HIPS 7.

          • 2. Re: HIPS 8 - IPS Exception Rule Cleanup
            Kary Tankink

            You can consolidate IPS exceptions, but be aware of how exception parameters are AND/OR'd together. The KB below applies to HIPS 8.0 as well, although the menus look different. ALL parameters must be listed in a single violation in order for the IPS exception to work. Trying to use an exception with conflicting information (like Registry Key and Registry Value) will most likely not work (since the violation will probably not contain both parameters in a single violation; most likely it will be 2 separate violations). If you review the signature violation events, you can see exactly which parameters are listed.

            KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria

            Different parameter types will be AND'd together (e.g., Signature ID AND REGISTRY KEY AND USERNAME).

            Same parameter types will be OR'd together (e.g., REGISTRY KEY OR REGISTRY KEY).

            Example:

            Signature ID OR Signature ID
            AND
            Registry Key OR Registry Key OR Registry Key
            AND
            User Name OR User Name
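The AND-across-types / OR-within-a-type evaluation Kary describes, together with the consolidation the opening post proposes, as an added worked model (editor's example, not code from the thread, from McAfee, or from the KB). It assumes that `*` stays within one registry path level while `**` crosses backslashes, which is an assumption about HIPS wildcard handling, not something the thread states; the rules, violation events and user names are constructed from the opening post's example. Beyond the post, it also shows the case where merging is not safe: two rules that differ in both Registry Key and User Name merge into a rule that excepts cross combinations neither original did, so the exception becomes wider than before.

```python
"""Model of HIPS IPS exception evaluation (AND across parameter types, OR within
a type) plus a merge helper for the duplicate cleanup in the opening post.
Added example; the wildcard semantics are an assumption, not taken from McAfee."""
import re
from collections import defaultdict, namedtuple

# signature_ids: frozenset (OR'd); params: {parameter type: set of OR'd values}
ExceptionRule = namedtuple("ExceptionRule", "name signature_ids params")

def wildcard_to_regex(pattern):
    """Assumed: '*' stays within one path level, '**' crosses backslashes,
    '?' is a single character; matching is case-insensitive."""
    subs = {"**": ".*", "*": r"[^\\]*", "?": r"[^\\]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    body = "".join(subs.get(p) or re.escape(p) for p in parts)
    return re.compile(body + r"\Z", re.IGNORECASE)

def rule_matches(rule, event):
    """event = {'sig_id': int, <parameter type>: value, ...} as logged in the
    violation.  Every rule parameter type must be present (AND); within a
    type, any listed value may match (OR)."""
    if event["sig_id"] not in rule.signature_ids:
        return False
    for ptype, alternatives in rule.params.items():
        value = event.get(ptype)
        if value is None:  # the violation never logged this type: AND fails
            return False
        if not any(wildcard_to_regex(p).match(value) for p in alternatives):
            return False
    return True

def exact_merge(members):
    """Sufficient condition for a merge to except nothing new: all members have
    the same parameter types and at most one type whose values differ."""
    type_sets = {frozenset(m.params) for m in members}
    if len(type_sets) != 1:
        return False
    differing = [t for t in next(iter(type_sets))
                 if len({frozenset(m.params[t]) for m in members}) > 1]
    return len(differing) <= 1

def consolidate(rules):
    """Group by (signature IDs, Executable) and union each parameter type.
    Returns (merged rule, exact) pairs so a widening merge stays visible."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r.signature_ids, frozenset(r.params.get("Executable", ())))].append(r)
    out = []
    for (sig_ids, _), members in groups.items():
        params = defaultdict(set)
        for m in members:
            for ptype, values in m.params.items():
                params[ptype] |= set(values)
        name = " + ".join(m.name for m in members)
        out.append((ExceptionRule(name, sig_ids, dict(params)), exact_merge(members)))
    return out

# Constructed sample data mirroring the opening post's three rules.
SVC = r"C:\WINDOWS\SYSTEM32\SERVICES.EXE"
EVENTLOG = r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET\SERVICES\EVENTLOG"
SYSTEM = r"NT AUTHORITY\SYSTEM"

def _rule(name, key, user=SYSTEM):
    return ExceptionRule(name, frozenset({913}),
                         {"Executable": {SVC}, "Registry Key": {key}, "User Name": {user}})

def _event(key, user=SYSTEM):
    return {"sig_id": 913, "Executable": SVC, "Registry Key": key, "User Name": user}

ORIGINAL_RULES = [
    _rule("Rule 1", EVENTLOG + r"\ACEEVENTLOG"),
    _rule("Rule 2", EVENTLOG + r"\APPLICATION\.NET RUNTIME 2.0 ERROR REPORTING"),
    _rule("Rule 3", EVENTLOG + r"\APPLICATION\.NET RUNTIME"),
]
EVENTS = [  # constructed signature 913 violations, not real ePO events
    _event(EVENTLOG + r"\ACEEVENTLOG"),                     # 0: Rule 1 covers it
    _event(EVENTLOG + r"\APPLICATION\.NET RUNTIME"),       # 1: Rule 3 covers it
    _event(EVENTLOG + r"\SECURITY"),                        # 2: no rule covers it
    _event(EVENTLOG + r"\ACEEVENTLOG", user=r"CORP\jdoe"),  # 3: wrong user, AND fails
    {"sig_id": 913, "Executable": SVC, "User Name": SYSTEM,
     "Registry Value": "Start"},                            # 4: no Registry Key logged
]

def matched_indices(rule, events=EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]

def demo_consolidation():
    """Rules differ only in Registry Key, so the merge is exact: (True, True, [0, 1])."""
    (merged, exact), = consolidate(ORIGINAL_RULES)
    before = {i for r in ORIGINAL_RULES for i in matched_indices(r)}
    return exact, before == set(matched_indices(merged)), sorted(before)

def demo_widening():
    """Rules differing in Registry Key AND User Name: the merged rule excepts a
    SYSTEM write under SECURITY that neither original did: (False, False, True)."""
    a = _rule("A", EVENTLOG + r"\ACEEVENTLOG")
    b = _rule("B", EVENTLOG + r"\SECURITY", user=r"CORP\jdoe")
    (merged, exact), = consolidate([a, b])
    cross = EVENTS[2]
    return exact, rule_matches(a, cross) or rule_matches(b, cross), rule_matches(merged, cross)

def demo_wildcards():
    """The post's EVENTLOG\\* alternative: under the assumed rules '*' misses the
    APPLICATION\\... subkeys while '**' covers them: ([0, 2], [0, 1, 2])."""
    return (matched_indices(_rule("star", EVENTLOG + r"\*")),
            matched_indices(_rule("dstar", EVENTLOG + r"\**")))
```

Event 4 is the "conflicting parameters" case from the reply above: a violation that logged a Registry Value but no Registry Key never satisfies a rule whose parameters include Registry Key, whatever the other fields say. The `exact_merge` check is a sufficient condition only; when it reports `False`, compare the merged rule against the actual violation events (as `demo_widening` does) before replacing the originals, because a wider exception silently removes protection the separate rules still gave.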

            • 3. Re: HIPS 8 - IPS Exception Rule Cleanup
              kobielusz

              @minds

              Thank you for providing your own input with regard to the registry keys in particular, as that seems to be what I am seeing more of lately as a result of the migration. All of our test workstations have required additional tuning for the registry exceptions when the policies were converted from HIPS 7 to HIPS 8, so I'm about to roll up the sleeves on those and start taking a closer look.

              For the record, we are still running ePO 4.5 at the moment, so maybe it's not a difference in the ePO version itself.

              Message was edited by: kobielusz on 6/11/13 7:41:19 PM CDT
              • 4. Re: HIPS 8 - IPS Exception Rule Cleanup
                kobielusz

                @Kary

                This is exactly what I was looking for to definitively try and sort this mess out and I guess that my assumptions were tracking along those lines, but it is good to see it in black and white rather than simply guessing how they are processing.

                Given the brevity of that technical paper, I think this would make a worthy addition to the product guide and help eliminate any confusion down the road as to how these rules function.

                I swear that I had searched about every keyword except "criteria", but that seems to have been the magic word.

                Thank you again for the assistance and have a great week!

                • 5. Re: HIPS 8 - IPS Exception Rule Cleanup
                  minds

                  Hello

                  I have read that KB article before, and that has worked with HIPS 7.0 and still works with HIPS 8.0 for file parameters, but I can't get it working with Registry Key parameters. My exception configuration:

                  [image: HIPSException.png]

                  These start working only if I create separate exceptions for each Registry Key.

                  I'm just wondering: maybe I can't use \REGISTRY\MACHINE and \REGISTRY\USER\ keys in the same exception. But that KB states that OR is used for the same parameter type and says nothing about values.

                  • 6. Re: HIPS 8 - IPS Exception Rule Cleanup
                    Kary Tankink
                    > I'm just wondering: maybe I can't use \REGISTRY\MACHINE and \REGISTRY\USER\ keys in the same exception. But that KB states that OR is used for the same parameter type and says nothing about values.

                    You can use multiple REGISTRY KEY parameters that are different registry locations. I've tested this before and just now, and it still works fine. I used 2 registry hives and a TEST key.

                    I created the regkeys TEST and TEST2:

                    \REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2
                    \REGISTRY\MACHINE\SOFTWARE\TEST\TEST2

                    My signature blocks any new regkeys under:

                    \REGISTRY\CURRENT_USER\SOFTWARE\TEST\**
                    \REGISTRY\MACHINE\SOFTWARE\TEST\**

                    With this IPS exception, I was able to:

                    1. Not create any new keys under:
                         \REGISTRY\CURRENT_USER\SOFTWARE\TEST\
                         \REGISTRY\MACHINE\SOFTWARE\TEST\

                    2. Create new keys under:
                         \REGISTRY\CURRENT_USER\SOFTWARE\TEST\TEST2
                         \REGISTRY\MACHINE\SOFTWARE\TEST\TEST2

                    [image: 2013-06-12 12_15_20-ePolicy Orchestrator 5.0.0 (Build_ 1160).jpg]

                    • 7. Re: HIPS 8 - IPS Exception Rule Cleanup
                      thurmanw1

                      I agree with kobielusz.  I stepped into a similar situation, similar mess and all.  I definitely appreciate the answers and references by Kary.  I just spent the day cleaning up several Exceptions.  I was about 98% sure that the Parameters that I created were right, but it was great to see it in black & white.

                      • 8. Re: HIPS 8 - IPS Exception Rule Cleanup
                        greatscott

                        It makes life simpler to break your exceptions out by process name, and put the threat name in the "notes" section of the exception. In this area, you may have several threat names. For example:

                        c:\windows\system32\cmd.exe
                        1281, 344, 6015, 990, 1148

                        This of course does not take into account usernames, other file parameters, etc. Like Kary said, I would be very careful with how these are currently intertwined. It works now, but you could easily break something making the changes. Just keep good notes and make the changes slowly and methodically. Have good dashboards set up before you start making your changes.