630 Views 5 Replies Latest reply: Jul 26, 2013 1:19 PM by damageinc
greatscott Champion 287 posts since
Jul 18, 2011

Jun 14, 2013 1:01 PM

6015 signature

After the recent HIPS content update, we are seeing a large amount of false positive events generating from the 6015 signature. It seems that most of the threat source process names are pertaining to Citrix processes. Just wanted to see if anyone else was seeing the same after the signature was modified again.

  • damageinc Apprentice 51 posts since
    Nov 22, 2011
    1. Jul 26, 2013 9:44 AM (in response to greatscott)
    Re: 6015 signature

    I'm also having a tough time with this signature since the last content update.  It seems that every time there's a content update we have problems with this signature blocking new things.  I'm on the verge of disabling it permanently.  Can someone from McAfee explain the value of this signature for us?

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    2. Jul 26, 2013 10:39 AM (in response to damageinc)
    Re: 6015 signature

    KB59683 - Host Intrusion Prevention 7.0 Content Analysis: IPS Signature 432 - Suspicious Function Invocation

  • damageinc Apprentice 51 posts since
    Nov 22, 2011
    3. Jul 26, 2013 12:17 PM (in response to Kary Tankink)
    Re: 6015 signature

    Kary,

    I've read over the KB provided, and yes, it does describe the signature, so thank you for posting that.  However, upon looking at it, the KB also links to another article (KB60989) about the HIPS 7 incompatibility with Citrix EdgeSight due to signature 432.  McAfee recommends disabling 432 on these servers.

    Since we're getting issues with 6015 (which is a replacement for 432) on Citrix servers, is it McAfee's recommendation to disable 6015 on Citrix servers?  If so, is it advisable to simply create a blanket exception for 6015 for any Citrix process?  I would rather have one IPS rules policy rather than two if necessary.

    Thanks in advance.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    4. Jul 26, 2013 12:31 PM (in response to damageinc)
    Re: 6015 signature

    is it McAfee's recommendation to disable 6015 on Citrix servers?

    IPS exception may work if Citrix processes are triggering this signature, but I have not seen any recommendations of just disabling this signature entirely or just a blanket exception for Citrix processes and this signature.  You might want to open a Service Request to get these reviewed as possible false positives though (need a debug HIPS MER).  Make sure you have the latest HIPS Content applied and that you are using the "McAfee Default" policies for Trusted Applications and IPS Rules in your policy assignments, in addition to any custom policies you have assigned.

  • damageinc Apprentice 51 posts since
    Nov 22, 2011
    5. Jul 26, 2013 1:19 PM (in response to Kary Tankink)
    Re: 6015 signature

    From https://kc.mcafee.com/corporate/index?page=content&id=KB60989...

    Solution

    McAfee recommends that you disable Application Protection Signature 432 on systems that run Citrix EdgeSight.

    According to KB59683, signature 432 has been made into 6012 and 6015 in HIPS 8.
