5 Replies Latest reply: Jul 26, 2013 1:19 PM by damageinc

    6015 signature


      After the recent HIPS content update, we are seeing a large number of false positive events generated by the 6015 signature. It seems that most of the threat source process names pertain to Citrix processes. Just wanted to see if anyone else was seeing the same after the signature was modified again.

        • 1. Re: 6015 signature

          I'm also having a tough time with this signature since the last content update.  It seems that every time there's a content update we have problems with this signature blocking new things.  I'm on the verge of disabling it permanently.  Can someone from McAfee explain the value of this signature for us?

          • 2. Re: 6015 signature
            Kary Tankink

            KB59683 - Host Intrusion Prevention 7.0 Content Analysis: IPS Signature 432 - Suspicious Function Invocation

            • 3. Re: 6015 signature



              I've read over the KB provided, and yes, it does describe the signature, so thank you for posting that.  However, upon looking at it, the KB also links to another article (KB60989) about the HIPS 7 incompatibility with Citrix Edgesight due to signature 432.  McAfee recommends disabling 432 on these servers.


              Since we're getting issues with 6015 (which is a replacement for 432) on Citrix servers, is it McAfee's recommendation to disable 6015 on Citrix servers?  If so, is it advisable to simply create a blanket exception for 6015 for any Citrix process?  I would rather have one IPS rules policy rather than two if necessary.


              Thanks in advance.

              • 4. Re: 6015 signature
                Kary Tankink

                is it McAfee's recommendation to disable 6015 on Citrix servers?

                IPS exception may work if Citrix processes are triggering this signature, but I have not seen any recommendations of just disabling this signature entirely or just a blanket exception for Citrix processes and this signature.  You might want to open a Service Request to get these reviewed as possible false positives though (need a debug HIPS MER).  Make sure you have the latest HIPS Content applied and that you are using the "McAfee Default" policies for Trusted Applications and IPS Rules in your policy assignments, in addition to any custom policies you have assigned.

                • 5. Re: 6015 signature

                  From https://kc.mcafee.com/corporate/index?page=content&id=KB60989...


                  McAfee recommends that you disable Application Protection Signature 432 on systems that run Citrix EdgeSight.


                  According to KB59683, signature 432 has been made into 6012 and 6015 in HIPS 8.