2 Replies. Latest reply: Aug 19, 2013 3:02 PM by Kary Tankink

    Trouble creating Host IPS exception in HIPs 8.0

    BobStasz

      HIPs 8.0 Host IPS is blocking an internet-based application.  With all other features of HIPs active, the application works fine with Host IPS disabled.  The following entry is in HipShield.log:

       

      08-15 15:31:35 [03376] VIOLATION: [1] ------- Violation ---- Size 1385 ----

      <Event> <!-- Level=High, Reaction=Prevent -->

        <EventData

        SignatureID="1003"

        SignatureName="Windows Agent Shielding - Process Access"

        SeverityLevel="4"

        Reaction="3"

        ProcessUserName="CROWE-CHIZEK\StaszewskiRA"

        Process="\DEVICE\HARDDISKVOLUME1\USERS\STASZEWSKIRA\APPDATA\LOCAL\SPOON\SERVERS\SPOON201322.BNAITWEB.COM\USERS\ANONYMOUS\SANDBOXES\PLANNER__0-0-0-0__EN-US__DEFAULT__ANYCPU\LOCAL\STUBEXE\0XE837C85DF226A26C\ITWIN.EXE"

        IncidentTime="2013-08-15 15:31:35"

        AllowEx="False"

        SigRuleClass="Program"

        ProcessId="10744"

        Session="1"

        SigRuleDirective="open_with_any"/>

        <Params>

          <Param name="Workstation Name" allowex="True">35743W64</Param>

          <Param name="Target File Name" allowex="False">MCAFEEFIRE.EXE</Param>

          <Param name="Target Path" allowex="False">C:\PROGRAM FILES\MCAFEE\HOST INTRUSION PREVENTION\MCAFEEFIRE.EXE</Param>

          <Param name="Target Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=IIS, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=CALIFORNIA, C=US</Param>

          <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>

          <Param name="Target Description" allowex="False">MCAFEE HIP CLIENT USER INTERFACE</Param>

          <Param name="Target Fingerprint" allowex="False">ab3449a69446d5f421610edfb2471b9d</Param>

        </Params>

      </Event>

       

      I have attempted to create an IPS exception but cannot get the exception entered properly in policy to allow the application to run successfully.  The application is BNA Income Tax Planner Web.

       

      I am always having difficulty generating successful IPS exception rules.  Any assistance would be very welcome.

        • 1. Re: Trouble creating Host IPS exception in HIPs 8.0
          greatscott

          I would suggest going into the event, clicking "Action" and selecting "New Exception (HIPS 8.0)". There are sometimes unexplainable issues with manual exception creation.

          • 2. Re: Trouble creating Host IPS exception in HIPs 8.0
            Kary Tankink

            Creating IPS exceptions for Signatures 1000-1003 is not recommended, as these are the HIPS self-protection signatures.  These signatures prevent users/applications from gaining access to HIPS files/registry/process activity.  Instead, find a way to prevent the 3rd party application from triggering the signature (through its own configuration; exclusions, etc.).

             

            Creating exceptions for Sig 1000-1003 can compromise the HIPS product functionality (i.e., 3rd party could gain access to modify the HIPS process in memory, or files, or registry, etc.).
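
Added example (not part of the thread and not McAfee code): a small triage script that parses violation events in the format shown in the question and flags those raised by signatures 1000-1003, so they are handled by reconfiguring the application rather than by an exception. It assumes each event appears in the log as a well-formed `<Event>` block as posted; the sample log, the function name and signature 9999 are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The final reply identifies signatures 1000-1003 as HIPS self-protection.
SELF_PROTECTION_IDS = range(1000, 1004)

# Constructed sample modelled on the log entry in the question; the process
# path and the second event (signature 9999) are made-up placeholders.
SAMPLE_LOG = r'''08-15 15:31:35 [03376] VIOLATION: [1] ------- Violation ---- Size 1385 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1003"
  SignatureName="Windows Agent Shielding - Process Access"
  Process="\DEVICE\HARDDISKVOLUME1\USERS\USER1\APPDATA\LOCAL\EXAMPLE\APP.EXE"
  SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\MCAFEE\HOST INTRUSION PREVENTION\MCAFEEFIRE.EXE</Param>
  </Params>
</Event>
08-15 15:40:02 [03376] VIOLATION: [2] ------- Violation ---- Size 900 ----
<Event> <!-- Level=Medium, Reaction=Prevent -->
  <EventData SignatureID="9999" SignatureName="Constructed non-shielding signature"
  Process="C:\EXAMPLE\OTHER.EXE" SigRuleDirective="write"/>
  <Params><Param name="Target Path" allowex="True">C:\EXAMPLE\DATA.TXT</Param></Params>
</Event>
'''

def triage_violations(log_text):
    """Parse every <Event> block and mark self-protection violations."""
    results = []
    for block in re.findall(r"<Event>.*?</Event>", log_text, flags=re.DOTALL):
        event = ET.fromstring(block)
        data = event.find("EventData")
        params = {p.get("name"): p.text for p in event.iter("Param")}
        sig_id = int(data.get("SignatureID"))
        results.append({
            "signature_id": sig_id,
            "signature_name": data.get("SignatureName"),
            "process": data.get("Process"),
            "target_path": params.get("Target Path"),
            "self_protection": sig_id in SELF_PROTECTION_IDS,
        })
    return results

if __name__ == "__main__":
    for v in triage_violations(SAMPLE_LOG):
        advice = ("no exception; reconfigure the application"
                  if v["self_protection"] else "candidate for exception review")
        print(f'{v["signature_id"]} {v["process"]} -> {v["target_path"]}: {advice}')
```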