590 Views 2 Replies Latest reply: Aug 19, 2013 3:02 PM by Kary Tankink RSS
BobStasz Newcomer 34 posts since
Apr 1, 2010

Aug 19, 2013 12:48 PM

Trouble creating Host IPS exception in HIPs 8.0

HIPs 8.0 Host IPS is blocking an internet-based application.  With all other features of HIPs active and Host IPS disabled, the application works fine.  The following entry is in HipShield.log:

 

08-15 15:31:35 [03376] VIOLATION: [1] ------- Violation ---- Size 1385 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1003"
  SignatureName="Windows Agent Shielding - Process Access"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="CROWE-CHIZEK\StaszewskiRA"
  Process="\DEVICE\HARDDISKVOLUME1\USERS\STASZEWSKIRA\APPDATA\LOCAL\SPOON\SERVERS \SPOON201322.BNAITWEB.COM\USERS\ANONYMOUS\SANDBOXES\PLANNER__0-0-0-0__EN-US__DEF AULT__ANYCPU\LOCAL\STUBEXE\0XE837C85DF226A26C\ITWIN.EXE"
  IncidentTime="2013-08-15 15:31:35"
  AllowEx="False"
  SigRuleClass="Program"
  ProcessId="10744"
  Session="1"
  SigRuleDirective="open_with_any"/>
  <Params>
    <Param name="Workstation Name" allowex="True">35743W64</Param>
    <Param name="Target File Name" allowex="False">MCAFEEFIRE.EXE</Param>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\MCAFEE\HOST INTRUSION PREVENTION\MCAFEEFIRE.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=IIS, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=CALIFORNIA, C=US</Param>
    <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Target Description" allowex="False">MCAFEE HIP CLIENT USER INTERFACE</Param>
    <Param name="Target Fingerprint" allowex="False">ab3449a69446d5f421610edfb2471b9d</Param>
  </Params>
</Event>

 

I have attempted to create an IPS Exception but cannot get the exception entered properly in policy to allow the application to run successfully.  The application is BNa Income Tax Planner Web.

 

I am always having difficulty generating successful IPS Exception rules.  Any assistance would be very welcomed.

  • greatscott Champion 283 posts since
    Jul 18, 2011
    1. Aug 19, 2013 2:41 PM (in response to BobStasz)
    Re: Trouble creating Host IPS exception in HIPs 8.0

    I would suggest going into the event, clicking "Action" and selecting "New Exception (HIPS 8.0)". There are sometimes unexplainable issues with manual exception creation.

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    2. Aug 19, 2013 3:02 PM (in response to BobStasz)
    Re: Trouble creating Host IPS exception in HIPs 8.0

    Creating IPS exceptions for Signature 1000-1003 is not recommended, as these are the HIPS self-protection signatures.  These signatures prevent users/applications from gaining access to HIPS files/registry/process activity.  Instead, find a way to prevent the 3rd party application from triggering the signature (through its own configuration; exclusions, etc.)

     

    Creating exceptions for Sig 1000-1003 can compromise the HIPS product functionality (i.e., 3rd party could gain access to modify the HIPS process in memory, or files, or registry, etc.).
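
Added example, not part of the original thread and not McAfee tooling: a Python parser for `<Event>` blocks in the HipShield.log format quoted in the question, which flags signatures 1000-1003 (the self-protection range named in the reply above) so they are not treated as exception candidates. The sample log is constructed: the first event is abridged from the question with a placeholder process path, the second event (ID 9999, its paths and file names) is made up for contrast, and `triage` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Signatures 1000-1003 are the HIPS self-protection signatures (per the reply above).
SELF_PROTECTION_IDS = range(1000, 1004)
EVENT_RE = re.compile(r"<Event>.*?</Event>", re.DOTALL)

# Constructed sample log; see the lead-in for which values are placeholders.
SAMPLE_LOG = r'''08-15 15:31:35 [03376] VIOLATION: [1] ------- Violation ---- Size 1385 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1003"
  SignatureName="Windows Agent Shielding - Process Access"
  Process="C:\EXAMPLE\ITWIN.EXE"/>
  <Params>
    <Param name="Target File Name" allowex="False">MCAFEEFIRE.EXE</Param>
  </Params>
</Event>
08-15 15:40:00 [03376] VIOLATION: [1] ------- Violation ---- Size 400 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="9999"
  SignatureName="Constructed placeholder signature"
  Process="C:\EXAMPLE\APP.EXE"/>
  <Params>
    <Param name="Target File Name" allowex="False">DATA.TXT</Param>
  </Params>
</Event>
'''

def triage(log_text):
    """Return one dict per <Event> block, flagging self-protection signatures."""
    findings = []
    for block in EVENT_RE.findall(log_text):
        try:
            event = ET.fromstring(block)
        except ET.ParseError:
            continue  # truncated or corrupted entry: skip rather than guess
        data = event.find("EventData")
        if data is None or not (data.get("SignatureID") or "").isdigit():
            continue
        sig_id = int(data.get("SignatureID"))
        params = {p.get("name"): (p.text or "") for p in event.iter("Param")}
        findings.append({"signature_id": sig_id, "process": data.get("Process"),
                         "target": params.get("Target File Name", ""),
                         "self_protection": sig_id in SELF_PROTECTION_IDS})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        note = "self-protection: do not except" if f["self_protection"] else "review"
        print(f["signature_id"], f["process"], "->", f["target"], ":", note)
```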
