1604 Views, 16 Replies. Latest reply: Oct 15, 2013 9:25 AM by greatscott
dmease729 (Champion, 267 posts since Jul 22, 2011), posted Sep 2, 2013 5:52 AM

Can meaningful exceptions be configured for signature 1226?

Hi,

 

A bit of background before the actual question, which in summary is "Can meaningful exceptions be configured for signature 1226?".  I am also including sigs 531 and 532 in this, as I am running into the same problem.

 

Host IPS 8.0 is currently running in adaptive mode.  To confirm adaptive mode was operating as required, I tweaked signature 413 (severity and client rules settings), copied calc.exe to calc.xls.exe, and then ran the new executable.  Sent the props, ran the property translator task, and hey presto, it is sitting in ePO as an IPS client rule.

 

Now I know that I ran the executable from Windows Explorer, so what I am seeing makes sense.  The description of the signature in question (snipped) is:

 

"...This event indicates that a file with two extensions (such as readme.txt.exe) was run..."
"...To execute legal programs that contain multiple extensions ... ... create an exception for this security event so that your trusted file is exempt from triggering this signature."

 

So coming back to the fact that I know what happened, examining a few fields in the client rule generated:

 

Full executable name: C:\WINDOWS\EXPLORER.EXE
Secondary Full executable name: C:\TEMP\CALC.XLS.EXE

 

Makes sense!  If I see something else along these lines that I have initiated, I will have all of the information to act, either initiating a security incident or creating relevant exceptions.

 

While I was testing, there were a number of other things happening in the background, and I noted some other client rules generated:

 

Sig ID: 1226 (...MS IIS process has tried to modify a file outside its own directory...)
Full executable name: C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE
<Other information deemed helpful in this case>: none
<Further information obtainable from HIPS console on target server>: none

 

So... do I take it from this that if the action is legitimate, we can only configure an exception for W3WP.EXE as a whole, no matter what it is trying to modify, as we don't know in this instance what it has tried to modify?  There is no way to add an exclusion to say 'W3WP.EXE can modify X, Y and Z, but that is all'?

 

cheers,
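Added example, not code from the original post or from McAfee: a Python check that mirrors the double-extension pattern signature 413 describes (the calc.xls.exe test above), including the cases a naive "two dots in the name" rule would get wrong. The extension lists and function names are assumptions for illustration, not McAfee's detection logic.

```python
"""Added example (not from the thread): a check mirroring what Host IPS
signature 413 describes, a file whose name carries two extensions with an
executable one last (readme.txt.exe, calc.xls.exe). The extension sets and
function names are assumptions for illustration, not McAfee's implementation.
"""
import ntpath

# Final extensions Windows runs as a program (assumed, illustrative list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

# Inner extensions that make the file look like a document (assumed list).
DISGUISE_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png"}


def split_extensions(path):
    """Return the lowercase extensions of a Windows path's basename, in order.

    r'C:\\TEMP\\CALC.XLS.EXE' -> ['.xls', '.exe'];  'calc.exe' -> ['.exe']
    ntpath handles backslash separators even when run on a non-Windows host.
    """
    name = ntpath.basename(path).lower()
    parts = name.split(".")
    # parts[0] is the stem; everything after it is an extension
    return ["." + p for p in parts[1:] if p]


def is_double_extension_executable(path):
    """True when the file would execute (last extension) and an earlier
    extension suggests a document, the pattern signature 413 describes.

    A second dot alone is not enough: archive.tar.gz does not execute and
    setup.v2.exe is a version tag, not a disguise, so both return False.
    """
    exts = split_extensions(path)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(e in DISGUISE_EXTS for e in exts[:-1])


def classify(paths):
    """Map each path to a verdict, for reviewing a batch of executed files."""
    return {p: is_double_extension_executable(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample, including the path from the post's own test.
    SAMPLE = [
        r"C:\TEMP\CALC.XLS.EXE",
        r"C:\WINDOWS\system32\calc.exe",
        r"C:\Users\me\Downloads\readme.txt.exe",
        r"C:\build\archive.tar.gz",
        r"C:\tools\setup.v2.exe",
    ]
    for p, hit in classify(SAMPLE).items():
        print(f"{'HIT ' if hit else 'ok  '} {p}")
```

The two sets are the tuning knobs: widening DISGUISE_EXTS catches more disguises at the cost of flagging legitimate names such as build artifacts, which is the same precision trade-off the rest of the thread discusses for exceptions.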

  • greatscott Champion 287 posts since
    Jul 18, 2011

    Yes, you can create exceptions for 1226 without using just the executable as a whole. For some reason I have had some issues with this signature, though. First, what you would do is look at a 1226 event. As you noted, it will be w3wp.exe as the threat source process name attempting to modify some other arbitrary file path. To find this path, look at the event in ePO, at the bottom under "Host IPS 8.0 Event Information". This path will be listed as "Files".

     

    Once you have these bits of data, (the signature, threat source process name, and file), you can create the exception. In the exception, specify the signature, put the threat source process name in as the "executable", and your "files" will go under the parameters section in the exceptions builder.

     

    So your answer is yes, you can specify that w3wp.exe can only modify x, y and z. You have to specify x, y, and z in the "parameters" section of the exceptions builder.

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009

    Part of the problem is running the IPS module in Adaptive mode. You should NEVER use Adaptive mode to discover what exceptions you need. That's the wrong use case. You only use Adaptive mode for very short periods to get the format of the client exception correct. Adaptive mode basically creates rules for every non-exploit event. And that's definitely not what you want. Everyone downloads the best practices guide and then promptly ignores what it says (assuming they actually read it in the first place)...

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009

    And there are no meaningful exclusions for this particular rule. I find it extremely annoying and have classified it as a "junk" rule. It is one of several I commonly disable. It might have worked circa 2005 when it was created. Now it just causes issues.

  • greatscott Champion 287 posts since
    Jul 18, 2011

    dmease, I wasn't saying in the client rule; I'm talking about if you have adaptive mode turned OFF and you see a 1226 event come into ePO in the Threat Event log. Click into the specific 1226 event in ePO. Look toward the bottom for the advanced parameter data. You will see the section I am talking about. It will generally have a Files section, subject distinguished name, etc. That "Files" section will yield the file name for the advanced parameter you are looking for.

     

    Or you can heed Peter's advice and chalk it up to being a "Junk" rule. 

  • greatscott Champion 287 posts since
    Jul 18, 2011

    I don't particularly subscribe to the whole "adaptive mode" deal. I like creating the exceptions without all the tertiary crap that gets put into exceptions that are created automatically.

     

    Back to the 1226 and w3wp.exe talk. I feel like right on the same day that the HIPS content update was released last month (14 August 2013), we had a definite inflection in w3wp.exe events, for several threat names. The content update did not include any of the threat names that are firing in the graph below, but I can't help but think they were somehow modified. The lines are threat target hostnames, and they are IIS servers; also, these events are filtered by w3wp.exe threat source process name.

     

    so, sequence of events:

    1. 14 August 2013 - HIPS content was released

    2. 15 August 2013 - Major inflection of w3wp.exe related events on all IIS servers

    3. 2 September 2013 - People making posts about how to tune 1226 and w3wp.exe (could just be coincidental)

     

    Inflection: [attached image w3wp.png, a graph of threat events filtered by w3wp.exe threat source process name, one line per IIS server hostname]

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010

    dmease729 wrote:

     

    Peter - I don't understand the comment "You only use Adaptive mode for very short periods to get the format of the client exception correct." - If it is for formatting purposes only, what is the point of adaptive mode?  The best practice section in the install guide clearly states:

     

    To explain it a little further, IPS Adaptive mode is limited in its use.  It can be used for creating IPS exceptions automatically, but when you add these IPS Client Rules to your policy, they need to be tweaked.  You don't just add every client rule in as necessary.  If one signature has violations for 10 applications, you don't add each unique client rule to your policy.  You might add one IPS exception and add 10 different applications to it (granted, you're only adding Signature and Application details; more IPS Parameters details will require more IPS exceptions to be created).  This is how you "optimize" your policy.

    Another example would be 1 Signature, 1 Application, but 10 different files or registry parameters.  Again, you don't want multiple IPS exceptions created for you; you'd want to try to "group" these violations into a more general exception.  You CAN create many exceptions, depending on different factors of the violation (if an IPS exception requires some specific parameters to be used), but generally, you want to make the exceptions broad.

    Like Firewall Rules, the more specific you make the rule/exception, the more rules you are going to need to effectively manage your policy.  An example for Firewall Rules would be something like:  1) create a Firewall policy that allows all Outbound traffic, but only limited Inbound, or 2) create a Firewall Rule that has limited Outgoing and limited Incoming.  Policy #1 is not going to be as big as policy #2, but it won't be as secure.  In managing your IPS and FW policies, you'll need to find a balance of this.

     

    Also, with IPS Adaptive mode, the Signature has to allow Adaptive mode functionality.  If you look at the IPS Signatures, there is an option.  Many IPS signatures have this disabled, which means Adaptive mode will not work for that signature at all (unless you change it).  Rather than using Adaptive mode for IPS to automatically create IPS exceptions that you tweak, you can instead use the IPS event to manually create the same IPS exception, then tweak afterwards.  Due to this, I typically suggest not using Adaptive mode to create automatic exceptions, and suggest instead just finding the IPS event and creating the exception off of that.  Either way, you get the same IPS Client Rule added to your policy, that you then have to tweak further.
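Added example, not code from the thread or from McAfee: greatscott's reply above says a 1226 exception is built from the signature, the executable (threat source process name) and the "Files" advanced parameter, and Kary's reply says to group violations into one broad exception per signature and application rather than adding one client rule per event. The script below does exactly that over a constructed set of threat events, sets aside events that carry no Files value (the situation in the original post, where only a process-wide exception is possible), and checks which events a hand-widened wildcard exception would silence. The event field names, the exception shape and the fnmatch-style wildcard syntax are assumptions for illustration, not ePO's schema.

```python
"""Added example (not from the thread): fold Host IPS events into a few
broad exceptions (signature + executable + file parameters) and test coverage.
Field names, exception shape and wildcard syntax are assumptions, not McAfee's.
"""
from collections import defaultdict
import fnmatch

# Constructed sample of threat events as an ePO export might present them.
# "files" models the advanced-parameter "Files" field; None models an event
# where that field is absent, as in the original post.
EVENTS = [
    {"sig": 1226, "host": "iis01", "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex130815.log"},
    {"sig": 1226, "host": "iis01", "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": r"C:\inetpub\temp\appPools\DefaultAppPool\DefaultAppPool.config"},
    {"sig": 1226, "host": "iis02", "process": r"C:\Windows\SysWOW64\inetsrv\w3wp.exe",
     "files": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex130816.log"},
    {"sig": 1226, "host": "iis02", "process": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
     "files": None},
    {"sig": 413, "host": "ws07", "process": r"C:\WINDOWS\EXPLORER.EXE",
     "files": r"C:\TEMP\CALC.XLS.EXE"},
]


def propose_exceptions(events):
    """One exception per (signature, executable) listing every observed file.

    Returns (exceptions, unscoped): events with no Files value cannot be
    scoped to files, so they are handed back for an analyst to decide whether
    a process-wide exception (empty file list) is acceptable.
    """
    grouped = defaultdict(set)
    unscoped = []
    for ev in events:
        key = (ev["sig"], ev["process"].lower())   # Windows paths: case-insensitive
        if ev["files"] is None:
            unscoped.append(ev)
            continue
        grouped[key].add(ev["files"].lower())
    exceptions = [
        {"signature": sig, "executable": proc, "files": sorted(files)}
        for (sig, proc), files in sorted(grouped.items())
    ]
    return exceptions, unscoped


def covers(exception, event):
    """True if the event would be silenced by the exception.

    File entries may be wildcard patterns (assumed fnmatch-style * and ?),
    which is how an analyst widens a proposed exception instead of listing
    every per-day log file. An empty file list means process-wide.
    """
    if event["sig"] != exception["signature"]:
        return False
    if event["process"].lower() != exception["executable"].lower():
        return False
    if event["files"] is None:
        return not exception["files"]      # only a process-wide exception applies
    f = event["files"].lower()
    return any(fnmatch.fnmatchcase(f, pat.lower()) for pat in exception["files"])


def unmatched(events, exceptions):
    """Events that would still fire under the given exception set."""
    return [ev for ev in events if not any(covers(x, ev) for x in exceptions)]


if __name__ == "__main__":
    proposed, unscoped = propose_exceptions(EVENTS)
    for x in proposed:
        print(f"sig {x['signature']}  exe {x['executable']}")
        for f in x["files"]:
            print("    file:", f)
    print(f"{len(unscoped)} event(s) carried no Files parameter (process-wide only)")

    # Analyst widens the w3wp.exe log-file entries to one pattern (assumed syntax).
    broad = {"signature": 1226,
             "executable": r"C:\WINDOWS\SYSWOW64\INETSRV\W3WP.EXE",
             "files": [r"C:\inetpub\logs\LogFiles\*\*.log"]}
    for ev in unmatched(EVENTS, [broad]):
        print("still fires:", ev["host"], ev["sig"], ev["files"])
```

Running it shows the trade-off Kary describes: the wildcard exception silences the log writes on both IIS servers but leaves the applicationHost config write and the event with no Files value visible, which is the information needed to decide between adding a second parameter and accepting a process-wide exception.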

  • damageinc Apprentice 51 posts since
    Nov 22, 2011

    Scott,

     

    Thanks for posting the info about the last content update.  I also saw a massive blow up in the IIS-related events that started on the date of the most recent content update.  I wonder if there was a phantom update to this signature, because they were not listed in the August content update.

     

    Secondly, if a McAfee employee is on the record on the forums as saying a certain signature is "junk", then why does this signature even exist?

     

    -DamageInc
