5299 Views 10 Replies Latest reply: Apr 20, 2014 2:56 AM by epository
epository Apprentice 89 posts since
Jan 23, 2010

Nov 12, 2013 7:45 AM

HIPS signatures for Application Whitelisting still triggering on exempted Digital Signatures

All,

I decided to give Application Whitelisting a try in our environment.

After several weeks, I created a policy with a fair number of exceptions, including a 6010 and 6011 rule that had about 15 digital signatures... these were added as both "Executable" and "Target Executable".

With that rule and a few others, I was able to get my number of HIPS events down from 44k per day to about 1k per day; however, I am still getting 6010 & 6011 events from a couple of servers where the Executable and Target Executable are both Microsoft-signed code... things like cmd.exe and mstsc.exe.

I set logging to Debug but it just spits out so much info... I can see the violations, but no reason why... it merely says "AllowEx=False". It doesn't seem to be triggering on all signed code, just some.

I have used clientcontrol.exe for a couple of commands, like

clientcontrol.exe /log 0 4

to get the except_db file to generate, and I have pored over that.

I also used

clientcontrol.exe /exportconfig <PATH> 4

to get the list of exceptions.

The only thing I can kind of see is that it appears except_db.exe goes through all the .exe's on a computer and determines whether they are exempt or not based on whatever exception criteria you have created.

It also appears to go to your "Trusted Programs" list and creates a list of those as well, and denotes what signatures they are exempt for.

So, in my case, neither spuchostservice.exe nor cmd.exe shows up in the except_db file, leading me to believe something is amiss... how to fix it, I have no idea.

I am hoping someone out in EPO-land can tell me the reason for the except_db file and what I should be looking for.

  • greatscott Champion 293 posts since
    Jul 18, 2011

    Take a look in the Digital Signer Paths that you have added. Some will list the state as "ST=WASHINGTON, C=US", and some will list it as "S=WASHINGTON, C=US". Could be a discrepancy here. And if I remember correctly, one will take care of both, but I cannot recall...

  • Kary Tankink McAfee Employee 659 posts since
    Mar 3, 2010

    greatscott wrote:

        Take a look in the Digital Signer Paths that you have added. Some will list the state as "ST=WASHINGTON, C=US", and some will list it as "S=WASHINGTON, C=US". Could be a discrepancy here. And if I remember correctly, one will take care of both, but I cannot recall...

    That shouldn't be an issue here. See:

    KB72290 - Host Intrusion Prevention 8.0 Extension normalizes digital signer data ("S=" is normalized to "ST=")
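The first post builds its 6010/6011 exceptions from digital signers, and the KB cited above says the HIPS extension stores the state attribute as "ST=". The following PowerShell is an added example, not code from this thread or from McAfee: it inventories the executables under a few roots, records each file's Authenticode signer with the "S=" attribute normalized to "ST=" the same way, and groups the results by signer so you can see which signer strings would cover the most binaries and which files no signer-based exception can cover. It assumes PowerShell 5.1 on Windows (SignatureType and IsOSBinary on the Signature object are 5.x additions); the roots and report path are placeholders.

```powershell
# Added example, not code from the thread or from McAfee: inventory the .exe
# files under a few roots, record each file's Authenticode signer, and group the
# results by signer DN so a 6010/6011 digital-signature exception list can be
# built from what is actually on the server.
# Assumptions: PowerShell 5.1 on Windows (SignatureType and IsOSBinary on the
# Signature object are 5.x additions); the roots and report path are placeholders.
param(
    [string[]] $Roots  = @('C:\Windows\System32', 'C:\Program Files', 'C:\Program Files (x86)'),
    [string]   $Report = 'C:\Temp\signers.csv'
)

function Get-NormalizedSubject {
    # .NET renders stateOrProvinceName as "S="; per KB72290 the HIPS 8.0 extension
    # stores it as "ST=". Normalize the same way so the strings compare cleanly
    # against what the console holds. Only a leading "S=" or one that follows a
    # comma is touched, so an existing "ST=" is left alone.
    param([string] $Subject)
    if (-not $Subject) { return '' }
    return ($Subject -replace '(^|,\s*)S=', '$1ST=')
}

$rows = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
                IsOSBinary    = $sig.IsOSBinary
                Signer        = Get-NormalizedSubject $sig.SignerCertificate.Subject
                Thumbprint    = $sig.SignerCertificate.Thumbprint
            }
        }
}

$rows | Export-Csv -LiteralPath $Report -NoTypeInformation

# Candidate signer strings, most-covering first. A handful of signers usually
# account for most binaries; everything else needs a path or hash rule instead.
$rows | Where-Object Status -eq 'Valid' |
    Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

# Binaries that no signer-based exception can cover.
$rows | Where-Object Status -ne 'Valid' |
    Select-Object Path, Status | Format-Table -AutoSize
```

Run it on the server that is still raising events and compare the Signer column for the offending binaries against the signer strings in the policy. Many Windows binaries are catalog-signed rather than carrying an embedded signature; PowerShell 5.x reports those with SignatureType Catalog, while older PowerShell versions do not consult catalogs and list them as NotSigned, so take the inventory on a 5.x host or the catalog-signed files will look unsigned. Whether HIPS itself treats catalog and embedded signatures alike is not something this thread establishes.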

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009

    I realize that it is possible to do some whitelisting with Host IPS. However, this is definitely not the product you should try this with. McAfee Application Control uses a model that is MUCH simpler than what was in HIPS. It is the difference in managing lists versus managing the rules for how a list changes. While this is a "supported" path that you are on, I have to respectfully and politely say that I think it is nuts and a complete waste of time. It will consume between 10X and 100X more time to try this with Host IPS than it requires with MAC. If you were one of my customers directly (I have named accounts) I'd be having an intervention with you to help convince you to try this with the proper product.

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009

    We didn't "add" the ability to Host IPS. It has been there since we bought it years ago. In fact, in later versions the GUI interface was completely removed. We purchased Solidcore several years ago and it provides vastly superior management of application control. What is in Host IPS will require several people to maintain on a regular basis and will provide inferior capabilities when it comes to determining if you accidentally placed the wrong item on the list. If I knew a way to convince the government to stop wasting my money I would. It really does require 10-100X the effort to maintain. That wasn't an exaggeration at all. You will NEVER be done and will constantly fight getting the whitelist complete.

    You are really using the wrong product here. This is the one you want to check out:

    http://www.mcafee.com/us/products/application-control.aspx

    As a commercial/enterprise person I probably lack the clearance or the contacts to help you with any "informing". There are other agencies that do use that product and there are definitely a lot of public companies that do.

  • greatscott Champion 293 posts since
    Jul 18, 2011

    I can sympathise with epository, and also concur with Peter. IPS shouldn't be used this way, and I severely doubt we will ever locate true positive data for a blocked application via 6010/6011. But as epository stated, some of us are hamstrung by requirements to use it, so we will. Tuning it is near impossible with any large environment, and our hopes of ever rolling these signatures to blocking is close to 0.

  • lrock Newcomer 36 posts since
    Dec 7, 2010

    @epository Interested in how things are going. I have put in several hours working on a whitelist for HIPS 8 / Servers using a list of exe from each server via:

    dir /b /s *.exe >> drive\path\data.txt

    applying these to 6010 and 6011.

    Part of DoD, I also am not able to use McAfee Application Control at this time. That being said, we are also experimenting with Microsoft AppLocker for our workstations, which has worked well so far in testing.

    Curious - in following the McAfee HIPS 8.0 DoD Methodology document, it's suggested that I create exceptions by path and not for every exe alone.

    Example: instead of making an exception for every exe in system32, do

    c:\windows\system32\*.exe

    If you're using the method also, do you find this to work well?

    Example:

    c:\Windows\Installer\{*}\*.exe

    Thanks

    Lrock
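lrock's approach is a flat "dir /b /s *.exe" inventory turned into per-directory wildcard exceptions, with a {*} pattern standing in for the per-product GUID folders under C:\Windows\Installer. The following PowerShell is an added example, not code from this thread, from McAfee or from the DoD methodology document: it collapses such an inventory into those wildcard patterns, counts how many inventoried binaries each pattern covers, and flags any directory that ordinary users can write to, because a wildcard exception on a user-writable directory also exempts whatever an attacker drops there. It assumes PowerShell 5.1; $Inventory is a constructed sample standing in for data.txt, and the vendor and GUID paths in it are illustrative.

```powershell
# Added example, not code from the thread or from McAfee: turn a flat
# "dir /b /s *.exe" inventory into per-directory wildcard patterns of the kind
# lrock describes, collapse {GUID} directories under C:\Windows\Installer into
# a single {*} pattern, and flag directories that ordinary users can write to,
# where a wildcard exception would also cover any binary an attacker drops there.
# Assumptions: PowerShell 5.1; $Inventory below is a constructed sample standing
# in for data.txt; the vendor and GUID paths are illustrative.
$Inventory = @'
C:\Windows\System32\cmd.exe
C:\Windows\System32\mstsc.exe
C:\Windows\System32\notepad.exe
C:\Windows\Installer\{8A1C4E2B-0000-4000-8000-000000000001}\setup.exe
C:\Windows\Installer\{8A1C4E2B-0000-4000-8000-000000000002}\setup.exe
C:\Program Files\Vendor\App\app.exe
C:\Users\Public\tool.exe
'@ -split "`r?`n" | Where-Object { $_.Trim() }

# A "\{GUID}" path component, e.g. "\{8A1C4E2B-0000-4000-8000-000000000001}".
$GuidDir = '\\\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}'

function Get-WildcardPattern {
    # C:\dir\sub\x.exe -> C:\dir\sub\*.exe ; a {GUID} component becomes {*}.
    param([string] $Path)
    $dir = Split-Path -Parent $Path
    if ($dir -match $GuidDir) { $dir = $dir -replace $GuidDir, '\{*}' }
    return (Join-Path -Path $dir -ChildPath '*.exe')
}

function Test-UserWritable {
    # $true when Users, Authenticated Users or Everyone hold an Allow ACE granting
    # write-type rights on the directory; $null when the directory is not on this
    # host (the check only means something on the server that owns the path).
    param([string] $Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $null }
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

$patterns = $Inventory | ForEach-Object { Get-WildcardPattern $_ } | Sort-Object -Unique
foreach ($pattern in $patterns) {
    $dir = Split-Path -Parent $pattern
    # A {*} directory cannot be ACL-checked as one path; check each real {GUID} dir instead.
    $writable = if ($dir.Contains('{*}')) { 'per-GUID dir' } else { Test-UserWritable $dir }
    [pscustomobject]@{
        Pattern      = $pattern
        Covers       = @($Inventory | Where-Object { $_ -like $pattern }).Count
        UserWritable = $writable
    }
}
```

With the sample above, the System32 pattern covers three binaries and the Installer {*} pattern covers both GUID folders, which is the consolidation lrock is after. The UserWritable column is the check to read before promoting a pattern into the policy: a pattern whose directory comes back $true is a path exception that any local user can extend with a binary of their own, and that directory is better served by per-file or signer-based rules. Run the script on the server that produced data.txt, since ACLs on another machine say nothing about the paths in question.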
