8 Replies Latest reply: Dec 12, 2013 2:41 PM by damageinc

    HIPS Signature 8000

    damageinc

      Two questions:

      1. Why was there an out of cycle content update on November 21st?

2. Whose idea was it to put signature 8000 in a blocking (low) severity in this content update?  This seems to block anyone from opening a PDF.  We received over 50,000 events from people being blocked from opening PDFs today.

      Can someone from McAfee explain how this signature was tested?  I never realized that a user opening a PDF was actually a remote code execution attack.

      Message was edited by: damageinc on 11/22/13 3:10:20 PM CST
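The "50,000 events in a day" symptom above is the classic signal of a misfiring signature after a content update: one signature id suddenly accounts for nearly all blocks, and the blocked process is an everyday application. The following is an added triage script, not code from this thread or from McAfee; it assumes a simple CSV export of Host IPS events (the column layout is an assumption, not ePO's real export format) and uses constructed sample rows for signature ids 8000, 8001 and 8002. It ranks signatures by block volume, flags any single signature that dominates the block count, and reports which process it is mostly blocking, so an analyst can spot "sig 8000 is blocking the PDF reader" from the event stream instead of from the trouble-call queue.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of Host IPS events as they might be exported from ePO.
# The column layout is an assumption for this example, not McAfee's real
# export format; signature ids 8000-8002 are the ones discussed in the thread.
SAMPLE_EVENTS = """\
time,sig_id,severity,reaction,process
2013-11-22T08:01:02,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:01:09,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:02:15,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:02:40,8000,Low,Blocked,FoxitReader.exe
2013-11-22T08:03:01,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:03:33,8001,Low,Blocked,outlook.exe
2013-11-22T08:04:10,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:04:48,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:05:02,8002,Low,Blocked,chrome.exe
2013-11-22T08:05:30,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:06:11,8000,Low,Blocked,FoxitReader.exe
2013-11-22T08:06:50,8000,Low,Blocked,AcroRd32.exe
2013-11-22T08:07:05,8002,Information,Permitted,chrome.exe
"""


def parse_events(text):
    """Parse the CSV event export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def blocks_per_signature(events):
    """Count blocking events per signature id, and which processes were blocked."""
    counts = Counter()
    procs = defaultdict(Counter)
    for ev in events:
        if ev["reaction"] != "Blocked":
            continue  # logged/permitted events do not disrupt users
        counts[ev["sig_id"]] += 1
        procs[ev["sig_id"]][ev["process"]] += 1
    return counts, procs


def noisy_signatures(events, min_blocks=5, min_share=0.8):
    """Flag signatures that produce at least `min_blocks` blocks AND account
    for at least `min_share` of all blocks in the window.  One signature
    dominating the block volume right after a content update is the pattern
    the thread describes; the top blocked process shows what it broke."""
    counts, procs = blocks_per_signature(events)
    total = sum(counts.values())
    flagged = []
    for sig, n in counts.most_common():
        if n >= min_blocks and total and n / total >= min_share:
            top_proc, top_n = procs[sig].most_common(1)[0]
            flagged.append({
                "sig_id": sig,
                "blocks": n,
                "share_of_blocks": round(n / total, 3),
                "top_process": top_proc,
                "top_process_share": round(top_n / n, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in noisy_signatures(parse_events(SAMPLE_EVENTS)):
        print(f"sig {hit['sig_id']}: {hit['blocks']} blocks "
              f"({hit['share_of_blocks']:.0%} of all blocks), "
              f"mostly {hit['top_process']} ({hit['top_process_share']:.0%})")
```

On the constructed sample this reports signature 8000 with 10 of 12 blocks, 80% of them against AcroRd32.exe. Run over a real export taken in the first hour after a content update, the same check gives an early, quantitative basis for the severity downgrade Kary describes later in the thread (changing the signature's severity in the IPS Rules policy) rather than waiting for users to report that PDFs no longer open.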
        • 1. Re: HIPS Signature 8000
          cheitman

          We also experienced major problems with HIPS 8 Signature 8000 (and 8001 and 8002).  The SNS bulletin indicated that these signatures were to be released in informational status, but they were set to Low.  We also found this situation to be unacceptable, as it created an unexpected and substantial disruption to our enterprise environment.

          on 11/25/13 2:24:35 PM CST
          • 2. Re: HIPS Signature 8000
            Kary Tankink

            Some comments below:

            1. Why was there an out of cycle content update on November 21st?

            The HIPS 5221 Content is a re-release of the November 2013 content after the Java signature issue was removed (Sig 6666), which caused the issue in KB79755.

            KB79755 - Internet Explorer Java applications fail after updating to Host IPS November security content version 5209

2. Whose idea was it to put signature 8000 in a blocking (low) severity in this content update?

            Default severities are set by the Host IPS Content team.

            Can someone from McAfee explain how this signature was tested

            I don't have information on this.

            The SNS bulletin indicated that these signatures were to be released in informational status, but they were set to Low.

            This was a documentation issue, and has been corrected.

            http://www.mcafee.com/us/resources/release-notes/hips/hips_21_11_2013.pdf

            [New] Signature 8000: Remote Code Execution Attack

            Description:

            - This event indicates a remote code execution attack

            - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

            [New] Signature 8001: Suspicious Remote Code Execution Attack

            Description:

            - This event indicates a suspicious remote code execution attack.

            - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

            • 3. Re: HIPS Signature 8000
              damageinc

              Kary,

              Do you have any advice for tuning these signatures?  May I suggest that McAfee only release new signatures in an informational status, and then upgrade them when they're for certain not going to block normal activities like opening PDFs?

              At this point, I don't see what the point of leaving this signature enabled is.

              Thanks,

              Damageinc

              • 4. Re: HIPS Signature 8000
                Kary Tankink

                Do you have any advice for tuning these signatures?

                I don't have any specific advice, sorry.

                May I suggest that McAfee only release new signatures in an informational status
                Default signature severities are determined by our Content team (e.g., high severity vulnerabilities may set signatures to HIGH by default), but if you'd like, you can always change these signatures in your environment to whatever severity level you'd like.  With HIPS 8.0, edit your IPS Rules policy, select all the signatures you want to change, and select the Edit Multiple option.  You can set this right after you download the HIPS content to the ePO Master Repository, but before the clients get the content update.

                • 5. Re: HIPS Signature 8000
                  greatscott

Management sees a shiny new signature, and wants to leverage it immediately. In reality the signature has no discernible function, other than to block people from opening any PDF. I understand it isn't your fault, Kary. We all have our own internal processes, in our respective organizations, which we may not agree with, but have to live with. When we have to go to management and plead our case to turn it off, it's just an eternal struggle. Far be it from us to explain why we want to turn off a vendor signature, but we need to keep availability in mind too.

                  • 6. Re: HIPS Signature 8000
                    damageinc

                    I was forwarded an SNS notice today that the latest HIPS content update for December was delayed by a couple days, and that signatures 8000, 8001, and 8002 are being removed due to "issues".  I wonder what those issues were.

                    • 7. Re: HIPS Signature 8000
                      cheitman

                      Kary Tankink wrote:

                      The SNS bulletin indicated that these signatures were to be released in informational status, but they were set to Low.

                      This was a documentation issue, and has been corrected.

                      http://www.mcafee.com/us/resources/release-notes/hips/hips_21_11_2013.pdf

                      [New] Signature 8000: Remote Code Execution Attack

                      Description:

                      - This event indicates a remote code execution attack

                      - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

                      [New] Signature 8001: Suspicious Remote Code Execution Attack

                      Description:

                      - This event indicates a suspicious remote code execution attack.

                      - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

                      Might I suggest that documentation updates of this nature be broadcast to the field via SNS, instead of being quietly corrected in the background?  Most people read the SNS notifications and then act on that information.  They do not constantly refer back to the website to see if an SNS bulletin has been quietly updated.

The fact is that McAfee released a set of signatures (turns out they were rather problematic) and notified the field that they would be set in informational.  Those signatures were, in fact, set to low status.  When McAfee noticed that the information they used to inform the field was wrong, instead of sending out an update, they updated documentation on the website.  This is not the professional way to handle such things.  We understand errors occur - we all make them.  However, by not notifying the field in the same manner as the original notification, McAfee reduced the chances of organizations proactively addressing this issue, instead of having to wait for the flood of trouble calls to come in.

                      • 8. Re: HIPS Signature 8000
                        damageinc

                        I wholeheartedly agree with cheitman.

                        Although I'd like to add that it would be even nicer if there was some basic testing done to all signatures to make sure they don't block one of the three or so most frequently performed actions on any computer.