965 Views 8 Replies Latest reply: Dec 12, 2013 2:41 PM by damageinc
damageinc Apprentice 51 posts since
Nov 22, 2011

Nov 22, 2013 3:10 PM

HIPS Signature 8000

Two questions:

1. Why was there an out-of-cycle content update on November 21st?

2. Whose idea was it to put signature 8000 in a blocking (low) severity in this content update? This seems to block anyone from opening a PDF. We received over 50,000 events from people being blocked from opening PDFs today.

Can someone from McAfee explain how this signature was tested? I never realized that a user opening a PDF was actually a remote code execution attack.

Message was edited by: damageinc on 11/22/13 3:10:20 PM CST
  • cheitman Newcomer 4 posts since
    Jul 22, 2013
    1. Nov 25, 2013 2:24 PM (in response to damageinc)
    Re: HIPS Signature 8000

    We also experienced major problems with HIPS 8 Signature 8000 (and 8001 and 8002).  The SNS bulletin indicated that these signatures were to be released in informational status, but they were set to Low.  We also found this situation to be unacceptable, as it created an unexpected and substantial disruption to our enterprise environment.


    on 11/25/13 2:24:35 PM CST
  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    2. Nov 25, 2013 2:59 PM (in response to cheitman)
    Re: HIPS Signature 8000

    Some comments below:

    1. Why was there an out of cycle content update on November 21st?

    The HIPS 5221 Content is a re-release of the November 2013 content after the Java signature issue was removed (Sig 6666), which caused the issue in KB79755.

    KB79755 - Internet Explorer Java applications fail after updating to Host IPS November security content version 5209

    2. Who's idea was it to put signature 8000 in a blocking (low) severity in this content update?

    Default severities are set by the Host IPS Content team.

    Can someone from McAfee explain how this signature was tested?

    I don't have information on this.

    The SNS bulletin indicated that these signatures were to be released in informational status, but they were set to Low.

    This was a documentation issue, and has been corrected.

    http://www.mcafee.com/us/resources/release-notes/hips/hips_21_11_2013.pdf

    [New] Signature 8000: Remote Code Execution Attack

    Description:

    - This event indicates a remote code execution attack

    - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

    [New] Signature 8001: Suspicious Remote Code Execution Attack

    Description:

    - This event indicates a suspicious remote code execution attack.

    - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    4. Nov 26, 2013 11:14 AM (in response to damageinc)
    Re: HIPS Signature 8000

    Do you have any advice for tuning these signatures?

    I don't have any specific advice, sorry.

    May I suggest that McAfee only release new signatures in an informational status
    Default signature severities are determined by our Content team (e.g., high severity vulnerabilities may set signatures to HIGH by default), but if you'd like, you can always change these signatures in your environment to whatever severity level you'd like.  With HIPS 8.0, edit your IPS Rules policy, select all the signatures you want to change, and select the Edit Multiple option.  You can set this right after you download the HIPS content to the ePO Master Repository, but before the clients get the content update.
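
The Edit Multiple step above assumes you already know which signatures to downgrade. The following is an added example, not code from McAfee or from any poster in this thread, showing how a defender could pick those signatures out of an exported event list before the content reaches clients: it aggregates events per signature and flags the pattern described in this thread, one signature blocking the same process on many distinct hosts. The CSV layout, field names, reaction values, process names and sample rows are all constructed for the example and are not McAfee's export format; the thresholds are assumptions to tune for your environment.

```python
"""Triage HIPS-style blocking events to find a signature that is mass-blocking
normal activity (added example; constructed data, not McAfee's export format)."""
import csv
import io
from collections import defaultdict

# Constructed sample export, one row per HIPS event. Field names, reaction
# values and process names are assumptions for this example only.
SAMPLE_EVENTS = """\
time,host,sig_id,severity,reaction,process
2013-11-21T09:01:00,ws001,8000,Low,Prevented,AcroRd32.exe
2013-11-21T09:01:30,ws002,8000,Low,Prevented,AcroRd32.exe
2013-11-21T09:02:10,ws003,8000,Low,Prevented,AcroRd32.exe
2013-11-21T09:02:45,ws001,8000,Low,Prevented,AcroRd32.exe
2013-11-21T09:03:00,ws004,8000,Low,Prevented,AcroRd32.exe
2013-11-21T09:03:20,ws005,8000,Low,Prevented,AcroRd32.exe
2013-11-21T09:04:00,ws002,8001,Low,Prevented,winword.exe
2013-11-21T09:05:00,ws003,8002,Low,Prevented,AcroRd32.exe
2013-11-21T09:06:00,ws004,8002,Low,Logged,AcroRd32.exe
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_signature(events):
    """Per signature: event count, distinct hosts, blocked count, and the
    process most often involved together with its share of the events."""
    agg = {}
    for ev in events:
        s = agg.setdefault(ev["sig_id"], {
            "severity": ev["severity"], "events": 0, "hosts": set(),
            "prevented": 0, "processes": defaultdict(int)})
        s["events"] += 1
        s["hosts"].add(ev["host"])
        if ev["reaction"] == "Prevented":
            s["prevented"] += 1
        s["processes"][ev["process"]] += 1
    summary = {}
    for sig, s in agg.items():
        top_proc, top_count = max(s["processes"].items(), key=lambda kv: kv[1])
        summary[sig] = {
            "severity": s["severity"],
            "events": s["events"],
            "hosts": len(s["hosts"]),
            "prevented": s["prevented"],
            "top_process": top_proc,
            "top_process_share": top_count / s["events"],
        }
    return summary


def flag_mass_blocking(summary, min_hosts=3, min_block_ratio=0.9,
                       min_process_share=0.9):
    """A signature that blocks on many distinct hosts and nearly always on the
    same process looks like a rule firing on routine use (the PDF-reader case
    in this thread) rather than a targeted event, so it is a candidate for a
    severity override before rollout. Thresholds are assumed defaults."""
    flagged = []
    for sig, s in summary.items():
        if (s["hosts"] >= min_hosts
                and s["prevented"] / s["events"] >= min_block_ratio
                and s["top_process_share"] >= min_process_share):
            flagged.append(sig)
    return sorted(flagged)


def proposed_overrides(summary, flagged):
    """Map each flagged signature to the severity a reviewer would set by hand
    in the IPS Rules policy (Edit Multiple) before clients get the content."""
    return {sig: {"from": summary[sig]["severity"], "to": "Informational"}
            for sig in flagged}


if __name__ == "__main__":
    summary = summarize_by_signature(parse_events(SAMPLE_EVENTS))
    for sig, s in sorted(summary.items()):
        print(sig, s)
    flagged = flag_mass_blocking(summary)
    print("proposed overrides:", proposed_overrides(summary, flagged))
```

The script only produces a review list; applying the override is still the manual IPS Rules policy edit described in the post, and the script does not talk to ePO. Run it against events exported from the test group that receives new content first, so the override is in place before the wider client population checks in.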

  • greatscott Champion 287 posts since
    Jul 18, 2011
    5. Nov 27, 2013 12:38 PM (in response to damageinc)
    Re: HIPS Signature 8000

    Management sees a shiny new signature, and wants to leverage it immediately. In reality the signature has no discernible function, other than to block people from opening any PDF. I understand it isn't your fault, Kary. We all have our own internal processes in our respective organizations, which we may not agree with but have to live with. When we have to go to management and plead our case to turn it off, it's just an eternal struggle. Far be it from us to explain why we want to turn off a vendor signature, but we need to keep availability in mind too.

  • cheitman Newcomer 4 posts since
    Jul 22, 2013
    7. Dec 12, 2013 1:29 PM (in response to Kary Tankink)
    Re: HIPS Signature 8000

    Kary Tankink wrote:

    The SNS bulletin indicated that these signatures were to be released in informational status, but they were set to Low.

    This was a documentation issue, and has been corrected.

    http://www.mcafee.com/us/resources/release-notes/hips/hips_21_11_2013.pdf

    [New] Signature 8000: Remote Code Execution Attack

    Description:

    - This event indicates a remote code execution attack

    - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

    [New] Signature 8001: Suspicious Remote Code Execution Attack

    Description:

    - This event indicates a suspicious remote code execution attack.

    - This signature is set at level ‘Low’ and in later releases planned to be set at higher levels.

    Might I suggest that documentation updates of this nature be broadcast to the field via SNS, instead of being quietly corrected in the background? Most people read the SNS notifications and then act on that information. They do not constantly refer back to the website to see if an SNS bulletin has been quietly updated.

    The fact is that McAfee released a set of signatures (turns out they were rather problematic) and notified the field that they would be set in informational. Those signatures were, in fact, set to low status. When McAfee noticed that the information they used to inform the field was wrong, instead of sending out an update, they updated documentation on the website. This is not the professional way to handle such things. We understand errors occur - we all make them. However, by not notifying the field in the same manner as the original notification, McAfee reduced the chances of organizations proactively addressing this issue, instead of having to wait for the flood of trouble calls to come in.
