4 Replies Latest reply on Feb 7, 2014 9:04 AM by shakira

    Is it the case that HIPS works only on "Executable" file types

    djcabz

      I do not recall reading anywhere that it definitively states that HIPS works _only_ on executable files, such as a .exe or .com.

      So my question is whether HIPS is able to identify the MD5 of interpreted binary files such as jpegs, cabinet file or mp3s to prevent read operations?

      Basically if there is a particular MP3 file and I am told to "stop the employee population from listening to it", can a signature be written that prevents the MP3's hash from being read?

      Again, focusing on the MP3 (or JPEG or CAB) and NOT the program that would interpret it, such as WinAMP or Media Player (or Irfan or 7zip)?

      Thanks in advance!

        • 1. Re: Is it the case that HIPS works only on "Executable" file types
          Kary Tankink

          Basically if there is a particular MP3 file and I am told to "stop the employee population from listening to it", can a signature be written that prevents the MP3's hash from being read?

          This is outside the scope of HIPS.  MD5 hashes are used for executable files.  A custom IPS signature could probably be used to prevent READ access to a (MP3) file (never tried it myself), but it would be based on path/filename only (not MD5 hashes).

          • 2. Re: Is it the case that HIPS works only on "Executable" file types
            djcabz

            "This is outside the scope of HIPS" - I can agree with that assessment; albeit not what I was expecting.

            I thought you/someone would say, "Sure, you just have to use this expert rule to affect files that do not make any OS/System calls themselves and are effectively just stores of specific data interpreted by an application that does in fact make OS/System Calls..."

            Just saying, you could've lied to me is all...

            On the more serious side, thank you for the rapid response.

            • 3. Re: Is it the case that HIPS works only on "Executable" file types
              Kary Tankink

              I thought you/someone would say, "Sure, you just have to use this expert rule to affect files that do not make any OS/System calls themselves and are effectively just stores of specific data interpreted by an application that does in fact make OS/System Calls..."

              Just saying, you could've lied to me is all...

              Maybe that would have been a much more exciting conversation, to dangle that carrot in front of you.

              I checked the Solidcore (Change Control) product and for READ PROTECT rules, it too is PATH/FILENAME only.

              • 4. Re: Is it the case that HIPS works only on "Executable" file types
                shakira

                Stinks, doesn't it? Probably the most useful, high fidelity (non false positive) indication of a file name being bad is its hash. Where is our product or ability to simply watch every hash on a machine and compare it to our known bad list? It seems so simple.

                You might want to check out McAfee GTI Proxy though. It can take in a list of hashes and use on-access scan to look for them (I believe). Sadly it deletes and blocks them ONLY. No logging or alerting and being able to grab the file for analysis or reverse engineering. Kind of defeats the purpose depending on what you are doing.

                Tanium may have some roundabout way to look for hashes as well since, "if you can script it you can do it" is part of their motto I believe. I'm not sure how well it scales when the list becomes large though. Waiting to hear how well their IOC funnel will work.

                Message was edited by: shakira on 2/7/14 9:04:11 AM CST
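The "watch every hash on a machine and compare it to a known bad list" capability shakira asks for, written out as an added example; this is not code from the thread and not a feature of HIPS, Solidcore, GTI Proxy or Tanium. It hashes every regular file under a directory, compares the digest against a block list, and logs each match with its path rather than deleting it, so an analyst can still collect the file. The sample MP3 bytes, the file names and the known-bad set are all constructed for the demo; the `demo()` function also shows why Kary's path/filename-only rules and a hash rule have different blind spots.

```python
"""Hash-based file inventory with logging (added example, not a vendor feature)."""
import hashlib
import logging
import tempfile
from pathlib import Path

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("hashwatch")

# Constructed sample "MP3": an ID3 tag header followed by filler bytes.
# Real files are larger, but the hashing logic is the same.
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 64


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large media files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, known_bad: set) -> dict:
    """Hash every regular file under root and report those on the block list.

    Matches are logged (path + digest) and returned; nothing is deleted or
    blocked, which is the logging/alerting gap the thread complains about.
    """
    hits = []
    scanned = 0
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        scanned += 1
        digest = sha256_of(path)
        if digest in known_bad:
            log.warning("known-bad hash %s at %s", digest, path)
            hits.append({"path": str(path), "sha256": digest})
        else:
            log.debug("clean %s %s", digest, path)
    return {"scanned": scanned, "hits": hits}


def demo() -> dict:
    """Build a throwaway directory and compare hash matching with path matching."""
    # Constructed block list: the digest of the sample file.
    known_bad = {hashlib.sha256(SAMPLE_MP3).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        music = Path(tmp) / "music"
        music.mkdir()
        # Original file under its known name.
        (music / "banned.mp3").write_bytes(SAMPLE_MP3)
        # Renamed copy: a path/filename rule misses it, the hash rule catches it.
        (music / "totally_fine.mp3").write_bytes(SAMPLE_MP3)
        # Same content plus one trailing byte: a different digest, so the hash
        # rule misses it. Exact-hash lists only match byte-identical files.
        (music / "retagged.mp3").write_bytes(SAMPLE_MP3 + b"\x00")
        result = scan_tree(Path(tmp), known_bad)
    return {
        "scanned": result["scanned"],
        "matched": sorted(Path(h["path"]).name for h in result["hits"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` scans three files and reports `banned.mp3` and `totally_fine.mp3`; `retagged.mp3` is not reported because any byte change produces a new digest. That is the trade-off behind shakira's "high fidelity" point: an exact hash almost never false-positives, but it only ever matches the one byte-identical file, so a hash list needs feeding from somewhere that sees each new variant.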