487 Views, 7 Replies. Latest reply: Mar 12, 2014 10:17 AM by rothman
rothman, Newcomer, 27 posts since Jul 23, 2013
Feb 6, 2014 3:02 PM

HIPS 8 Expert Sub Rules

Beating my head against my desk here... hopefully someone can help.

I'm attempting to add a custom signature to my HIPS 8 policy for our endpoints which essentially need to be locked down. We've received some tips from our SE, but like others have mentioned... the documentation for creating expert sub rules is terrible / basically non-existent. So, onto the issue:

The sub rule I'm attempting to make is one that will block all unsigned executables, except for a list (unfortunately large) of known, unsigned, executables. An example of the sub rules is below:

Rule {
tag "Prevent run of unknown executables (<parent folder name>)"
Class Program
Id 4024
level 4
Target_Executable { Exclude { -sdn "*=*" } }
Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program1.exe" } }
Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program2.exe" } }
Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program3.exe" } }
Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program4.exe" } }
directives program:run
}

Now, what I've discovered is that the only way I can get the excludes to work is to shorten the path parameter to something like c:\\*\\program1.exe which is pretty bad imo.

Second, and probably more important, is that we have somewhere in the range of 160 unsigned executables (I know, I know...) which need to be 'white-listed' in this signature. We believe the javascript in the console is setting the character limit for the textbox input to only allow for about 30 excludes per sub rule. That bit isn't so much the problem (I simply created something like 18 separate sub rules), but what is a problem is that it appears when the signature triggers, it does not compile all of the separate sub rules into one ... I'm almost thinking it steps through each sub rule individually which defeats the whole point of having multiple sub rules.

Can someone explain what is happening when the signature triggers as it relates to the sub rules? If I were to at least understand that much, then I could perhaps work with it better to make it do what I want.

I have also reviewed the following community posts, KBs and documents, but if I missed something, I would be more than gracious if someone showed me what I overlooked:

https://community.mcafee.com/message/317037
https://community.mcafee.com/message/277168

https://kc.mcafee.com/corporate/index?page=content&id=KB70652
https://kc.mcafee.com/corporate/index?page=content&id=KB71329

http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22894/en_US/Host%20Intrusion%20Prevention%20800%20Product%20Guide%20for%20ePO%20450.pdf

Thanks to all in advance!

-Andy

Message was edited by: rothman on 2/6/14 3:02:37 PM CST
  • rackroyd, McAfee Mentor, 956 posts since Feb 3, 2010
    1. Feb 10, 2014 2:56 AM (in response to rothman)
    Re: HIPS 8 Expert Sub Rules

    ~ Moved to hips group for better attention.

  • greatscott, Champion, 294 posts since Jul 18, 2011
    2. Feb 11, 2014 9:30 AM (in response to rothman)
    Re: HIPS 8 Expert Sub Rules

    What are you actually detecting with the signature you are trying to create? All I see is exclude rules for executables. It would seem to me that you should let the whitelisted applications run, and create exceptions for them in your IPS rules policy.

    However, assuming you are actually blocking something, all of your "exclude" rules would need to be in one single subrule. For example, you are trying to whitelist your C:\parentfolder file path (note, I added an include rule):

     

    Rule {
    tag "Prevent run of unknown executables (<parent folder name>)"
    Class Program
    Id 4024
    level 4
    Target_Executable { Include { -path "C:\\parentfolder\\" } }
    Target_Executable { Exclude { -sdn "*=*" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program1.exe" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program2.exe" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program3.exe" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program4.exe" } }
    directives program:run
    }

    OR

    Rule {
    tag "Prevent run of unknown executables (<parent folder name>)"
    Class Program
    Id 4024
    level 4
    Target_Executable { Include { -path "C:\\parentfolder\\" } }
    Target_Executable { Exclude { -sdn "*=*" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program5.exe" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program6.exe" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program7.exe" } }
    Target_Executable { Exclude { -path "c:\\<parent folder>\\<child folder>\\program8.exe" } }
    directives program:run
    }

    Looking at this, it is my assumption that program1.exe all the way through program8.exe would be blocked, since they don't all reside in one subrule.
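As an added example that is not part of this thread or of McAfee's own tooling: a PowerShell script (3.0 or later, run on the endpoint) that inventories the unsigned executables under one parent folder with Get-AuthenticodeSignature and emits a sub rule in the layout the reply above shows, with an Include on the parent folder, one Exclude -sdn "*=*" for signed binaries, and one Exclude -path per unsigned file, all in a single sub rule. The backslash escaping, Id and tag follow the posted rules; that HIPS accepts the generated text is an assumption to verify in the console.

```powershell
# Added example (not from the thread). Build the whitelist of unsigned .exe files
# under -Folder and print an expert sub rule in the syntax used in the posts.
# Assumptions: -path values double every backslash as in the posted rules; Id and
# tag are placeholders; whether HIPS evaluates the result as intended is unverified.
param(
    [Parameter(Mandatory = $true)][string]$Folder,   # e.g. C:\parentfolder
    [int]$Id = 4024,
    [int]$Level = 4
)
$Folder = $Folder.TrimEnd('\')

$unsigned = @()   # Status NotSigned: candidates for -path excludes
$suspect  = @()   # any other non-Valid status (e.g. HashMismatch): review, do not whitelist
Get-ChildItem -Path $Folder -Recurse -Filter '*.exe' -File | ForEach-Object {
    $file   = $_                                   # $_ is rebound inside switch
    $status = (Get-AuthenticodeSignature -FilePath $file.FullName).Status.ToString()
    switch ($status) {
        'Valid'     { }                            # signed: already covered by -sdn "*=*"
        'NotSigned' { $unsigned += $file.FullName }
        default     { $suspect  += "$($file.FullName) [$status]" }
    }
}

# Expert rule text writes a Windows path with every backslash doubled.
function ConvertTo-RulePath([string]$Path) { return $Path.Replace('\', '\\') }

$lines = @(
    'Rule {'
    "tag `"Prevent run of unknown executables ($Folder)`""
    'Class Program'
    "Id $Id"
    "level $Level"
    "Target_Executable { Include { -path `"$(ConvertTo-RulePath $Folder)\\`" } }"
    'Target_Executable { Exclude { -sdn "*=*" } }'
)
foreach ($exe in $unsigned) {
    $lines += "Target_Executable { Exclude { -path `"$(ConvertTo-RulePath $exe)`" } }"
}
$lines += 'directives program:run'
$lines += '}'

$lines -join "`n"                                  # rule text, ready to paste into the console
Write-Warning "$($unsigned.Count) unsigned executables whitelisted; $($suspect.Count) flagged for review"
$suspect | ForEach-Object { Write-Warning $_ }
```

With a list the size of the original poster's (about 160 files) the output is one sub rule well above the roughly 30-exclude textbox limit described in the first post, which the thread leaves unresolved.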

  • greatscott, Champion, 294 posts since Jul 18, 2011
    4. Feb 11, 2014 10:44 AM (in response to rothman)
    Re: HIPS 8 Expert Sub Rules

    Have you tried using signatures 6010 and/or 6011? Might prevent you from having to reinvent the wheel, but as you said, these may cause too much overhead for your systems.

  • greatscott, Champion, 294 posts since Jul 18, 2011
    6. Feb 11, 2014 11:25 AM (in response to rothman)
    Re: HIPS 8 Expert Sub Rules

    I am not sure that the patch level matters; I assumed it worked for all of HIPS 8. With regard to how to except, you would just make exceptions when you see events come in for 6011. You can also make this a ton easier by excepting via digital signer. For example, when you add exceptions for the Microsoft digital signature, you eliminate most of the events right off the bat. Then you can add other digital signatures, and then be left with your other 160ish applications you mentioned, which you could create exceptions for individually.
