8 Replies Latest reply: Mar 13, 2014 7:03 PM by kjabney RSS

    HIPS blocking Outlook 2007 running as Admin

    wb3jma

      Win7 Outlook 2007 Exchange 2008 HIPS 8.0.0.2482

       

      Wtihout going into a lot of detail keep in mind I do not have acess to HBSS and the local consule admin does not have access to the EPO server and we will have to exhaust all possibilites at our end before we can escalate.

       

       

      Situation:

       

      We have a handful of users that have been granted local admin rights on their computers so they can run several apps that some files or folders need permissions above the standard user account. Recently Outlook is being blocked by HIPS when run as an admin. The log shows it' triggering Signature 2805.

       

      I have the dubious honor of trying to find away around this if at all, from content update for HIPS 4634 release notes it says this signature is disabled by default so obviously it been turned on. It also says the signature provides protection for Microsoft Outlook and Mozilla Thunderbird.

       

      So if the signature protects Outlook why is it triggering. 

       

      Secondly I have tried unsuccessfully to play with the Oulook.exe files permissions to see if I can give it the same permissions only in the admins group that only a standard user would have. Can that be done and I'm doing it wrong or is HIPS not fooled and recognizes that the object on the domain is an admin regardless and wpont let this Outllok open no matter waht you make that files permisions?

       

      Finally the local HBSS admin can he amnipulates this from the consule when he is not an admin for the EPO server?

       

      Thank You!

        • 1. Re: HIPS blocking Outlook 2007 running as Admin
          Kary Tankink

          Please ensure you're running the latest HIPS Content. 8.0.0.5451 just released.  If it's still an issue afterwards, contact McAfee Support for further assistance.

           

          http://www.mcafee.com/us/content-release-notes/host-intrusion-prevention/index.a spx

          • 2. Re: HIPS blocking Outlook 2007 running as Admin
            wb3jma

            Thx but I dont' control the EPO server and I can't wait around ofr the possibility that the update will clear the issue especially since I don't think the signature is bad just enabled from it's default of disabled and need a work arounf if possible.

            • 3. Re: HIPS blocking Outlook 2007 running as Admin
              greatscott

              Sounds like you need to talk to whoever administrates your ePO server. There is really no way around what you are talking about, unless you disable HIPS. Specifically for 2805, from my understanding, if your user account has an administrator group SID associated with it, and you are trying to run outlook.exe, the signature will fire. In your case, it sounds like its blocking, which may or may not have been changed by your ePO admin.

              • 4. Re: HIPS blocking Outlook 2007 running as Admin
                wb3jma

                Scott are you saying that HIPS recognizes that that user account on the domain is an admin and not just that particular app is running as admin and will block regardless because he is part of the admin group.

                 

                Message was edited by: wb3jma on 3/13/14 11:46:34 AM CDT
                • 5. Re: HIPS blocking Outlook 2007 running as Admin
                  greatscott

                  from my understanding, yes. if he were demoted to an unpriviledged user (not a local or domain admin), he would be able to launch outlook.exe with no issue.

                  • 6. Re: HIPS blocking Outlook 2007 running as Admin
                    wb3jma

                    Yes I realize that but is HIPS distinguishing between the app and the user? Does HIPS block becuase he is a local admin or doe sit block only because the app runs as admin. Would it be possible to remove admin rights from Outlook only and not trigger HIPS.

                    • 7. Re: HIPS blocking Outlook 2007 running as Admin
                      greatscott

                      looking at the sig definition again, I am not sure. i think mcafee could comment more.

                      • 8. Re: HIPS blocking Outlook 2007 running as Admin
                        kjabney

                        First, greatscot is dead on target in his first comment regarding contacting your administrator. If the signature is released from McAfee disabled and it has now been enabled, it was done through a policy change made by the ePO administrator which means it was done to enforce organizational policy. If there are legitimate operational requirements, the administrators can create exceptions to permit those operations. Opening a service request/trouble ticket with your support organization will allow the situation to be resolved much more expediently than trying to circumvent the assigned policy and, in all likelyhood, ensure you or your users are violating company security policies.

                         

                        The vast majority of malware are contracted through either malicious email or accessing the web. Using either email or a web browser while logged on as an administrator means that anything received or processed by those applications could be run with the administrator's credentials. As you noted, administrators are given higher permissions because they have special requirements for running some applications or access particular files/folders needed for them to perform the specialized duties and that aren't needed by regular users. Neither email nor web browsers, in most instances, require the need for those elevated permissions. For these reasons, that is why it is a security best practice for individuals requiring elevated permssions have two accounts: one with elevated permissions needed to perform their jobs and one with normal user permissions for conducting routine, normal, duties like email and web access.

                         

                        The signature is not protecting Outlook; it prevents Outlook from being run by a user with administrator credentials as this is a high risk activity for the reasons noted above. So, attempting to modify the permissions used by the application will not affect the policy enforcement.

                         

                        For your last question, a local administrator can be given permissions through ePO policies to disable or bypass HIPS enforced policies in a variety of ways. However, even if the local administrator is also an administrator on the ePO, the ability to make those policy changes are controlled through the ePO User Rights assignments. If those rights have not been delegated to your local administrator, they will not be able to make the needed policy changes and you would still need to contact your local support group to open a service request/trouble ticket to have an ePO adminstrator with the required rights to make the changes.