3 Replies Latest reply on Apr 23, 2014 6:39 PM by Kary Tankink

    HIPS 8.0 Executables in Firewall Rules

    forrest.towne

      What attributes of the executable does the Firewall Rule match on?

       

      Obvious to me are filename, fingerprint, and signerName.  Does it match on description as well?

       

      I am also unclear on what the wildcard is for signerName.  Obviously the "*" is for any signer.  My question is whether that also picks up unsigned executables as well?  In my experience, it doesn't appear that it does.

        • 1. Re: HIPS 8.0 Executables in Firewall Rules
          Kary Tankink

          File Description, yes.

           

          KB71735 - Host Intrusion Prevention 8.0 - Executable File Description field

           

           

          The wildcard for Signer is verifying if the executable is digitally signed at all.  If not, then this criterion does not match.  There is no functionality looking for "unsigned" executables; the only way to match unsigned apps is to use None.

          • 2. Re: HIPS 8.0 Executables in Firewall Rules
            forrest.towne

            In the Host IPS Catalog under Executable, to have an entry for McAfee Signed Executables, the description and fingerprint must be blank, correct?  Should the filename be blank as well or wildcarded?

             

            If an executable is sometimes signed and sometimes not, it would require two entries in order to match both?

            • 3. Re: HIPS 8.0 Executables in Firewall Rules
              Kary Tankink

              Should the filename be blank as well or wildcarded?

              Blank entries are effectively wildcards for that entry.

               

              If an executable is sometimes signed and sometimes not, it would require two entries in order to match both?

              Just use a single executable entry with Signer set to NONE, then it will match both signed/unsigned.  Only use the Signed criteria if you're specifically trying to match against a signed executable (whether it be ANY signed or specific digital certificate signed).

               

              The 4 Executable criteria fields (File Description, Filename, Hash, Signer) do not all have to be used.  Mix/match the criteria according to your needs.