6 Replies Latest reply on Jul 14, 2014 6:57 PM by Kary Tankink

    IPS Exception basics

    ninjaneer68

      I am having problems with the syntax allowed for the IPS exception within the ePO.

      Can anyone tell me if the exclusion wildcards for VSE will work for the attached screenshot for the file name of the IPS exclusion?

       

      https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print

       

       

      Please, if anyone tells me to check the HIPS guide, at least tell me what page to check. I have checked the guide a lot lately and am having problems finding the syntax allowed.

       

      All I am trying to do is allow a filename.exe, and I am trying to figure out if this syntax will work:

       

      **\filename.exe

       

      It seems that for the IPS signature that keeps popping, I can't seem to get the exception correct.

        • 1. Re: IPS Exception basics
          greatscott

          The exception **\filename.exe should work. If the event is still occurring, find the event in ePO, click "Actions", then click "New Exception (Host IPS 8.0)". Select the IPS Rules policy you want the exception to be put into, and click OK. This should prevent the event from occurring further. Go into that exception after it is created, and view how ePO created it. Note the processes and advanced parameters, and how they differ from the exception you created manually.

          1 of 1 people found this helpful
          • 2. Re: IPS Exception basics
            ninjaneer68

            That is what I did to create the basis for my rule. It's popping on many machines, and I was going to try the ** I asked about because I was getting stumped on how to apply this to all machines. I just removed all computers, so that should apply to all.

            • 3. Re: IPS Exception basics
              greatscott

              Yes, just remove the system name from the exception.

              1 of 1 people found this helpful
              • 4. Re: IPS Exception basics
                ninjaneer68

                Did some testing over the weekend. I wanted to post in case anyone else tried this. ePO doesn't like the syntax of "**\filename.exe" in the Filename field.

                Every time I tried to add it, the ** was automatically removed when I hit save. I did a "*\filename.exe" and it seemed to take that, and everything seemed to be happy.

                • 5. Re: IPS Exception basics
                  ninjaneer68

                  HIPSException_example_edited.png

                   

                  I also have some more testing to do, but once you have the exception built I don't think it works unless you have some sort of parameters loaded against it.

                  In the above example, the area highlighted in red is what I am talking about. Once I built the executable definition, I was trying to be basic and just leave all the parameters blank. My thought was it would just allow every instance of this executable. Once I added some sort of generic parameter, the exception started to work.

                  Later on I realized that if I wanted to do such a generic exception, I should put the program in trusted applications.

                  • 6. Re: IPS Exception basics
                    Kary Tankink

                    sstretchh wrote:

                    I also have some more testing to do, but once you have the exception built I don't think it works unless you have some sort of parameters loaded against it.

                    IPS exceptions will work without Parameter details. Parameter details are just criteria to narrow down/tighten an IPS exception further, but be aware of the AND/OR operations between parameter details. The KB works for HIPS 8 as well, but the screenshots just look different.

                     

                    KB70652 - Host Intrusion Prevention 7.0 IPS exception criteria