1 Reply Latest reply on Aug 27, 2014 10:25 AM by greatscott

    HRC Errors in HipsShield.logs. What's going on?

    shakira

      There were thousands of these on one of our endpoints. What are they and why are they firing on McAfee Default rules as well as Custom Rules we created with the Wizard GUI?

      McAfee Default Example:

      08-21 13:42:57 [06744] HRC ERROR:
      ************
      Rule {
          Class Files
          Id 1254
          level 2
          files { Include -e  -apn_txt:\\?*  -list IIS_Ftp_Dir
          }
          time { Include "*" }
          application { Exclude  "$IIS_BinDir\\inetinfo.exe"  -list IIS_Processes
                  }
          user_name { Include "*" }
          dependencies -c -d 1240
          directives -c -d files:write
        }
      ERROR: Section <files> has no values
      REMOVED

      Custom GUI Wizard Example:

      08-21 13:42:57 [06744] HRC ERROR:
      ************
      Rule {
      tag "A Known Bad File Indicator"
      Class Files
      Id 5714
      level 3
      files { Include "*\\\\SYSTEM32\\reallybad.exe" }
      directives files:execute files:rename files:delete files:permissions files:write files:attribute files:create
      }
      ERROR: Bad directive - files:permissions
      REMOVED
      ************

      Why is the bottom one saying files:permissions is a bad directive? The GUI made this rule when I checked the "Permissions" box.
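
Added example, not part of the original post and not McAfee code: with thousands of these entries, a short Python script can group the HRC ERROR blocks in HipsShield.log by rule Id and error text so you can see which rules are being removed and why. The function names and the trimmed sample are constructed here; the block layout (header line, `Id`, optional `tag`, `ERROR:`, `REMOVED`) is assumed from the two excerpts above.

```python
import re
from collections import Counter

# Constructed sample: the two blocks from the post, trimmed to the fields parsed here.
SAMPLE = """\
08-21 13:42:57 [06744] HRC ERROR:
************
Rule {
    Class Files
    Id 1254
    dependencies -c -d 1240
  }
ERROR: Section <files> has no values
REMOVED
08-21 13:42:57 [06744] HRC ERROR:
************
Rule {
tag "A Known Bad File Indicator"
Id 5714
}
ERROR: Bad directive - files:permissions
REMOVED
"""

HEADER = re.compile(r"^\s*(\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] HRC ERROR:\s*$")
RULE_ID = re.compile(r"^\s*Id\s+(\d+)\s*$")   # does not match "dependencies -c -d 1240"
TAG = re.compile(r'^\s*tag\s+"(.*)"\s*$')
ERROR = re.compile(r"^\s*ERROR:\s*(.+?)\s*$")

def parse_hrc_errors(text):
    """Return one dict per HRC ERROR block: time, rule id, tag, error text."""
    records, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"time": m.group(1), "id": None, "tag": None, "error": None}
            records.append(cur)
        elif cur is None:
            continue  # not inside an HRC ERROR block
        elif (m := RULE_ID.match(line)):
            cur["id"] = int(m.group(1))
        elif (m := TAG.match(line)):
            cur["tag"] = m.group(1)
        elif (m := ERROR.match(line)):
            cur["error"] = m.group(1)
        elif line.strip() == "REMOVED":
            cur = None  # block finished; ignore lines until the next header
    return records

def summarize(records):
    """Count occurrences of each (rule id, error text) pair."""
    return Counter((r["id"], r["error"]) for r in records)
```

To run it against a real log, pass the file's contents to `parse_hrc_errors()` and print `summarize(...).most_common()`.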