Just a quick question: do you want to block or allow the Adobe product..... :)
Thank you for the reply. It would be nice if I could continue to allow our valid applications to function in a normal manner without triggering on every unique function the user performs, but this signature and its PICs 2297 and 3893 don't seem to agree with my logic on this. I do understand the signature is likely operating as designed, but it has been rougher than normal trying to get this particular set to play ball using the wildcards that have worked with the majority of my exception rules thus far.
I had thought about adding it to a whitelist but am awaiting confirmation from higher authority on whether or not I can add it and a few other 3rd-party products.
Any assistance or advice you can provide is sincerely appreciated.
Making ACRORD32.EXE a trusted application sounds like a bad idea to me. While I do not doubt that it may ultimately be effective, it's a huge hole compared to tuning the event out of a single HIPS signature.
When it comes to the HIPS exclusion:
I'd suggest opening up your Z@ exclusion to **\Z@*.tmp under files.
Maybe limit your executable to not include file description and possibly not even signer.
Additionally, under the value portion:
drive type - hard drive probably nets you next to nothing except making the analyzer work harder.
Are you sure that limiting this by username is gaining you anything as well?
In the event you showed there, if that was your exclusion, you have a large amount of "and" operations that might make processing of the exclusion difficult. If you open it up a bit it may be much more efficient. You will see other processes calling the Z@ files as well in some of the other signatures you mentioned.
To tune this exact string out: C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp
You can do:
files exclude - **\acrod32_sbx\Z@*.tmp
files exclude - **\acrod32_sbx\Z@?.tmp
This doesn't seem to be your issue though. I take it you are setting this file exclusion in an Exception Rule for 3905. If so, ensure that you are not mixing "Executables" with "Parameters - Files". These two categories "AND" together instead of "OR" which may be breaking what you think your exception rule is doing.
If the only line in your exception rule for signature 3905 is what I suggested above, I'm not sure what's going wrong. If not, try starting there. No signer, no executable... nothing but one Files line.
I would also ignore trusted application settings in this case as it's unnecessary and leaves a large hole as stated above.
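To check which of the Files lines above actually cover the event path quoted earlier, here is a small matcher that I have added to the thread (it is not McAfee's code). It assumes the documented Host IPS wildcard rules, namely that ** spans path separators, * stops at a separator, and ? matches exactly one character, and that matching is case-insensitive as for Windows paths; the sample event path is constructed. Note that the two exclusion lines as posted spell the folder acrod32_sbx while the path to tune out has acrord32_sbx, and the matcher makes that difference visible.

```python
import re

# Assumed Host IPS wildcard semantics (not taken from McAfee code):
#   **  matches any run of characters, including \ and /
#   *   matches any run of characters except \ and /
#   ?   matches exactly one character
# Matching is case-insensitive, as for Windows paths (assumption).

def hips_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a HIPS-style file pattern into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # ** crosses directory boundaries
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append(r"[^\\/]*")    # * stays within one path component
        elif ch == "?":
            parts.append(".")           # ? is exactly one character
        elif ch in "\\/":
            parts.append(r"[\\/]")      # either separator style
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def hips_match(pattern: str, path: str) -> bool:
    """True if the HIPS pattern covers the given file path."""
    return hips_pattern_to_regex(pattern).match(path) is not None

if __name__ == "__main__":
    # Constructed sample event path in the shape quoted in the thread.
    event = r"C:\Users\jdoe\AppData\Local\Temp\acr1234\acrord32_sbx\Z@ab.tmp"
    for pat in (r"**\acrod32_sbx\Z@*.tmp",    # as posted: folder name misspelled
                r"**\acrord32_sbx\Z@*.tmp",   # folder name matching the event
                r"**\acrord32_sbx\Z@?.tmp",   # ? only allows one char after Z@
                r"**\Z@*.tmp"):               # the broader line suggested above
        print(f"{pat:30} -> {hips_match(pat, event)}")
```

Run it with your own event path pasted in place of the constructed one; a False on the line you expected to match usually means a misspelled component or a * where a ** was needed.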
I can't get this to work either. Is it possible to exclude an entire folder from a signature?
I'm testing on the Adobe folder for signature 3905. I've gone bare-bones with my test case: no parameters defined aside from Executable, and within the Executable, only File Name defined. I've tried every iteration of wildcards. Right now, I have C:\**\ADOBE\**\*.EXE.
3905 is still being triggered by executables in Adobe folders though. What am I missing?