6 Replies Latest reply on Aug 20, 2015 10:54 AM by eyanchuk

    HIPS Signature 3905 - Unable to tune properly for Adobe products

    kobielusz

      I am currently running HIPS 8 patch 2 (version 8.0.0.2482) with content signature 8.0.0.5897


      I have been having issues attempting to tune out some of the noise in relation to our Adobe products and a few other applications for the 3905 signature (Prevents all programs from running files from the Temp folder).


      It doesn't seem to matter what combination I attempt to create an exception for, the signature still continues to trigger.


      Example: 

      Executable

      Name: ACRORD32.EXE

      File description: ADOBE READER

      File name: C:\PROGRAM FILES\ADOBE\READER 11.0\READER\ACRORD32.EXE

      Specify a signer: CN="ADOBE SYSTEMS, INCORPORATED", OU=ACROBAT XI, O="ADOBE SYSTEMS, INCORPORATED", L=SAN JOSE, ST=CALIFORNIA, C=US, OID.2.5.4.5=2748129, OID.2.5.4.15=PRIVATE ORGANIZATION, OID.1.3.6.1.4.1.311.60.2.1.2=DELAWARE, OID.1.3.6.1.4.1.311.60.2.1.3=US


      Parameters

      Type -  Value

      Files -  C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp

      User Name - Domain\*

      drive type - HardDrive


      I have focused on the Files parameter mostly and tried every iteration of it that I can think of, including replacing the * with ** and, at one point, having only ** in the field, which would seem to defeat the purpose of using this signature.

      I tried removing the signer and setting it to none, and completely removing any parameters except HardDrive as well, but it continues to fire. I already confirmed there are no empty spaces at the end of the Executable lines, but nothing.


      If anyone has any further suggestions or experience with this particular signature, I would really appreciate some advice.


      Thank you

        • 1. Re: HIPS Signature 3905 - Unable to tune properly for Adobe products
          ansarias

          Hello,


          Just a quick question: do you want to block or allow the Adobe product? :)


          • 2. Re: HIPS Signature 3905 - Unable to tune properly for Adobe products
            kobielusz

            Thank you for the reply and it would be nice if I could continue to allow our valid applications to function in a normal manner without triggering on every unique function the user performs, but this signature and its PICs' 2297 3893 don't seem to agree with my logic on this. I do understand the signature is likely operating as designed, but it has been rougher than normal trying to get this particular set to play ball using the wildcards that have worked with the majority of my exceptions rules thus far.

            I had thought about adding it to a whitelist but am awaiting confirmation from higher authority on whether or not I can add it and a few other 3rd party products.

            Any assistance or advice you can provide is sincerely appreciated.

            • 3. Re: HIPS Signature 3905 - Unable to tune properly for Adobe products
              ansarias

              OK, so you need to make 2 changes in McAfee:


              First, add ACRORD32.EXE to the processes to exclude on the Access Protection rule: Prevents all programs from running files from the Temp folder.


              Also, add ACRORD32.EXE to the Host Intrusion Prevention 8.0: General > Trusted Applications (Windows, Linux, Solaris) policy.


              [Attached screenshot: ScreenHunter_01 Sep. 11 15.26.jpg]

              • 4. Re: HIPS Signature 3905 - Unable to tune properly for Adobe products
                bookz

                Making ACRORD32.EXE a trusted application sounds like a bad idea to me. While I do not doubt that it may ultimately be effective, it's a huge hole compared to tuning the event out of a single HIPS signature.


                When it comes to the HIPS exclusion:

                I'd suggest opening up your Z@ exclusion to **\Z@*.tmp under files.

                Maybe limit your executable to not include the file description, and possibly not even the signer.

                Additionally, under the value portion, drive type - hard drive probably nets you next to nothing except making the analyzer work harder.

                Are you sure that limiting this by username is gaining you anything as well?


                In the event you showed there, if that was your exclusion, you have a large number of "and" operations that might make processing of the exclusion difficult. If you open it up a bit it may be much more efficient. You will see other processes calling the Z@ files as well in some of the other signatures you mentioned.

                • 5. Re: HIPS Signature 3905 - Unable to tune properly for Adobe products
                  shakira

                  To tune this exact string out: C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp


                  You can do:

                  files exclude - **\acrod32_sbx\Z@*.tmp

                  or maybe:

                  files exclude - **\acrod32_sbx\Z@?.tmp


                  This doesn't seem to be your issue though. I take it you are setting this file exclusion in an Exception Rule for 3905. If so, ensure that you are not mixing "Executables" with "Parameters - Files". These two categories "AND" together instead of "OR" which may be breaking what you think your exception rule is doing.


                  If the only line in your exception rule for signature 3905 is what I suggested above, I'm not sure what's going wrong. If not, try starting there. No signer, no executable... nothing but one Files line.


                  I would also ignore trusted application settings in this case as it's unnecessary and leaves a large hole as stated above.

                  • 6. Re: HIPS Signature 3905 - Unable to tune properly for Adobe products
                    eyanchuk

                    I can't get this to work either. Is it possible to exclude an entire folder from a signature?


                    I'm testing on the Adobe folder for signature 3905. I've gone bare-bones with my test case: no parameters defined aside from Executable, and within the Executable, only File Name defined. I've tried every iteration of wildcards. Right now, I have C:\**\ADOBE\**\*.EXE.


                    3905 is still being triggered by executables in Adobe folders though.  What am I missing?
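The replies above turn on two things: how `*`, `**` and `?` behave in a HIPS exception pattern (replies 4, 5 and 6), and the fact that the Executable and Parameters parts of one exception rule are ANDed, not ORed (reply 5). The following Python model is an added illustration, not McAfee code, and its wildcard semantics are an assumption modelled on the common convention that `*` and `?` stay within one path component while `**` crosses folder separators; the sample paths and events are constructed for the demonstration. It also shows a tuning pitfall visible in this thread: reply 5 spells the folder `acrod32_sbx`, while the original path is `acrord32_sbx`, and a pattern carrying that typo matches nothing.

```python
"""Model of HIPS-style exception matching (added illustration, not McAfee code).

Assumed wildcard semantics (not taken from McAfee documentation):
  *   any run of characters within one path component (no backslash)
  **  any run of characters, including backslashes (crosses folders)
  ?   exactly one character other than a backslash
Matching is case-insensitive and anchored to the whole path.
"""
import re
from typing import Dict, Optional

# Constructed sample events: a process writing a file into the Temp sandbox folder.
# Event 0 has no folder between Temp and acrord32_sbx; event 1 has one ("Low").
ADOBE_EVENTS = [
    {"process": r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe",
     "file": r"C:\Users\alice\AppData\Local\Temp\acrord32_sbx\Z@a1b2.tmp"},
    {"process": r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe",
     "file": r"C:\Users\bob\AppData\Local\Temp\Low\acrord32_sbx\Z@7.tmp"},
]


def hips_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an exception pattern into an anchored, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and pattern[i + 1:i + 2] == "*":
            parts.append(".*")           # ** spans directory separators
            i += 2
            continue
        if ch == "*":
            parts.append(r"[^\\]*")      # * is confined to one path component
        elif ch == "?":
            parts.append(r"[^\\]")       # ? is a single non-separator character
        else:
            parts.append(re.escape(ch))  # literal text, backslashes included
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True when the whole path satisfies the pattern."""
    return hips_glob_to_regex(pattern).match(path) is not None


def exception_matches(event: Dict[str, str],
                      executable_name: Optional[str],
                      files: Optional[str]) -> bool:
    """Every field that is defined in the rule must match (fields AND together).

    Leaving a field undefined (None) is the only way to stop it constraining the rule.
    """
    if executable_name is not None and not matches(executable_name, event["process"]):
        return False
    if files is not None and not matches(files, event["file"]):
        return False
    return True


def tuning_report() -> Dict[str, bool]:
    """Evaluate the patterns discussed in the thread against the constructed events."""
    original = r"C:\Users\*\AppData\Local\Temp\*\acrord32_sbx\Z@*.tmp"  # poster's Files value
    opened = r"**\acrord32_sbx\Z@*.tmp"                                  # reply 5, spelling fixed
    typo = r"**\acrod32_sbx\Z@*.tmp"                                     # reply 5 as written
    single = r"**\acrord32_sbx\Z@?.tmp"                                  # reply 5's ? variant
    exe_any_depth = r"C:\**\ADOBE\**\*.EXE"                              # reply 6's File Name
    exe_one_level = r"C:\*\ADOBE\*\*.EXE"                                # one-level variant
    return {
        "original matches event0 (no middle folder)": matches(original, ADOBE_EVENTS[0]["file"]),
        "original matches event1 (one middle folder)": matches(original, ADOBE_EVENTS[1]["file"]),
        "** pattern matches event0": matches(opened, ADOBE_EVENTS[0]["file"]),
        "** pattern matches event1": matches(opened, ADOBE_EVENTS[1]["file"]),
        "typo pattern matches anything": any(matches(typo, e["file"]) for e in ADOBE_EVENTS),
        "? variant matches Z@7.tmp": matches(single, ADOBE_EVENTS[1]["file"]),
        "? variant matches Z@a1b2.tmp": matches(single, ADOBE_EVENTS[0]["file"]),
        "C:\\**\\ADOBE\\**\\*.EXE matches process": matches(exe_any_depth, ADOBE_EVENTS[0]["process"]),
        "C:\\*\\ADOBE\\*\\*.EXE matches process": matches(exe_one_level, ADOBE_EVENTS[0]["process"]),
        "rule with exe AND narrow files covers event0":
            exception_matches(ADOBE_EVENTS[0], r"**\ACRORD32.EXE", original),
        "rule with files only covers event0":
            exception_matches(ADOBE_EVENTS[0], None, opened),
    }


if __name__ == "__main__":
    for label, result in tuning_report().items():
        print(f"{'MATCH ' if result else 'no    '} {label}")
```

The report makes the thread's diagnosis concrete: the poster's `Temp\*\acrord32_sbx` form requires exactly one folder between Temp and the sandbox directory, the `?` form only ever admits one character after `Z@`, a misspelled folder name silently matches nothing, and a rule that ANDs a correct Executable with a too-narrow Files value still fails as a whole. When tuning a real exception, start from the single broadest Files line, confirm the event stops, then add constraints one at a time.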