3 Replies Latest reply on Apr 4, 2016 10:40 AM by alex.hawke

    HIPS/VSE

    satisha.prakash

      Hello Guys,

       

      I have created an custom signature in HIPS which blocks reading/writing the executable files on the removable storage media. Now i have a question say suppose i have an executable in my USB drive which is a known malware to VSE, so when i open the USB drive in explorer and try to double click on the file will VSE OAS will scan the executable and deletes it or my HIPS rule to block executable will take priority and give me an access denied error?

        • 1. Re: HIPS/VSE
          alex.hawke

          I believe the most restrictive takes priority. So in your case, since the file would not be allowed to run, OAS will not be scanning it. Which would mean the HIPS rule would be taking priority, based on events occurring.

           

          There is overlap between VSE and HIPS - I would recommend tuning VSE down to eliminate such overlap. That recommendation is with the assumption that HIPS and VSE are deployed synonymously throughout your environment. I find that HIPS is sometimes only deployed to nodes with regulatory compliance mandates or high priority data to the organization - in which case you most definitely would not want to tune your VSE.           

          • 2. Re: HIPS/VSE
            satisha.prakash

            Thanks for the reply. I believe VSE will delete the file if it has the signature to delete it. I placed an EICAR file in USB and as soon as i open the USB the file is getting deleted by VSE. Below are some of the scenarios what we tested and found VSE will take the precedence above HIPS.

             

            Scenarios:

            • The EICAR file was placed just inside the USB drive not inside any folder.
            • VSE takes precedence and deletes the file as soon as we open the Drive (Removable Media) connected to the machine ( Actual File not opened ).
            • If the EICAR is placed inside any Folder , it is not detected unless we open the folder.
            • OAS logs says explorer.exe is the process accessing the EICAR file.
            • 3. Re: HIPS/VSE
              alex.hawke

              I read your initial HIPS rule wrong, sorry about that. I was thinking device access not .exe access for whatever reason.

               

              The overlap comment still holds true though.