2 Replies Latest reply on Oct 18, 2016 6:14 AM by staripley

    IPS Signature 6051

    staripley

      In VSE there is an AP rule to prevent hooking of McAfee processes. That rule transitions to IPS signature 6051. There is no documentation on 6051 and its usage. Is there any documentation on 6051? Do 6010 and 6011 replace 6051, or should they be used in place of 6051?

       

      Should any exceptions be made for 6051? For example, I have Bigfix continuously tripping 6051.

        • 1. Re: IPS Signature 6051
          Kary Tankink

          Sig 6051 performs similar functionality to the VSE Access Protection rule. There is no further documentation on it. The description you see in the Signature details is "This signature prevents McAfee processes from being hooked."

           

          It is separate functionality from Sig 6010/6011, which are the app white listing signatures.

           

          Sig 6051 exceptions will allow 3rd party applications to hook McAfee processes, which might cause issues (I don't have any specific examples though; testing would need to be performed in your environment; Sig 6051 is DISABLED by default as well).  See if Bigfix has a way to prevent hooking (or some type of exclusion rules) of McAfee processes to alleviate the signature events.

          • 2. Re: IPS Signature 6051
            staripley

            All 33 HIPS AP rules are disabled by default. If you want HIPS to do the AP vs VSE, you have to enable them. HIPS 6051 triggers a lot more than the same rule in VSE.