Solved

IEnv in hips firewall

Posted on 2016-08-18
2
46 Views
Last Modified: 2016-09-07
Hi

Can anyone help me with this issue i have.

I need to add SCEP rules into McAfee HIPs manually and i have a set a rule like the following below;
%SystemRoot%\system32\raserver.exe
Can i add this to the HIPs rule as it stands or do i need to change it to the below

[IEnv SystemRoot]\system32\raserver.exe

Thanks inadvance

Spooky
0
Comment
Question by:ciscocharlie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41762371
If you reference this based on HIPS 7, it is using IEnv
https://kc.mcafee.com/corporate/index?page=content&id=KB68467&pmv=print

In the forum, it is shared for [iEnv SystemRoot] and [iEnv SystemDrive] can be used interchangeably (as per guide on HIP 8) for %systemroot% and %systemdrive% respectively. However, nothing mentioned for %appdata%, %temp%, etc. Not sure if there is a equivalent field syntax. It is best to put up to McAfee support for advice instead.
https://community.mcafee.com/thread/64555?tstart=0

Most of the time, for HIP version interoperability, the executable path\name is still preferred and used for environmental related fields (on %% instead of IEnv) like
•System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot because the On‑Access scanner runs under the Windows Local System account.
https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Other info

If you are looking at controlling application, you can tap on
•Host IPS Signature 6010 - Generic Application Hooking Protection
•Host IPS Signature 6011 - Generic Application Invocation Protection
https://kc.mcafee.com/corporate/index?page=content&id=KB71794

As a whole, I find the below article useful as it demonstrated with example on the examples controlling over the running executable, registry, services etc (they are using full path instead)
http://pwndizzle.blogspot.sg/2014/03/custom-mcafee-hips-rules-that-actually.html
0
 
LVL 63

Expert Comment

by:btan
ID: 41787477
The switch and option in the rule are explained
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question