Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 91
  • Last Modified:

IEnv in hips firewall

Hi

Can anyone help me with this issue i have.

I need to add SCEP rules into McAfee HIPs manually and i have a set a rule like the following below;
%SystemRoot%\system32\raserver.exe
Can i add this to the HIPs rule as it stands or do i need to change it to the below

[IEnv SystemRoot]\system32\raserver.exe

Thanks inadvance

Spooky
0
ciscocharlie
Asked:
ciscocharlie
  • 2
1 Solution
 
btanExec ConsultantCommented:
If you reference this based on HIPS 7, it is using IEnv
https://kc.mcafee.com/corporate/index?page=content&id=KB68467&pmv=print

In the forum, it is shared for [iEnv SystemRoot] and [iEnv SystemDrive] can be used interchangeably (as per guide on HIP 8) for %systemroot% and %systemdrive% respectively. However, nothing mentioned for %appdata%, %temp%, etc. Not sure if there is a equivalent field syntax. It is best to put up to McAfee support for advice instead.
https://community.mcafee.com/thread/64555?tstart=0

Most of the time, for HIP version interoperability, the executable path\name is still preferred and used for environmental related fields (on %% instead of IEnv) like
•System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot because the On‑Access scanner runs under the Windows Local System account.
https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Other info

If you are looking at controlling application, you can tap on
•Host IPS Signature 6010 - Generic Application Hooking Protection
•Host IPS Signature 6011 - Generic Application Invocation Protection
https://kc.mcafee.com/corporate/index?page=content&id=KB71794

As a whole, I find the below article useful as it demonstrated with example on the examples controlling over the running executable, registry, services etc (they are using full path instead)
http://pwndizzle.blogspot.sg/2014/03/custom-mcafee-hips-rules-that-actually.html
0
 
btanExec ConsultantCommented:
The switch and option in the rule are explained
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now