IEnv in HIPS firewall

Hi

Can anyone help me with this issue I have?

I need to add SCEP rules into McAfee HIPS manually, and I have set a rule like the following:
%SystemRoot%\system32\raserver.exe
Can I add this to the HIPS rule as it stands, or do I need to change it to the following?

[IEnv SystemRoot]\system32\raserver.exe

Thanks in advance

Spooky
ciscocharlie asked:

btan, Exec Consultant, commented:
If you reference this based on HIPS 7, it is using IEnv:
https://kc.mcafee.com/corporate/index?page=content&id=KB68467&pmv=print

In the forum, it is shared that [iEnv SystemRoot] and [iEnv SystemDrive] can be used interchangeably (as per the guide on HIP 8) for %systemroot% and %systemdrive% respectively. However, nothing is mentioned for %appdata%, %temp%, etc. Not sure if there is an equivalent field syntax. It is best to put it up to McAfee support for advice instead.
https://community.mcafee.com/thread/64555?tstart=0

Most of the time, for HIP version interoperability, the executable path\name is still preferred and used for environment-related fields (using %% instead of IEnv), e.g.:
• System Environment Variables such as %SystemRoot% can be used in exclusions. User Environment Variables such as %UserProfile% cannot, because the On-Access scanner runs under the Windows Local System account.
https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Other info

If you are looking at controlling applications, you can tap on:
• Host IPS Signature 6010 - Generic Application Hooking Protection
• Host IPS Signature 6011 - Generic Application Invocation Protection
https://kc.mcafee.com/corporate/index?page=content&id=KB71794

As a whole, I find the article below useful, as it demonstrates with examples how to control running executables, registry, services, etc. (they are using full paths instead):
http://pwndizzle.blogspot.sg/2014/03/custom-mcafee-hips-rules-that-actually.html
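To make the %VAR% to [iEnv VAR] mapping from the answer above mechanical when preparing a batch of rules, here is an added helper (not code from the thread or from McAfee). It assumes, following the answer, that only SystemRoot and SystemDrive have an [iEnv] form, treats the per-user variables named in KB54812 (plus a few assumed ones) as not usable, and leaves any other token untouched with a warning so it can be checked with vendor support:

```python
import re
from typing import Dict, List, Tuple

# Assumed mapping, built from the thread above: only SystemRoot and
# SystemDrive are reported to have an [iEnv ...] form in the HIP 8 guide.
IENV_SUPPORTED: Dict[str, str] = {
    "systemroot": "SystemRoot",
    "systemdrive": "SystemDrive",
}
# Per-user variables: KB54812 says the scanner runs as Local System, so
# %UserProfile% cannot be used. The other names are assumed extensions.
USER_SCOPED = {"userprofile", "appdata", "localappdata", "temp", "tmp"}

_ENV_RE = re.compile(r"%([A-Za-z0-9_]+)%")


def to_ienv(path: str) -> Tuple[str, List[str]]:
    """Rewrite %VAR% tokens to [iEnv VAR]; return (rule, warnings)."""
    warnings: List[str] = []

    def repl(m: "re.Match") -> str:
        name = m.group(1)
        key = name.lower()
        if key in IENV_SUPPORTED:
            return f"[iEnv {IENV_SUPPORTED[key]}]"
        if key in USER_SCOPED:
            warnings.append(f"%{name}%: per-user variable, not usable under Local System")
        else:
            warnings.append(f"%{name}%: no known [iEnv] equivalent, confirm with vendor support")
        return m.group(0)  # leave unknown tokens untouched for manual review

    return _ENV_RE.sub(repl, path), warnings


def convert_rules(rules: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Batch helper: (original, converted, warnings) for each rule."""
    return [(r, *to_ienv(r)) for r in rules]


if __name__ == "__main__":
    # First rule is the one from the question; the others are constructed.
    sample = [
        r"%SystemRoot%\system32\raserver.exe",
        r"%SystemDrive%\Program Files\App\app.exe",
        r"%AppData%\Roaming\Tool\tool.exe",
    ]
    for orig, conv, warns in convert_rules(sample):
        print(orig, "->", conv, warns or "")
```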
btan, Exec Consultant, commented:
The switch and option in the rule are explained