

Host Intrusion Prevention Signature violation contains parameter information with hexadecimal characters instead of string characters
Technical Articles ID:   KB69120
Last Modified:  11/7/2016

Environment

McAfee Host Intrusion Prevention 8.0
McAfee Host Intrusion Prevention 7.0

 

Problem

When you view a Host Intrusion Prevention (Host IPS) Signature violation, the Advanced Detail parameters might show a run of hexadecimal digits instead of the string value you expect.

For example, if you try to modify the ContentVersion value under the HKLM\Software\McAfee\HIP registry key:

Original data

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]
"ContentVersion"="7.0.0.3248"

You attempt to change the registry key value to the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]
"ContentVersion"="7.0.0.3249"


Result
A Host Intrusion Prevention Signature violation occurs as follows:

 06-11 14:43:40 [04612] VIOLATION: [1] ------- Violation ---- Size 658 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1002"
  SignatureName="Windows Agent Shielding - Registry Access"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="<Domain\Username>"
  Process="C:\Windows\regedit.exe"
  IncidentTime="2010-06-11 14:43:40"
  AllowEx="False"
  SigRuleClass="Registry"
  ProcessId="1564"
  Session="1"
  SigRuleDirective="modify"/>
  <Params>
    <Param name="Registry Value(s)">\REGISTRY\MACHINE\SOFTWARE\MCAFEE\HIP\CONTENTVERSION</Param>
    <Param name="New Data">37002e0030002e0030002e0033003200340039000000</Param>
  </Params>
</Event>
------------------------------

In this signature violation, the New Data parameter records the raw bytes of the new value in hexadecimal rather than as text. Because Windows stores REG_SZ data as little-endian UTF-16, each character occupies two bytes (four hexadecimal digits, for example "7" is 3700), and the data ends with a two-byte null terminator (0000).

Solution

You can obtain the original string value from the hexadecimal value by using any Hexadecimal to String converter, provided you decode it as little-endian UTF-16 (or, equivalently, read only the first two hexadecimal digits of each four-digit group and discard the trailing 0000). A converter that treats every byte as an ASCII character shows a null character between each letter. For example:

Hex
37002e0030002e0030002e0033003200340039000000

String
7.0.0.3249


String            Hex
7                 3700
.                 2e00
0                 3000
.                 2e00
0                 3000
.                 2e00
3                 3300
2                 3200
4                 3400
9                 3900
(null terminator) 0000
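The following script is an added example, not part of this article or of the Host IPS product. It pulls the Param entries out of a violation's <Params> block (the sample below is copied from the violation shown above), decodes the New Data value as little-endian UTF-16 with the null terminator removed, and also shows what a byte-for-byte ASCII converter would print, which is the output that looks "wrong". The layout of the <Params> block and the assumption that New Data carries a REG_SZ value are taken from this article; values of other registry types are rejected rather than guessed at.

```python
import re

# Constructed sample: the <Params> block of the violation shown in this article.
SAMPLE_EVENT = r"""<Params>
    <Param name="Registry Value(s)">\REGISTRY\MACHINE\SOFTWARE\MCAFEE\HIP\CONTENTVERSION</Param>
    <Param name="New Data">37002e0030002e0030002e0033003200340039000000</Param>
  </Params>"""

PARAM_RE = re.compile(r'<Param name="([^"]+)">(.*?)</Param>', re.DOTALL)


def extract_params(event_text):
    """Return the <Param> name/value pairs of a violation as a dict."""
    return {name: value.strip() for name, value in PARAM_RE.findall(event_text)}


def decode_new_data(hex_text):
    """Decode a 'New Data' parameter that carries a REG_SZ value.

    Windows stores REG_SZ data as little-endian UTF-16, so each character
    occupies two bytes (four hex digits, e.g. '7' -> 3700) and the data ends
    with a two-byte null terminator (0000). Raises ValueError when the hex
    does not look like a single null-terminated UTF-16 string.
    """
    hex_text = hex_text.strip()
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hex_text):
        raise ValueError("not an even-length hexadecimal string: %r" % hex_text)
    raw = bytes.fromhex(hex_text)
    if len(raw) % 2:
        raise ValueError("odd byte count; not UTF-16 data")
    text = raw.decode("utf-16-le")
    if "\x00" not in text:
        raise ValueError("no null terminator; probably not a REG_SZ value")
    value, _, trailer = text.partition("\x00")
    if trailer.strip("\x00"):
        # Data continues past the first terminator (a REG_MULTI_SZ would look
        # like this): not a single string, so inspect the raw bytes instead.
        raise ValueError("data continues past the terminator; not a single REG_SZ")
    return value


def naive_ascii_decode(hex_text):
    """What a byte-for-byte hex-to-text converter shows: the high byte of
    every UTF-16 code unit appears as a NUL between the characters."""
    return bytes.fromhex(hex_text.strip()).decode("latin-1")


def encode_new_data(value):
    """Inverse of decode_new_data: render a string the way the log records it."""
    return (value + "\x00").encode("utf-16-le").hex()


def hex_table(value):
    """Per-character breakdown like the table in the article, terminator included."""
    return [(ch, ch.encode("utf-16-le").hex()) for ch in value] + [("(NUL)", "0000")]


if __name__ == "__main__":
    params = extract_params(SAMPLE_EVENT)
    print("Registry value:", params["Registry Value(s)"])
    print("New Data decoded:", decode_new_data(params["New Data"]))
    print("Naive ASCII decode:", repr(naive_ascii_decode(params["New Data"])))
    for ch, hx in hex_table(decode_new_data(params["New Data"])):
        print("%-6s %s" % (ch, hx))
```

Run it as a script to see the decoded value beside the naive decode; the round trip through encode_new_data is a quick way to confirm that a hex string you are about to interpret really is a null-terminated UTF-16 string and not some other registry data type.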
