How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature
Technical Articles ID: KB71329
Last Modified: 9/9/2016


McAfee ePolicy Orchestrator (ePO)
McAfee Host Intrusion Prevention (Host IPS) 8.0 for Windows


Use the following steps to blacklist an application using a Host IPS 8.0 custom signature:
  1. Log on to the ePO console.
  2. Create a custom signature for Host IPS 8.0.
    NOTE: See the Host IPS 8.0 product documentation reference after the steps for detailed information on how to create a custom signature. Ensure that the Severity you set for the signature corresponds to a level that your IPS Protection policy is set to Prevent or Log.
  3. Open the newly created custom signature and click the Subrules tab.
  4. Create a Subrule with the following entries: 
    • Select Program for Rule Type.
    • Select Run target executable for Operations.
    • Select New Target Executable for Parameters.
  5. For the Target Executable information, enter one or more of the following application information fields:
    • Name - Name of the application (required)
    • File Description - File description within the application executable (not a "Comment" description of the executable; see KB71735 for more details.)
    • File name - Application name with or without paths (wildcards accepted; see the Wildcards and variables section of the Host IPS Product Guides for more information.)
    • Fingerprint - MD5 fingerprint of the application executable
      NOTE: When entering the hash data, do not enter the 0x as part of the hash. (See KB71205 for more details.)
    • Signer - Certificate of signed application (See KB71205 for more details.)
To create a Host Intrusion Prevention 8.0 custom signature, see "Appendix A — Writing Custom Signatures and Exceptions" in PD22894 - Host Intrusion Prevention 8.0 Product Guide.
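The following PowerShell function is an added example, not part of the original article or of any McAfee tooling. It collects, from an executable on a reference machine, the raw values that correspond to the Target Executable fields in step 5. The function name `Get-TargetExecutableInfo` and the sample path are assumptions, and the exact format Host IPS expects for the Signer field is covered by KB71205 and is not reproduced here.

```powershell
# Added example: gather values for the Target Executable fields in step 5.
# Get-TargetExecutableInfo is a hypothetical helper name, not a McAfee tool.
function Get-TargetExecutableInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop

        # File Description is read from the version resource embedded in the
        # executable; it is empty when the binary carries no such resource.
        $description = $file.VersionInfo.FileDescription

        # Get-FileHash returns bare hexadecimal digits with no 0x prefix,
        # which is the form the Fingerprint NOTE asks for.
        $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash

        # Authenticode signer, if any. Unsigned files report the status
        # NotSigned and carry no SignerCertificate.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            FileName        = $file.FullName
            FileDescription = $description
            Fingerprint     = $md5
            SignatureStatus = $sig.Status
            SignerSubject   = $signer
        }
    }
}

# Constructed sample input: a binary that ships with Windows.
Get-TargetExecutableInfo -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Because the function accepts pipeline input, `Get-ChildItem` output for a folder of executables can be piped into it to compare fingerprints across several versions of the same application before choosing which fields to enter.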
