How to block applications using a Host Intrusion Prevention 8.0 custom signature

Technical Articles ID: KB71329
Last Modified: 9/8/2020

McAfee ePolicy Orchestrator (ePO)
McAfee Host Intrusion Prevention (Host IPS) 8.0 for Windows

Use the following steps to block an application using a Host IPS 8.0 custom signature:

Log on to the ePO console.
Create a custom signature for Host IPS 8.0. For detailed steps, see "Appendix A — Writing Custom Signatures and Exceptions" in the Host Intrusion Prevention 8.0 Product Guide. Make sure that you set the Severity of the signature to match your IPS Protection policy to Prevent or Log the signature.
Open the newly created custom signature and click the Subrules tab.
Create a Subrule with the following entries:
- Select Program for Rule Type.
- Select Run target executable for Operations.
- Select New Target Executable for Parameters.
For the Target Executable information, enter one or more of the following application information fields:
- Name - Name of the application. This field is required.
- File Description - File description within the application executable. This field is not a "comment" description of the executable. See KB71735 for details.
- File name - Application name with or without paths. Wildcards are accepted. See the "Wildcards" and variables section of the Host Intrusion Prevention 8.0 Product Guide for more information.
- Fingerprint - MD5 Fingerprint
  NOTE: When you use the Hash data, do not enter the 0x as part of the Hash. See KB71205 for details.
- Signer - Certificate of signed application. See KB71205 for details.

For information about how to configure application blocking/hooking functionality with Host IPS 8.0, see KB71794.

Configuration
Host Intrusion Prevention 8.0

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center