

Application blocking/hooking functionality with Host Intrusion Prevention 8.0
Technical Articles ID:   KB71794
Last Modified:  6/3/2016


Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0

For information on Host IPS 8.0 supported platforms, environments, and operating systems, see KB70778.

Summary

Host IPS 8.0 does not include a separate Application Blocking module, but provides this functionality using the Host IPS module.

Host IPS Signatures 6010 and 6011 are included in the McAfee Default IPS rules policy:
  • Host IPS Signature 6010 - Generic Application Hooking Protection
  • Host IPS Signature 6011 - Generic Application Invocation Protection 

Both signatures are disabled by default.

Both signatures 6010 and 6011 ‘Allow’ the following by default:

  • Any executable launched from explorer.exe where explorer.exe resides in the system root folder
  • Any executable launched with user context "NT AUTHORITY\SYSTEM", "NT Authority\LOCAL SERVICE" or "NT Authority\NETWORK SERVICE"
  • Any executable launched with the following SDNs:

    • {CN=McAfee, Inc., OU=IIS, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=McAfee, Inc., L=Santa Clara, S=California, C=US}
    • {CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US}
    • {CN=MCAFEE INTERNATIONAL LTD., OU=R&D, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=MCAFEE INTERNATIONAL LTD., L=HOVE, S=EAST SUSSEX, C=GB}
    • {CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US}
    • {CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US}
    • {CN=MICROSOFT WINDOWS COMPONENT PUBLISHER, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US}
    • {CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US}
    • {CN=GOOGLE INC, OU=DIGITAL ID CLASS 3 - NETSCAPE OBJECT SIGNING, O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US}

Problem

Executables that fall under the default exclusions listed above are still allowed to run or hook even after signatures 6010 and 6011 are enabled.

Solution

Users must create separate Host IPS custom signatures to specifically block an executable that is excluded.

Blacklist an executable
To create an application blocking rules policy to prevent an executable from running (blacklist):
  1. Create a new IPS custom signature using a subrule specified with:

    • Rule type = Program
    • Operation = Run target executable

  2. Add a new target executable with the appropriate match criteria. This can include any of the following items:
    • executable pathname
    • file description
    • MD5 hash
    • digital signature Subject Distinguished Name

Whitelist an executable
To create an application blocking rules policy that allows only specified executables to run, but blocks all others (whitelist):
  1. Enable and configure Host IPS signature 6011 to a severity that maps to a prevent reaction.
  2. Add an exception to signature 6011, and specify any allowed executables with the appropriate match criteria (which can include executable pathname, file description, MD5 hash, and/or digital signature Subject Distinguished Name).

Executable hooking blacklist
To create an application blocking rules policy that prevents a specific executable from hooking any other executable: 
  1. Create a new IPS custom signature using two subrules:

    • The first subrule should have Rule type = Program, operation = Open with access to create thread. Add a new executable with the appropriate match criteria (this can include executable path\name, file description, MD5 hash, or digital signature Subject Distinguished Name).

    • The second subrule should have Rule type = Hook, operation = Hook a DLL. Add the same executable as for the first subrule.

      NOTE:
      In this scenario, you are adding an executable, not a target executable as you would do to prevent an executable from running.

Executable hooking whitelist
To create an application blocking rules policy that allows an executable to hook other executables, but blocks all other executables from hooking other executables: 
  1. Enable and configure Host IPS signature 6010 to a severity that maps to a prevent reaction.  
  2. Add an exception to signature 6010, and specify any allowed executables with the appropriate match criteria (this can include executable path\name, file description, MD5 hash, or digital signature Subject Distinguished Name).

    NOTE:
    In this scenario, you are specifying an executable, not a target executable as you would specify for signature 6011 (to allow an executable to run).
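Each of the procedures above asks for match criteria for an executable (pathname, file description, MD5 hash, digital signature Subject Distinguished Name). The following PowerShell is an added example, not part of the KB article or of Host IPS: it collects those four values for one file and flags whether the signer SDN is one of the defaults that 6010 and 6011 allow, which is the case where the Solution section says a custom signature is needed. Function and variable names are this example's own.

```powershell
# Added example, not from the KB article: gather the four match criteria a
# Host IPS custom signature or exception accepts (pathname, file description,
# MD5 hash, signer Subject Distinguished Name) for one executable, and flag
# whether its signer SDN is one the article lists as allowed by default.
# Function and variable names are this example's own, not Host IPS names.

# SDNs copied from the article's default 'Allow' list (braces removed).
$DefaultAllowedSdns = @(
    'CN=McAfee, Inc., OU=IIS, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=McAfee, Inc., L=Santa Clara, S=California, C=US',
    'CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US',
    'CN=MCAFEE INTERNATIONAL LTD., OU=R&D, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=MCAFEE INTERNATIONAL LTD., L=HOVE, S=EAST SUSSEX, C=GB',
    'CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US',
    'CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=MICROSOFT WINDOWS COMPONENT PUBLISHER, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US',
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=GOOGLE INC, OU=DIGITAL ID CLASS 3 - NETSCAPE OBJECT SIGNING, O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US'
)

function Get-HipsMatchCriteria {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    # Subject of the signing certificate; $null when the file is unsigned.
    $sdn  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Pathname         = $item.FullName
        FileDescription  = $item.VersionInfo.FileDescription
        MD5              = (Get-FileHash -LiteralPath $item.FullName -Algorithm MD5).Hash
        SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        # Braces added to match the form the article uses for SDNs.
        SubjectDN        = if ($sdn) { "{$sdn}" } else { $null }
        # -contains compares case-insensitively, which covers the upper-case
        # entries in the list. An executable whose signer is in this list is
        # allowed by 6010/6011 by default, so blocking it needs a custom
        # signature (see Solution); the explorer.exe and service-account
        # exclusions are about launch context and are not checked here.
        AllowedByDefault = ($null -ne $sdn) -and ($DefaultAllowedSdns -contains $sdn)
    }
}

# Usage: review the criteria before building a subrule or exception.
Get-HipsMatchCriteria -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

The Subject string that .NET renders may differ in ordering or quoting from how the Host IPS console displays the same certificate, so treat AllowedByDefault as a hint and confirm the SDN in the console before relying on it.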
