Application blocking/hooking functionality with Host Intrusion Prevention 8.0
Technical Articles ID:
KB71794
Last Modified: 8/26/2020
Environment
McAfee Host Intrusion Prevention (Host IPS) 8.0
For information about Host IPS 8.0 supported platforms, environments, and operating systems, see KB70778. Summary
Host IPS 8.0 does not include a separate Application Blocking module. It provides this functionality using the Host IPS module.
Host IPS Signatures 6010 and 6011 are included in the McAfee Default IPS rules policy:
- Host IPS Signature 6010 - Generic Application Hooking Protection
- Host IPS Signature 6011 - Generic Application Invocation Protection
Both signatures are disabled by default.
Both signatures 6010 and 6011 ‘Allow’ the following by default:
- Any executable started from explorer.exe where explorer.exe resides in the system root folder
- Any executable started with user context NT AUTHORITY\\SYSTEM", "NT Authority\\LOCAL SERVICE" and "NT Authority\\NETWORK SERVICE
- Any executable started with the following SDNs:
- {CN=McAfee, Inc., OU=IIS, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=McAfee, Inc., L=Santa Clara, S=California, C=US}
- {CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US}
- {CN=MCAFEE INTERNATIONAL LTD., OU=R&D, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=MCAFEE INTERNATIONAL LTD., L=HOVE, S=EAST SUSSEX, C=GB}
- {CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US}
- {CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US}
- {CN=MICROSOFT WINDOWS COMPONENT PUBLISHER, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US}
- {CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US}
- {CN=GOOGLE INC, OU=DIGITAL ID CLASS 3 - NETSCAPE OBJECT SIGNING, O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US}
Problem
Some executables are allowed through exclusions.
Solution
Users must create separate Host IPS custom signatures to specifically block an executable that is excluded.
Blacklist an executable
To create an application blocking rules policy to prevent an executable from running (blacklist):
- Create an IPS custom signature using a subrule specified with:
Rule type = Program
Operation = Run target executable
- Add a new target executable with the appropriate match criteria. It can include any of the following items:
- Executable pathname
- File description
- MD5 hash
- Digital signature Subject Distinguished Name
Whitelist an executable
To create an application blocking rules policy that allows only specified executables to run, but blocks all others (whitelist):
- Enable and configure Host IPS signature 6011 to a severity that maps to a prevent reaction.
- Add an exception to signature 6011, and specify any allowed executables with the appropriate match criteria. The criteria can include executable path name, file description, MD5 hash, and digital signature Subject Distinguished Name.
Executable hooking blacklist
To create an application blocking rules policy that prevents a specific executable from hooking any other executable:
- Create an IPS custom signature using two subrules:
- The first subrule must have Rule type = Program, operation = Open with access to create thread. Add a new executable with the appropriate match criteria. The criteria can include executable path name, file description, MD5 hash, or digital signature Subject Distinguished Name.
- The second subrule must have Rule type = Hook, operation = Hook a DLL. Add the same executable as for the first subrule.
NOTE: In this scenario, you are adding an executable, not a target executable as you would do to prevent an executable from running.
Executable hooking whitelist
To create an application blocking rules policy that allows an executable to hook other executables, but blocks all other executables from hooking other executables:
- Enable and configure Host IPS signature 6010 to a severity that maps to a prevent reaction.
- Add an exception to signature 6010, and specify any allowed executables with the appropriate match criteria. The criteria can include executable path name, file description, MD5 hash, or digital signature Subject Distinguished Name.
NOTE: In this scenario, you are specifying an executable, not a target executable as you would specify for signature 6011 (to allow an executable to run).
|
