How to protect Image File Execution Options with a Host Intrusion Prevention 8.0 Custom Signature
Technical Articles ID:   KB89032
Last Modified:  3/29/2017

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0

Summary

Microsoft Windows supports a method for loading DLLs into running processes that leverages the Image File Execution Options (IFEO) registry key. This key is often used by legitimate software and troubleshooting or diagnostic tools, but it can also be leveraged maliciously.

This article describes the Custom Signature rules to create in Host IPS 8.0, the IFEO registry keys they protect, and the Host IPS processes whose IFEO entries are guarded.

Solution

Use these steps to create two new expert Host IPS 8.0 Custom Signatures, 4001 and 4002.
  1. Log on to the ePolicy Orchestrator console.
  2. Create a Custom Signature for Host IPS 8.0.
     
    NOTE: See the Host IPS 8.0 product documentation link in Related Information below for detailed information on how to create a Custom Signature. 
     
  3. Click New.
  4. Provide the Signature Name and Description.
  5. Set the Severity of the signature to High and Enable Logging.
  6. Open the newly created Custom Signature and click the Subrules tab.
  7. Click New Expert Subrule.
  8. Copy the following Custom IPS rule syntax, paste it into the expert subrule console, and click OK then Save.
Rule {
    Class Registry
    Id 4001
    level 4
    keys { Include -e "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" \
            "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" \
        }
    user_name { Include "*" }
    application { Include "*" }
    application { Exclude  \
                "[iEnv systemroot]\\system32\\SETUPCL.exe" \
                "[iEnv systemroot]\\syswow64\\SETUPCL.exe" \
                "[iEnv systemroot]\\system32\\sysprep\\sysprep.exe" \
                "[iEnv systemroot]\\syswow64\\svchost.exe" \
                "[iEnv systemroot]\\system32\\systempropertiesprotection.exe" \
                "[iEnv systemroot]\\syswow64\\systempropertiesprotection.exe" \
                "[iEnv systemroot]\\system32\\srtasks.exe" \
                "[iEnv systemroot]\\syswow64\\srtasks.exe" \
                "[iEnv systemroot]\\system32\\wininit.exe" \
                "[iEnv systemroot]\\syswow64\\wininit.exe" \
                "*\\*windows*\\sources\\setupplatform.exe" \
                }
    Executable {Exclude { -sdn {CN=McAfee, Inc., OU=IIS, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=McAfee, Inc., L=Santa Clara, S=California, C=US} } }
    Executable {Exclude { -sdn {CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US} } }
    Executable {Exclude { -sdn {CN=MCAFEE INTERNATIONAL LTD., OU=R&D, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=MCAFEE INTERNATIONAL LTD., L=HOVE, S=EAST SUSSEX, C=GB} } }
    Executable {Exclude { -sdn {CN=Intel Corporation, OU=ISecG Enterprise, O=Intel Corporation, STREET = 2200 Mission College Blvd, STREET = FM1-110, L=Santa Clara, S=CA, PostalCode = 95054, C=US} } }
    Executable {Exclude { -sdn {CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US} } }
    Executable {Exclude { -sdn {CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US} } }
    Executable {Exclude { -sdn {CN=MICROSOFT WINDOWS COMPONENT PUBLISHER, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US} } }
    Executable {Exclude { -sdn {CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US} } }
    
    time { Include "*" }
    directives -c -d \
        registry:delete \
        registry:create \
        registry:restore \
        registry:replace \
        registry:rename \
}

  9. Repeat Steps 3 - 7 for the second Custom IPS rule 4002.
  10. Copy the following Custom IPS rule syntax, paste it into the expert subrule console, and click OK then Save.
Rule {
    Class Registry
    Id 4002
    level 4
    keys { Include -e "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireSvc.exe\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HIPMGMT.EXE\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ClientControl.exe\\*"  \
                        "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireTray.exe\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HELPER.exe\\*"  \
                        "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Mcafeefire.exe\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Secctrfw.exe\\*"  \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireSvc.exe\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HIPMGMT.EXE\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ClientControl.exe\\*"  \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireTray.exe\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HELPER.exe\\*"  \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Mcafeefire.exe\\*" \
                        "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Secctrfw.exe\\*"  \
        }
    user_name { Include "*" }
    application { Include "*" }
    time { Include "*" }
    directives -c -d \
        registry:create \
        registry:delete \
        registry:rename \
        registry:replace \
        registry:restore
    attributes -no_trusted_apps -no_log -not_auditable
}
  11. Save the policy and enforce it on the Host IPS 8.0 client systems.
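Before enforcing the policy, check what already exists under the protected keys on a representative client: the signatures block changes to the keys but leave existing entries in place, and rule 4002 carries -no_log, so an entry that is already present for a Host IPS process would go unreported. The following PowerShell audit is an added example, not part of the article or of the Host IPS product; it assumes the two key paths and the process names exactly as they appear in the rule syntax above, and the value names Debugger, VerifierDlls and GlobalFlag are the standard per-image IFEO values.

```powershell
# Added audit script (not from the McAfee article): list existing IFEO entries
# on a client before signatures 4001/4002 are enforced, and flag any entry that
# targets a Host IPS process named in rule 4002. Run from an elevated shell.

# The two key paths protected by rule 4001 (native and Wow6432Node views).
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Process names guarded by rule 4002, taken from the article's rule syntax.
$HipsProcesses = @('FireSvc.exe', 'HIPMGMT.EXE', 'ClientControl.exe', 'FireTray.exe',
                   'HELPER.exe', 'Mcafeefire.exe', 'Secctrfw.exe')

# Per-image IFEO values that alter how the named image is started or loaded.
$WatchValues = @('Debugger', 'VerifierDlls', 'GlobalFlag')

function Get-IfeoFindings {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $sub.PSPath
            foreach ($name in $WatchValues) {
                $val = $props.PSObject.Properties[$name]   # $null when the value is absent
                if ($null -ne $val) {
                    [pscustomobject]@{
                        Root     = $root
                        Image    = $sub.PSChildName
                        Value    = $name
                        Data     = $val.Value
                        HipsProc = ($HipsProcesses -contains $sub.PSChildName)  # case-insensitive
                    }
                }
            }
        }
    }
}

$findings = @(Get-IfeoFindings)
if ($findings.Count -eq 0) {
    'No Debugger, VerifierDlls or GlobalFlag entries found under the IFEO keys.'
} else {
    $findings | Sort-Object HipsProc -Descending | Format-Table -AutoSize
}
```

Any row with HipsProc = True should be investigated and removed before the policy is enforced, since rule 4002 prevents future changes to those subkeys but does not clean up what is already there; the remaining rows show the legitimate debugger and diagnostic entries that rule 4001's application exclusions may need to account for.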
