How to protect Image File Execution Options with Host Intrusion Prevention
Technical Article ID: KB89032
Last updated: 10/20/2020

Environment
McAfee Host Intrusion Prevention (Host IPS) 8.0
Problem
Microsoft Windows lets the Image File Execution Options (IFEO) registry key change how an executable is started. A subkey named after an executable can, for example, name a Debugger program that Windows launches instead of that executable (passing it the original command line), or cause additional DLLs to be loaded into the process. The key is used by legitimate software and by troubleshooting and diagnostic tools, but anyone who can write to it can redirect or inject into any program on the host, including the Host IPS processes themselves, which is why it needs protection.
Solution
This issue is resolved in Host IPS 8.0.

NOTES:
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.
NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Workaround
Use the definitions below to create two new expert-mode Host IPS 8.0 custom signatures, 4001 and 4002.

Signature 4001 blocks deletion, creation, restoration, replacement and renaming of the IFEO key itself, in both the native and the Wow6432Node view, for every user and application, with two kinds of exclusion: the listed Windows setup and servicing executables (matched by path), and executables whose code-signing certificate has one of the listed McAfee, Intel or Microsoft signer distinguished names (-sdn). It does not set -no_trusted_apps, so applications in the Trusted Applications policy are still exempt.

Signature 4002 blocks the same operations on IFEO subkeys named after the Host IPS executables (FireSvc.exe, HIPMGMT.EXE, ClientControl.exe, FireTray.exe, HELPER.exe, Mcafeefire.exe, Secctrfw.exe) in both views. It has no exclusions, and its attributes -no_trusted_apps and -no_log mean that trusted applications are not exempt and that a blocked attempt is not logged, so do not expect a Host IPS event when it fires.

Neither signature lists a directive covering modification of values that already exist under an IFEO subkey, so review the current contents of both IFEO keys before deploying and test the signatures in a non-production policy first.
Signature 4001:

Rule {
  Class Registry
  Id 4001
  level 4
  keys { Include -e "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" \
  }
  user_name { Include "*" }
  application { Include "*" }
  application { Exclude \
    "[iEnv systemroot]\\system32\\SETUPCL.exe" \
    "[iEnv systemroot]\\syswow64\\SETUPCL.exe" \
    "[iEnv systemroot]\\system32\\sysprep\\sysprep.exe" \
    "[iEnv systemroot]\\syswow64\\svchost.exe" \
    "[iEnv systemroot]\\system32\\systempropertiesprotection.exe" \
    "[iEnv systemroot]\\syswow64\\systempropertiesprotection.exe" \
    "[iEnv systemroot]\\system32\\srtasks.exe" \
    "[iEnv systemroot]\\syswow64\\srtasks.exe" \
    "[iEnv systemroot]\\system32\\wininit.exe" \
    "[iEnv systemroot]\\syswow64\\wininit.exe" \
    "*\\*windows*\\sources\\setupplatform.exe" \
  }
  Executable { Exclude { -sdn {CN=McAfee, Inc., OU=IIS, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=McAfee, Inc., L=Santa Clara, S=California, C=US} } }
  Executable { Exclude { -sdn {CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US} } }
  Executable { Exclude { -sdn {CN=MCAFEE INTERNATIONAL LTD., OU=R&D, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=MCAFEE INTERNATIONAL LTD., L=HOVE, S=EAST SUSSEX, C=GB} } }
  Executable { Exclude { -sdn {CN=Intel Corporation, OU=ISecG Enterprise, O=Intel Corporation, STREET = 2200 Mission College Blvd, STREET = FM1-110, L=Santa Clara, S=CA, PostalCode = 95054, C=US} } }
  Executable { Exclude { -sdn {CN=MICROSOFT WINDOWS, OU=MOPR, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US} } }
  Executable { Exclude { -sdn {CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US} } }
  Executable { Exclude { -sdn {CN=MICROSOFT WINDOWS COMPONENT PUBLISHER, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US} } }
  Executable { Exclude { -sdn {CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US} } }
  time { Include "*" }
  directives -c -d \
    registry:delete \
    registry:create \
    registry:restore \
    registry:replace \
    registry:rename \
}

Signature 4002:

Rule {
  Class Registry
  Id 4002
  level 4
  keys { Include -e "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireSvc.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HIPMGMT.EXE\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ClientControl.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireTray.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HELPER.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Mcafeefire.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Secctrfw.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireSvc.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HIPMGMT.EXE\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ClientControl.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\FireTray.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HELPER.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Mcafeefire.exe\\*" \
                    "\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Secctrfw.exe\\*" \
  }
  user_name { Include "*" }
  application { Include "*" }
  time { Include "*" }
  directives -c -d \
    registry:create \
    registry:delete \
    registry:rename \
    registry:replace \
    registry:restore
  attributes -no_trusted_apps -no_log -not_auditable
}
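The following PowerShell script is an added example, not part of this article and not McAfee code. It covers two things a practitioner wants around the problem statement and the two signatures above: an audit of both IFEO views (native and Wow6432Node) for subkeys that carry a launch-redirecting or DLL-loading value, with the seven Host IPS image names from signature 4002 flagged, and a lab-only enforcement check that tries to create one of the subkeys 4002 protects and reports whether the write was refused. Because 4002 carries -no_log, a block produces no Host IPS event, so a direct write attempt is the practical way to confirm it is active. It assumes an elevated PowerShell session on the endpoint being checked. The value names Debugger, GlobalFlag and VerifierDlls are standard IFEO values and are not taken from the article; the function names are this example's own.

```powershell
# Added example (not McAfee code): audit both IFEO views for hooks and for
# subkeys naming the Host IPS executables that signature 4002 protects.
# Assumes an elevated PowerShell session on the endpoint being checked.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Image names taken from signature 4002 in the article.
$HipsImages = @('FireSvc.exe', 'HIPMGMT.EXE', 'ClientControl.exe', 'FireTray.exe',
                'HELPER.exe', 'Mcafeefire.exe', 'Secctrfw.exe')

# Standard IFEO values (assumption: not listed in the article): Debugger redirects
# the launch, GlobalFlag enables loader/verifier options, VerifierDlls names DLLs
# the Application Verifier loads into the process.
$HookValues = @('Debugger', 'GlobalFlag', 'VerifierDlls')

function Get-IfeoFindings {
    [CmdletBinding()]
    param([string[]]$Roots = $IfeoRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $view = if ($root -like '*Wow6432Node*') { 'Wow6432Node' } else { 'Native' }

        foreach ($sub in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $image  = $sub.PSChildName
            $props  = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
            $isHips = $HipsImages -contains $image      # -contains compares case-insensitively
            $hooks  = @($HookValues | Where-Object { $null -ne $props.$_ -and "$($props.$_)" -ne '' })

            foreach ($name in $hooks) {
                [pscustomobject]@{
                    View      = $view
                    Image     = $image
                    Value     = $name
                    Data      = "$($props.$name)"
                    HipsImage = $isHips
                }
            }
            # A subkey for a Host IPS executable deserves a look even before a hook value is set.
            if ($isHips -and $hooks.Count -eq 0) {
                [pscustomobject]@{ View = $view; Image = $image; Value = '(subkey present)'; Data = ''; HipsImage = $true }
            }
        }
    }
}

function Test-IfeoProtection {
    # Lab-only enforcement check for signature 4002: try to create the IFEO subkey
    # for one protected image in the native view. Returns $true if the create was
    # refused, $false if it went through (the key is then removed again), $null if
    # the key already exists and should be investigated rather than tested against.
    param([string]$Image = 'FireSvc.exe')

    $key = Join-Path -Path $IfeoRoots[0] -ChildPath $Image
    if (Test-Path -LiteralPath $key) {
        Write-Warning "$key already exists; investigate it instead of testing against it."
        return $null
    }
    try {
        New-Item -Path $key -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $key -ErrorAction SilentlyContinue
        return $false   # create succeeded: 4002 is not enforced on this host
    } catch {
        return $true    # create refused while elevated: consistent with 4002 enforcing
    }
}

Get-IfeoFindings | Sort-Object -Property HipsImage, Image -Descending | Format-Table -AutoSize
"Signature 4002 enforced: $(Test-IfeoProtection)"
```

Run the audit before deploying the signatures, since the signatures only act on future key operations and will not remove a Debugger value that is already in place; any finding whose HipsImage column is True, or whose Debugger data is not a known debugger or diagnostic tool, should be investigated. Run Test-IfeoProtection only on a lab host, as it performs the exact registry write the signature exists to block.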
Related information
SB10193 - McAfee - Security Bulletin: Updates fix a potential vulnerability in Windows-based products (CVE-2017-4028)
To create a Host IPS 8.0 Custom Signature, see "Appendix A — Writing Custom Signatures and Exceptions" in the Host Intrusion Prevention 8.0 Product Guide.