How to write a custom rule on McAfee HIPS

To create a custom rule to prevent FILE operations (Create, Write, Execute, Read, etc.):

Name: <insert name>
Rule type: Files
Operations: Create, Execute, Read, Write
Parameters: path/file name
Note: The file name must include a path. If you wish to wildcard the path, begin the filename with **\ or ?:\ if you wish to wildcard the drive letter (for example: **\filename.exe or ?:\filename.exe).
You cannot use MD5 hashes with the “Files” parameter; it accepts a path/filename only.
Drive type can also be used to limit the path to a specific drive type (for example, hard drive, CD-ROM, USB, network, floppy).
Executables: Can be left blank, unless you want to limit the signature to specific processes that perform the file operation (for example, explorer.exe, cmd.exe, etc.).
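
A pre-deployment check for the Files rule parameter described above, as an added example (not from the original post or from McAfee): it flags values that break the two notes (no path, MD5 hash) and previews which paths a wildcard pattern would cover. The function names, the sample paths, case-insensitive matching and the single-* behaviour are assumptions made for illustration.

```python
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def lint_files_parameter(value):
    """Return a list of problems with a Files rule path/file name value."""
    problems = []
    if MD5_RE.match(value):
        problems.append("MD5 hash given; Files rules take path/file name only")
    elif "\\" not in value:
        problems.append("no path; prefix with **\\ or ?:\\ to wildcard it")
    return problems

def pattern_to_regex(pattern):
    """Translate a rule pattern to a regex.
    From the page: **\\ wildcards the path, ?:\\ wildcards the drive letter.
    Assumed here: a single * stays inside one path component, and
    matching is case-insensitive (Windows paths)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # spans directory separators
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")     # assumed: does not cross a backslash
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")      # exactly one character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def covered(pattern, paths):
    """Return the paths the pattern would apply to."""
    rx = pattern_to_regex(pattern)
    return [p for p in paths if rx.match(p)]

# Constructed sample paths, for illustration only.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\filename.exe",
    r"D:\filename.exe",
    r"C:\Tools\otherfile.exe",
    r"C:\Tools\filename.exe.bak",
]

if __name__ == "__main__":
    for pat in (r"**\filename.exe", r"?:\filename.exe", "filename.exe"):
        print(pat, lint_files_parameter(pat), covered(pat, SAMPLE_PATHS))
```

The ?:\ form only covers the file in the root of a drive, while **\ covers it at any depth, which is worth confirming against real paths before the rule is set to block.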

To create a custom rule to prevent PROGRAM operations:

Name: <insert name>
Rule type: Program
Operations: Run target executable
Parameters: <leave blank>
Executables: Can be left blank, unless you wish to limit the signature to a specific process as the source executable (for example, if you want to block explorer.exe from running a target executable such as notepad.exe).
Target Executables: Define the executable properties for which you want to prevent execution (for example, if you want to block Notepad.exe from running, specify the path/filename of the executable). The executable can be defined using one or more of the criteria (File Description, File Name, Fingerprint, Signer).
