cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
KingInTheNorth
Level 9
Report Inappropriate Content
Message 1 of 4
‎04-08-2019 02:10 PM

HIPS Blocking Teams.EXE for Signature 7066, exceptions not working

Jump to solution

When Installing Microsoft Teams Hips is triggered for signature 7066. I attempted to create an exception from the Threat Event, but HIPs still blocks it. Teams.exe triggers 7066, "Prevent Common Executable's From Running In User Profile Folder."

I have even tried adding Teams.exe in the Trust Applications Policy, but it still blocks it. When I turn HIPs off, it works just fine. So I am confused as to why a rule created from the threat event does not even work. Something seems to be triggering that is not being recorded in the event.

Thank you in advance for any advise.

Reply
2 Solutions

Accepted Solutions
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 4
‎04-08-2019 02:24 PM

Re: HIPS Blocking Teams.EXE for Signature 7066, exceptions not working

Jump to solution

Signature 7066 is a custom signature (not a McAfee default signature), so if you have a concern about the signature itself, you would need to contact your internal team that created the signature.

In regards, to the IPS exception issue you're asking about, I think it would be best to open a Service Request with McAfee Support to further discuss the specifics so that the event and exception details are not on public display.  I suspect it's just a configuration issue with the IPS exception (compared to the IPS event details).

View solution in original post

0 Kudos
Reply
KingInTheNorth
Level 9
Report Inappropriate Content
Message 4 of 4
‎09-16-2020 03:58 PM

Re: HIPS Blocking Teams.EXE for Signature 7066, exceptions not working

Jump to solution

Adding a fix to my own submission.

Signature 7066 is a custom signature created by the over arching organization I support.

I was able to make the exception (created from the threat event) work by removing the description from the exception.

Hope this helps someone with a broken exception.

View solution in original post

Reply
3 Replies
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 4
‎04-08-2019 02:24 PM

Re: HIPS Blocking Teams.EXE for Signature 7066, exceptions not working

Jump to solution

Signature 7066 is a custom signature (not a McAfee default signature), so if you have a concern about the signature itself, you would need to contact your internal team that created the signature.

In regards, to the IPS exception issue you're asking about, I think it would be best to open a Service Request with McAfee Support to further discuss the specifics so that the event and exception details are not on public display.  I suspect it's just a configuration issue with the IPS exception (compared to the IPS event details).

0 Kudos
Reply
theglot
Level 11
Report Inappropriate Content
Message 3 of 4
‎01-20-2020 10:20 AM

Re: HIPS Blocking Teams.EXE for Signature 7066, exceptions not working

Jump to solution

The first thing you might want to check is to ensure the new policy has burned into the endpoint.  Just because you hit save in the ePO doesn't mean that the updated policy is not applied on the Endpoint.

 

Good TTP when new policies are created for a problem (HIPS/ENS/VSE/PA) is to do one or more wakes--up on the endpoint and ensure you waited at least 5 minutes after saving in the ePO.

 

Example- In the ENS/HIPS Firewall, in a LAG/CAG name, we put the Date/Time stamp in the name, this way the end user can open the Firewall, view the LAG/CAG and see if the DATE/Time stamp changed in the rule name to ensure they have the latest and greatest change of policy.  Nothing worst than trying to figure out why a exclusion or FW Signature isn't working when you know you did it right, only to find out the endpoint didn't get the change policy yet.

0 Kudos
Reply
KingInTheNorth
Level 9
Report Inappropriate Content
Message 4 of 4
‎09-16-2020 03:58 PM

Re: HIPS Blocking Teams.EXE for Signature 7066, exceptions not working

Jump to solution

Adding a fix to my own submission.

Signature 7066 is a custom signature created by the over arching organization I support.

I was able to make the exception (created from the threat event) work by removing the description from the exception.

Hope this helps someone with a broken exception.

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC