McAfee HISCDE-AB-IA Product Guide - Page 108
Windows class Files, Note 1
Appendix A - Writing Custom Signatures and Exceptions
Windows custom signatures

(Table continued from the preceding page.)

| Section       | Values                            | Notes |
|---------------|-----------------------------------|-------|
| level         |                                   |       |
| time          |                                   |       |
| user_name     |                                   |       |
| Executable    |                                   |       |
| dependencies  | 428                               | Optional. See Note 1. |
| caller module | Path to a module (i.e. a DLL) loaded by an executable that makes a call that causes a buffer overflow | |
| directives    | bo:stack                          | Examines the memory location that is executing and detects whether it is running from writable memory that is part of the current thread's stack. |
|               | bo:heap                           | Examines the memory location that is executing and detects whether it is running from writable memory that is part of a heap. |
|               | bo:writeable_memory               | Examines the memory location that is executing and detects whether it is running from writable memory that is neither part of the current thread's stack nor a heap. |
|               | bo:invalid_call                   | Checks that an API is called from a proper call instruction. |
|               | bo:target_bytes                   | A hexadecimal string representing 32 bytes of instructions that can be used to create a targeted exception for a false positive without disabling buffer overflow protection for the entire process. |
|               | bo:call_not_found                 | Checks that the code sequence prior to the return address is not a call. |
|               | bo:call_return_unreadable         | Checks that the return address is not readable memory. |
|               | bo:call_different_target_address  | Checks that the call target does not match the hooked target. |
|               | bo:call_return_to_api             | Checks that the return address is an API entry point. |

Note 1: Signature 428, Generic Buffer Overflow, is a generic buffer overflow rule. To avoid triggering this rule, include the section "dependencies 428" in the custom signature.

Windows class Files

The following table lists the possible sections and values for the Windows class Files:

| Section | Values | Notes |
|---------|--------|-------|
| Class   | Files  |       |
| Id      |        | See Common sections. |
| level   |        | See Common sections. |

108 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
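As an added illustration (not a signature from the guide or from McAfee), the following custom signature in the Host IPS expert (TCL-style) format combines several of the bo: directives listed above with the "dependencies 428" section from Note 1, so that the custom rule and the generic rule 428 do not both fire on the same event. The Rule wrapper, the tag, the Id 4001 and the level are assumed values for illustration; only the directive names and the dependency on 428 come from this page.

```tcl
# Added example, not taken from the product guide.
# Assumptions: the Rule { ... } expert syntax, the tag text, Id 4001 and
# level 4 are illustrative; the Buffer_Overflow class name, the bo: directives
# and "dependencies 428" are the items this page's table documents.
Rule {
  tag "Custom_BO_Example"
  Class Buffer_Overflow
  Id 4001
  level 4
  Executable { Include "*" }
  user_name { Include "*" }
  directives bo:stack bo:heap bo:writeable_memory bo:invalid_call
  dependencies 428
}
```

Listing 428 under dependencies (Note 1) keeps the generic buffer overflow rule from triggering alongside this signature, so a single event produces one alert that names the custom rule rather than two.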