McAfee HISCDE-AB-IA Product Guide - Page 112
Appendix A - Writing Custom Signatures and Exceptions
Windows custom signatures

Section          Values                                     Notes
Id               See Common sections.
level
time
user_name
Executable
handler module   Path name of the executable that is        A required parameter.
                 being hooked by another executable.
directives       hook:set_windows_hook

To prevent injection of a DLL into an executable when using hook:set_windows_hook, include the executable in the Application Protection List.

Windows class Illegal Host IPS API Use

The following table lists the possible sections and values for the Windows class Illegal API Use:

Section               Values                           Notes
Class                 Illegal_API_Use
Id                    See Common sections.
level
time
user_name
Executable
vulnerability_name    Name of the vulnerability
detailed_event_info   One or more CLSIDs.              This is a 128-bit number that represents a
                                                       unique ID for a software component.
                                                       Typically displayed as:
                                                       "{FAC7A6FB-0127-4F06-9892-8D2FC56E3F76}"
directives            illegal_api_use:bad_parameter
                      illegal_api_use:invalid_call

Use this class to create a custom killbit signature. The killbit is a security feature in web browsers and other applications that use ActiveX. A killbit specifies the object class identifier (CLSID) for ActiveX software controls that are identified as security vulnerability threats. Applications that use ActiveX do not load specified ActiveX software with a corresponding killbit in place.

The primary purpose of a killbit is to close security holes. Killbit updates are typically deployed to Microsoft Windows operating systems via Windows security updates.

Here is an example of a signature:

    Rule {
    tag "Sample4"
    Class Illegal_API_Use
    Id 4001
    level 4

112 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
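An added example, not taken from the McAfee guide: Windows stores the killbit described above as the 0x400 bit of the "Compatibility Flags" value under the Internet Explorer "ActiveX Compatibility" registry key for each CLSID (a location documented by Microsoft, not on this page). The Python script below validates candidate CLSIDs for detailed_event_info and reports whether a killbit already exists for each in a constructed .reg export; the second CLSID and all function names are illustrative assumptions.

```python
import re

# Assumption (Microsoft documentation, not this page): the killbit is bit 0x400 of the
# "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
KILLBIT = 0x00000400
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
                    r"\\ActiveX Compatibility\\(\{[^}\]]*\})\]$", re.IGNORECASE)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

# Constructed sample export; the first CLSID is the display example from the guide.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FAC7A6FB-0127-4F06-9892-8D2FC56E3F76}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00800000
'''

def normalize_clsid(text):
    """Return the CLSID upper-cased in {8-4-4-4-12} form, or None if malformed."""
    text = text.strip()
    return text.upper() if CLSID_RE.fullmatch(text) else None

def killbit_status(reg_text, wanted):
    """Map each requested CLSID to 'set', 'not set' or 'invalid CLSID'."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = normalize_clsid(key.group(1))
        elif line.startswith("["):
            current = None  # a different registry key; ignore its values
        elif current and (m := FLAGS_RE.match(line)):
            flags[current] = int(m.group(1), 16)

    def state(raw):
        clsid = normalize_clsid(raw)
        if clsid is None:
            return "invalid CLSID"
        return "set" if flags.get(clsid, 0) & KILLBIT else "not set"
    return {raw: state(raw) for raw in wanted}

if __name__ == "__main__":
    for clsid, status in killbit_status(SAMPLE_REG, [
            "{fac7a6fb-0127-4f06-9892-8d2fc56e3f76}", "FAC7A6FB"]).items():
        print(clsid, "->", status)
```

A CLSID reported as "not set" or absent from the export has no operating-system killbit, which is the case a custom Illegal_API_Use signature is meant to cover.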