Windows Class Files - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product Guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
Section         Values                               Notes
level
time
user_name
Executable
dependencies    428                                  Optional. See Note 1.
caller module   Path to a module (i.e. a DLL)
                loaded by an executable that
                makes a call that causes a
                buffer overflow
directives      bo:stack                             Examines the memory location that is
                                                     executing and detects whether it is
                                                     running from writable memory that is
                                                     part of the current thread's stack.
                bo:heap                              Examines the memory location that is
                                                     executing and detects whether it is
                                                     running from writable memory that is
                                                     part of a heap.
                bo:writeable_memory                  Examines the memory location that is
                                                     executing and detects whether it is
                                                     running from writable memory that is
                                                     neither part of the current thread's
                                                     stack nor part of a heap.
                bo:invalid_call                      Checks that the API is called from a
                                                     proper call instruction.
                bo:target_bytes                      A hexadecimal string representing 32
                                                     bytes of instructions. It can be used
                                                     to create a targeted exception for a
                                                     false positive without disabling
                                                     buffer overflow protection for the
                                                     entire process.
                bo:call_not_found                    Detects when the code sequence
                                                     immediately before the return address
                                                     is not a call instruction.
                bo:call_return_unreadable            Detects when the return address is not
                                                     readable memory.
                bo:call_different_target_address     Detects when the target of the call
                                                     does not match the hooked target.
                bo:call_return_to_api                Detects when the return address is an
                                                     API entry point.

Note 1
Signature 428, Generic Buffer Overflow, is the generic buffer overflow rule. To avoid also
triggering that rule, include the section "dependencies 428" in the custom signature.

Windows class Files

The following table lists the possible sections and values for the Windows class Files:

Section         Values                               Notes
Class           Files
Id              See Common sections.
level

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
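The bo:call_not_found, bo:call_return_unreadable, bo:call_different_target_address and bo:call_return_to_api directives above all describe the same idea: a hook sitting at an API's entry point takes the return address from the stack and asks whether a genuine call to that API put it there. The C program below is an added example written for this page, not McAfee's implementation, showing how such a caller check can be carried out against a simulated 32-bit process image. The image bytes, the addresses (0x00401000 for the code, 0x7C801000 for the hooked API) and the decision to decode only the E8 rel32 and FF 15 disp32 call encodings are assumptions made for the demonstration; how the product itself decodes and scores these conditions is not documented on this page.

```c
/*
 * Added example, not McAfee code: a minimal reconstruction of the caller checks
 * named by the bo:call_* directives.  A hook on an API's entry takes the return
 * address from [esp] and asks whether the bytes before it form a call, and
 * whether that call targets the hooked API.  The image bytes, addresses and
 * decoding rules below are assumptions made for this demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts mirror the directive names in the table above. */
enum caller_verdict {
    CALLER_OK = 0,
    CALLER_RETURN_UNREADABLE,   /* bo:call_return_unreadable */
    CALLER_RETURN_TO_API,       /* bo:call_return_to_api */
    CALLER_CALL_NOT_FOUND,      /* bo:call_not_found */
    CALLER_DIFFERENT_TARGET     /* bo:call_different_target_address */
};

/* A simulated 32-bit process image: `bytes` is what the process sees at `base`. */
struct image {
    const uint8_t *bytes;
    size_t len;
    uint32_t base;
};

/* Copy n bytes at a virtual address, or fail if any byte lies outside the image. */
static int img_read(const struct image *im, uint32_t addr, size_t n, uint8_t *out) {
    if (addr < im->base || n > im->len || addr - im->base > im->len - n) return 0;
    for (size_t i = 0; i < n; i++) out[i] = im->bytes[addr - im->base + i];
    return 1;
}

static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/*
 * ret_addr is the return address found on the stack on entry to the hooked API
 * at api_addr.  Only the two common direct encodings are decoded (E8 rel32 and
 * FF 15 disp32); register-indirect calls are accepted as present, since their
 * target cannot be recovered from the bytes alone.  Matching a fixed-length
 * pattern before an arbitrary address is a heuristic: data or a different
 * instruction boundary can look like a call, which is why a targeted
 * exception mechanism such as bo:target_bytes exists.
 */
enum caller_verdict check_caller(const struct image *im, uint32_t ret_addr, uint32_t api_addr) {
    uint8_t b[6];
    uint32_t target, slot;

    if (ret_addr == api_addr) return CALLER_RETURN_TO_API;
    if (!img_read(im, ret_addr, 1, b)) return CALLER_RETURN_UNREADABLE;

    /* E8 rel32: target = address of the next instruction + rel32 (wraps mod 2^32). */
    if (ret_addr - im->base >= 5 && img_read(im, ret_addr - 5, 5, b) && b[0] == 0xE8) {
        target = ret_addr + le32(b + 1);
        return target == api_addr ? CALLER_OK : CALLER_DIFFERENT_TARGET;
    }
    /* FF 15 disp32: call through an import slot; the slot holds the target. */
    if (ret_addr - im->base >= 6 && img_read(im, ret_addr - 6, 6, b) && b[0] == 0xFF && b[1] == 0x15) {
        slot = le32(b + 2);
        if (!img_read(im, slot, 4, b)) return CALLER_DIFFERENT_TARGET; /* unreadable slot: treat as mismatch */
        target = le32(b);
        return target == api_addr ? CALLER_OK : CALLER_DIFFERENT_TARGET;
    }
    /* FF /2 with a register operand (call reg: FF D0..D7; call [reg]: FF 10..17
     * without the SIB and disp32 forms).  Present, but target not verifiable. */
    if (ret_addr - im->base >= 2 && img_read(im, ret_addr - 2, 2, b) && b[0] == 0xFF &&
        ((b[1] >= 0xD0 && b[1] <= 0xD7) ||
         (b[1] >= 0x10 && b[1] <= 0x17 && b[1] != 0x14 && b[1] != 0x15)))
        return CALLER_OK;

    return CALLER_CALL_NOT_FOUND;
}

/* Constructed image (assumed layout): three call sites, a run of nops and one
 * import slot, mapped at 0x00401000.  The hooked API is assumed at 0x7C801000. */
static const uint8_t SAMPLE_BYTES[40] = {
    0xE8, 0xFB, 0xFF, 0x3F, 0x7C,          /* 00401000  call 7C801000 (rel32)         ret=00401005 */
    0xFF, 0x15, 0x20, 0x10, 0x40, 0x00,    /* 00401005  call [00401020] (import slot) ret=0040100B */
    0x90, 0x90, 0x90, 0x90, 0x90,          /* 0040100B  nop x5: no call precedes      ret=00401010 */
    0xE8, 0xEB, 0xFF, 0xFF, 0xFF,          /* 00401010  call 00401000 (wrong target)  ret=00401015 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,       /* 00401015  padding */
    0x00, 0x10, 0x80, 0x7C,                /* 00401020  import slot -> 7C801000 */
    0, 0, 0, 0
};
static const struct image SAMPLE_IMAGE = { SAMPLE_BYTES, sizeof SAMPLE_BYTES, 0x00401000u };
#define HOOKED_API 0x7C801000u

int main(void) {
    static const char *names[] = { "ok", "return unreadable", "return to API",
                                   "call not found", "different target" };
    uint32_t rets[] = { 0x00401005u, 0x0040100Bu, 0x00401010u, 0x00401015u, 0x00500000u, HOOKED_API };
    for (size_t i = 0; i < sizeof rets / sizeof rets[0]; i++)
        printf("ret=%08X -> %s\n", (unsigned)rets[i],
               names[check_caller(&SAMPLE_IMAGE, rets[i], HOOKED_API)]);
    return 0;
}
```

Reading the verdicts against the table: the first two return addresses sit after real calls to the hooked API and pass, the nop run has no call before it (bo:call_not_found), the third call site calls somewhere else (bo:call_different_target_address), an address outside any mapped region is bo:call_return_unreadable, and a return straight into the API entry is bo:call_return_to_api. The register-indirect branch is the reason a caller check alone cannot prove the call was legitimate; the bo:stack, bo:heap and bo:writeable_memory checks on where the code is executing from cover that gap.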
