Windows Class Illegal Host IPS API Use - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5
Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
Section                       Values                                      Notes
Id, level, time, user_name    See Common sections.
Executable                    Path name of the executable that is         A required parameter.
                              being hooked by another executable.
handler module
directives                    hook:set_windows_hook                       To prevent injection of a DLL into an
                                                                          executable when using
                                                                          hook:set_windows_hook, include the
                                                                          executable in the Application
                                                                          Protection List.

Windows class Illegal Host IPS API Use

The following table lists the possible sections and values for the Windows class Illegal API Use:

Section                                   Values                              Notes
Class                                     Illegal_API_Use
Id, level, time, user_name, Executable    See Common sections.
vulnerability_name                        Name of the vulnerability
detailed_event_info                       One or more CLSIDs.                 This is a 128-bit number that represents
                                                                              a unique ID for a software component.
                                                                              Typically displayed as:
                                                                              "{FAC7A6FB-0127-4F06-9892-8D2FC56E3F76}"
directives                                illegal_api_use:bad_parameter
                                          illegal_api_use:invalid_call

Use this class to create a custom killbit signature. The killbit is a security feature in web browsers
and other applications that use ActiveX. A killbit specifies the object class identifier (CLSID) of an
ActiveX control that has been identified as a security vulnerability. Applications that use ActiveX do
not load a control whose CLSID has a corresponding killbit in place.
The primary purpose of a killbit is to close security holes. Killbit updates are typically deployed
to Microsoft Windows operating systems via Windows security updates.
Here is an example of a signature (the fragment is cut off at the page break):

Rule {
  tag "Sample4"
  Class Illegal_API_Use
  Id 4001
  level 4

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 112
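To make the Illegal_API_Use sections concrete, here is an added Python helper (not from the product guide or from McAfee) that assembles a killbit signature from the values in the table above and refuses a malformed CLSID or a directive outside the two listed. The quoting and one-line layout of the sections beyond the guide's fragment, and the 0 to 4 severity range, are assumptions about the rule language, not taken from this page.

```python
import re

# Values permitted by the Illegal_API_Use table on this page.
ALLOWED_DIRECTIVES = {"illegal_api_use:bad_parameter", "illegal_api_use:invalid_call"}
# A CLSID is a 128-bit identifier written as {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def is_valid_clsid(clsid: str) -> bool:
    """True only for a brace-delimited GUID; a bare or truncated value is rejected."""
    return CLSID_RE.fullmatch(clsid) is not None


def build_killbit_signature(tag, sig_id, level, vulnerability_name, clsids, directives=None):
    """Render an Illegal_API_Use rule from the table's sections and refuse bad input.

    Quoting and one-line layout of the sections beyond the guide's fragment, and the
    0..4 severity range, are assumptions about the rule language, not taken from the guide.
    """
    directives = sorted(ALLOWED_DIRECTIVES) if directives is None else list(directives)
    if not isinstance(sig_id, int) or sig_id <= 0:
        raise ValueError("Id must be a positive integer")
    if level not in range(0, 5):  # assumption: levels run from 0 (disabled) to 4 (high)
        raise ValueError("level must be between 0 and 4")
    if not clsids:
        raise ValueError("detailed_event_info needs at least one CLSID")
    bad = [c for c in clsids if not is_valid_clsid(c)]
    if bad:
        raise ValueError(f"malformed CLSID(s): {bad}")
    unknown = sorted(set(directives) - ALLOWED_DIRECTIVES)
    if unknown:
        raise ValueError(f"directive(s) not valid for this class: {unknown}")
    lines = [
        "Rule {",
        f'  tag "{tag}"',
        "  Class Illegal_API_Use",
        f"  Id {sig_id}",
        f"  level {level}",
        f'  vulnerability_name "{vulnerability_name}"',
        "  detailed_event_info " + " ".join(f'"{c}"' for c in clsids),
        "  directives " + " ".join(directives),
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the CLSID is the placeholder shown in the table's Notes column.
    print(build_killbit_signature("Sample4", 4001, 4, "Sample vulnerable control",
                                  ["{FAC7A6FB-0127-4F06-9892-8D2FC56E3F76}"]))
```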