Is this Policy Valid or Am I Losing It Again?

  • Question

  • Trying to create a custom policy that detects McAfee HIPS via WMI. Using IAG SP2 Update 3, clients are both Win7 and Win XP.

    Endpoint detection successfully detects the PFW_WMI_Name_1 attribute as "MCAFEE HOST INTRUSION PREVENTION FIREWALL" (verified using Web Monitor), but I can't seem to successfully evaluate a policy against that attribute.  I've tried the following to no avail:

    ( Instr(LCase(PFW_WMI_Name_1), "mcafee") >= 1 )

    And:

    ( PFW_WMI_Name_1="MCAFEE HOST INTRUSION PREVENTION FIREWALL" )

    Am I missing something obvious?

    Thanks,

    David

    Tuesday, May 18, 2010 6:50 PM

Answers

  • Hi David,
      In theory both of those expressions look like they should evaluate correctly; however, the problem you are facing is using PFW_WMI_Name#. The variables that are able to be used in detection policy scripts must be explicitly defined in the policy template files and show up in the variable section (components\windows variables\) of the GUI for them to be allowed to be used.  Since PFW_WMI_Name isn't an expression that's exposed via the policy, it won't be allowed to be called in a policy script.  It looks like PFW_WMI_Version_Product_1 is the value that is exposed and should most closely map to what you are looking for.
    Regards,
    Dan Herzog
    Microsoft CSS IAG/UAG Support

    • Marked as answer by Erez Benari Wednesday, May 19, 2010 11:09 PM
    Wednesday, May 19, 2010 12:38 AM
    Moderator

All replies

  • Thanks Dan, that clarifies.  Is that documented anywhere (about only the variable section being exposed)?

    So product version doesn't really help because if any personal firewall is also version 7, the policy will evaluate as true.

    Would the recommended solution be the non-WMI evaluation of HIPS registry keys and processes? (Which are out of date by the way in SP2U3, HIPS 7 is stored in a completely different key)

    Regards,

    David

    Wednesday, May 19, 2010 1:01 PM
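A small Python model of the two points in this thread, added here as an illustration and not IAG's own policy evaluator: a detection script can only read variables the template exposes (Dan's answer), and a version-only check matches any personal firewall at that version (David's follow-up). The exposed set and the two endpoints' detection data are constructed for the example.

```python
import re

# Hypothetical list of variables the policy template exposes; the real template
# for IAG SP2 Update 3 is not reproduced in the thread.
EXPOSED = frozenset({"PFW_WMI_Version_Product_1"})

# Constructed endpoint data, as Web Monitor would report it for two clients.
MCAFEE_HOST = {"PFW_WMI_Name_1": "MCAFEE HOST INTRUSION PREVENTION FIREWALL",
               "PFW_WMI_Version_Product_1": "7.0.0"}
OTHER_HOST = {"PFW_WMI_Name_1": "SOME OTHER PERSONAL FIREWALL",
              "PFW_WMI_Version_Product_1": "7.1.2"}

# The two policies from the question, plus a version-only check.
NAME_POLICY = '( Instr(LCase(PFW_WMI_Name_1), "mcafee") >= 1 )'
EXACT_NAME_POLICY = '( PFW_WMI_Name_1 = "MCAFEE HOST INTRUSION PREVENTION FIREWALL" )'
VERSION_POLICY = '( Instr(PFW_WMI_Version_Product_1, "7") >= 1 )'

class PolicyVariableError(Exception):
    """Raised when a script references a variable the template does not expose."""

class EndpointVariables:
    """Name lookup for the evaluator: detection data is reachable only through exposed names."""
    def __init__(self, raw, exposed):
        self.raw, self.exposed = raw, exposed
    def __getitem__(self, name):
        if not name.startswith("PFW_"):
            raise KeyError(name)  # not a detection variable: fall through to Instr/LCase
        if name not in self.exposed:
            raise PolicyVariableError(f"{name} is not exposed by the policy template")
        return self.raw.get(name, "")

# Minimal VBScript helpers with VBScript semantics (Instr is 1-based, 0 when absent).
def Instr(haystack, needle):
    return haystack.find(needle) + 1

def LCase(text):
    return text.lower()

def vbscript_to_python(policy):
    """Rewrite the comparison operators; the rest of these policies is already Python syntax."""
    policy = policy.replace("<>", "!=")
    return re.sub(r"(?<![<>=!])=(?!=)", "==", policy)

def evaluate(policy, raw, exposed=EXPOSED):
    """Evaluate a policy against one endpoint's raw detection data; True means it matched."""
    scope = {"__builtins__": {}, "Instr": Instr, "LCase": LCase}
    return bool(eval(vbscript_to_python(policy), scope, EndpointVariables(raw, exposed)))

def is_rejected(policy, raw, exposed=EXPOSED):
    """True when the policy is refused because it names an unexposed variable."""
    try:
        evaluate(policy, raw, exposed)
        return False
    except PolicyVariableError:
        return True
```

Once PFW_WMI_Name_1 is added to the exposed set, both name-based policies evaluate as expected; the version-only policy is accepted as-is but also matches the unrelated firewall.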