Configuring McAfee HIPS and DLP to increase your security posture...with bonus policies and dashboards attached

1. H T T P S : / / A E . L I N K E D I N . C O M / I N / K Y L E - T A Y L O R -
7 3 2 5 4 2 1 A

2. DLP Initiatives:
◦ Block Bluetooth and USB Printers
◦ Block Wireless NICs and SD Cards
◦ Track File Names copied to External Media
◦ “Dirty Word” search on File copied to External Media
Application Whitelisting:
◦ Using Subject Distinguished Name to Simplify Exemptions
Future Projects:
◦ McAfee Threat Activity Tracer
◦ Epo Deep Command Discovery and Reporting (Free Tool)
◦ McAfee System Information Reporter
IA/CND Dashboards

3. Wireless – Block by Device Definition and Plug and Play Device Rule
◦ Device Class: Network Adapters
◦ Device Name: Allow Partial Match
Bluetooth – Block by Plug and Play Rule – Combine with additional Firewire block
◦ Bus Type: BlueTooth
SD Cards – Block by Plug and Play Rule – allows you to make them Read-Only
◦ Compatible ID
USB Printers – Use Plug and Play Rule
◦ Use Device Definition with USB Class: 07h
Prevent executables from executing from removable media using the Removable Storage File Access rule – it will
block .exe, .msi, .bat, .zip
Create a Windows Portable Device Rule to look for Device Name containing “MTP” to catch iPods, Phones…etc.,
mounting as an MTP device vs. Removable Storage
Wireless WiMax WiFi 802.11 Wlan
RIMMPTSKDisk_SD SDCLASS_STORAGE SCSIDisk
These mount as “Devices” vs. mounting as
“Removable Storage”
KB73171 – MTP Devices… we mainly see MTP devices mounting as
“Windows Portable Devices”
KB77769 – Managing Apple Products KB81602 – Possibility to allow you to record files being burned to CD/DVD –
Not tested.

5. Track files copied to external media
1. In the DLP Console, turn on “Hit Highlighting”
2. Set up a “Removable Media Protection Rule” call it something like,
“Track Files Copied to Removable Media”
3. Assign it all your exempted users but “Monitor Only”
NOTE: It does not track files burned to CD/DVD…
… However, you can track the amount of data burned per hour, day, month,
etc.

8. Checks Files being copied to Removable Media and searches within them for text
patterns
Only works on files being copied OFF to removable media
Create a new Text Pattern definition for “NOFORN”, “FVEY”,”SECRET//”…etc. called
Classification Markings and then a Category called “Category – Classified Markings”
for matches to go into as well as a Tag named similarly – I know…a ton of steps.
Apply this text pattern definition to the Content Tagging Rule called “Possible
Classified Document” and tell it to put matches into the Category “Category –
Classified Markings”
Create a “Removable Storage Protection Rule "looking for the category” Category –
Classified Markings” and apply it to all USB and SD exempted users.

12. Enable Signatures 6010 & 6011
Use Subject Distinguished Name to reduce overall total events
◦ We reduced events from 45,000 to 1,000 per day only using around 50 exceptions
Add all the Signatures into a Single Exception
◦ Adobe, Microsoft (about 10 different sigs), VMWare, Symantec, etc.
Example: “C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS”
The Layered/Effective Policy approach applied at each
level using this hierarchy is recommended.
[Assign a policy for each level with exceptions in each as required.]
Learn to use ClientControl.exe for additional assistance and troubleshooting
◦ i.e. clientcontrol.exe /exportconfig c:WindowsHIPSEXPORT.txt 5
◦ Clientcontrol.exe /log <HIPSPASSWORD> 0 4 …creates files in C:UsersAll UsersMcafeeHost Intrusion
Prevention folder

15. McAfee Threat Activity Tracer – records the remote IP that triggered any events using HIPS and
VSE
◦ In the McAfee Tool Exchange
McAfee System Information Reporter
◦ Free from McAfee Platinum Support
◦ Checks for Files and enforces a version
◦ Checks and enforces registry keys
◦ Enumerates Software, Hotfixes, Services, Shares
◦ Possible CMI Mitigation
EPO Deep Command Discovery and Reporting Tool
◦ Free from McAfee – Plugin and Extension
◦ Hardware Enumeration and Serial Number Tracking
◦ Nice addition for Inventory or Logistics Personnel, also Tech Refreshes
◦ Also Wireless NIC status, BIOS version, System Model and Manufacturer, Last Reboot…etc
◦ Alternatively, use the SystemInfo Tool from McAfee Tool Exchange to write the serial number to
one of the Custom Properties Fields

16. https://community.mcafee.com/docs/DOC-4231

17. • Checks computers for specific
files or registry keys – and
enforces versions
• Checks for Shares and USB
Devices
• Installed Hotfixes, Software,
patches, services

19. Dashboards and Automated Emails are good ways to keep Incident
Response informed
These do require training and a lot of policy tuning to make them usable to
IA/CND
Track HIPS, VSE, DLP, maybe ABM and Rogues
HIPS and VSE is where you are most likely to catch zero-days or APT’s
Over 70% of our Remedy tickets for IA/CND come from McAfee

20. Displays Malware Names, Trends, and Top Violators

21. Breaks Down Systems on the Network by OS, Per Site, and Rogues

22. • Prompts the most questions, requires a lot of tuning, and can be Noisy

23. Kyle.taylor@darkmatter.ae
971-525-100-890

24. Note: I will try to make the policies and dashboards
available through the hosts of this symposium.
McAfee Threat Activity Tracer - https://community.mcafee.com/docs/DOC-4231
ePO Deep Command Discovery and Reporting :
-Product Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25071/en_US/edc_210_pg_0-00_en-
us.pdf
-McAfee Community: https://community.mcafee.com/blogs/deepakkolingivadi/2014/03/20/deep-command-quick-start-guide-updated-for-21
McAfee System Information Reporter:
-KB: https://kc.mcafee.com/corporate/index?page=content&id=KB67830
-User Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22755/en_US/SIR_User_guide.pdf