Video on creating custom IPS defs.
Created: 05 Aug 2009 | 13 comments
Need a video on creating a custom IPS signature to prevent an infected file that is not detected by Symantec's latest definitions from entering a system.
This will help everyone until Symantec releases the latest defs for the threat.
Comments
I agree with you...
Some customers always come to us saying that an infected file is detected by other AV but SEP has failed to detect it.
If we can create a custom IPS signature and stop it from spreading, the customer will be satisfied.
Regards,
Srinivas H.P.
HCL Infosystems Ltd
This is a good idea
But it is often easier to take an MD5 hash of the file and use application and device control policy to stop the file from running.
Application and Device control policy help
Here is the best document for walkthroughs on how to create an Application and Device Control policy. You can use this in conjunction with the MD5 hash to help block the spread of an infection on a system or network.
http://service1.symantec.com/SUPPORT/ent-security....
I agree with Jeremy on this
I agree with Jeremy on this. In most situations it is much faster and simpler to create an application and device control policy to block the MD5 of the specific risk or file, especially if your concern is with a risk that is already known.
Creating custom IPS signatures can be tricky, especially if you do not have a thorough knowledge of TCP, UDP, and ICMP protocols. In fact, an incorrectly formed signature can corrupt the custom IPS library, thus damaging the integrity of the clients. The IPS signatures provided by LiveUpdate will address known vulnerabilities, exploits, etc. in the operating system so creating custom IPS signatures in most situations, especially in a case of addressing a risk, would be a more complicated solution to an issue than it would really need to be.
Kurt G.
Symantec Technical Specialist: Endpoint Security Advanced Team
Symantec Corporation www.symantec.com
Symantec Enterprise Support: (800) 342 0652
IPS is used for blocking exploits
I also agree with Tuf, and Jeremy. IPS stands for Intrusion Prevention System. It isn't designed to block specific risks. Our IPS signatures will stop any threat that is attempting to exploit a vulnerability regardless if we or any AV product has a virus signature for it. At this time, our IPS signatures should stop any threat from exploiting all known vulnerabilities.
Creating an application and device control policy as stated above is what I believe you are actually wanting to accomplish.
Yes I was looking for this
Yes, I was looking for this, but if I create an Application & Device Control policy for a virus using its MD5 hash, will it block the infection from coming in over the network? I mean, if that virus tries to enter via the network, will this policy block it?
The application and device control policy will
The application and device control policy will block the risk from being able to execute. Though it may be able to pass into the network, the risk will be blocked from running or installing on the clients. If you enable logging for the specific file you can then configure a notification for the event. This would allow you to go local to the machine, locate the file and either submit it to Security Response manually via the web site, or you can manually quarantine the file and submit it through the client. This would allow us to create definitions for the risk which would allow Auto-Protect to detect it attempting to access any systems in the future.
Kurt G.
Symantec Technical Specialist: Endpoint Security Advanced Team
Symantec Corporation www.symantec.com
Symantec Enterprise Support: (800) 342 0652
Hi Zoidberg, I have a file
Hi Zoidberg,
I have a file named siw.exe and I want to create an application and device control policy to stop it from being executed. If I go by name, then after renaming the file it still executes. Below is the checksum of that file. Please can you tell me the process to create this policy so that it won't execute if I run it?
41f03b6b0f35b6353599390c2ca304ad
A detailed procedure will be appreciated.
I'm not Zoidberg but I do have your answer.
Sorry Jeremy, the steps you
Sorry Jeremy,
the steps you provided are not working.
I tried to block Process Explorer as well but it didn't work. I can still launch the application.
This is what I did to block
This is what I did to block Process Explorer.
But I can still launch it.
You are probably missing one step.
On the portion of your rule called "Block Process explorer" the "Monitored Processes" must be * (all). That way all processes are monitored for attempts to launch any process with the md5 hash that you defined under "Launch Process Attempts".
If you have only explorer.exe listed under "monitored processes" then the application control will only watch explorer.exe for attempts to load explorer.exe.
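The two points made in this thread, that a hash-based rule keeps matching a file after it is renamed, and that a rule whose "Monitored Processes" list contains only explorer.exe will never see a launch started from another parent process, can be shown with a small model. The following is an added example written for this page; it is not Symantec's code and does not reproduce the SEP engine. The rule class, the sample file bytes and the process names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class LaunchRule:
    """Toy model (hypothetical) of an Application Control rule with a
    'Launch Process Attempts' condition matched on MD5.

    monitored_processes: parent processes whose launch attempts are inspected.
                         {"*"} means every process is watched.
    blocked_md5:         hashes of files that must not be allowed to start.
    """
    name: str
    monitored_processes: set
    blocked_md5: set

    def watches(self, parent_process: str) -> bool:
        if "*" in self.monitored_processes:
            return True
        watched = {p.lower() for p in self.monitored_processes}
        return parent_process.lower() in watched


def md5_of(data: bytes) -> str:
    """Hex MD5 of a file's contents. The name of the file plays no part."""
    return hashlib.md5(data).hexdigest()


def evaluate_launch(rule: LaunchRule, parent_process: str,
                    filename: str, file_bytes: bytes) -> str:
    """Return 'BLOCK' or 'ALLOW' for one launch attempt.

    The decision only depends on (a) whether the parent process is monitored
    and (b) the hash of the file being launched. `filename` is accepted only
    to make the point that it is ignored.
    """
    if not rule.watches(parent_process):
        return "ALLOW"          # rule never looks at this launch
    if md5_of(file_bytes) in rule.blocked_md5:
        return "BLOCK"
    return "ALLOW"


# Constructed stand-in for the binary the poster wants to block (not siw.exe).
SAMPLE_EXE = b"MZ\x90\x00constructed-sample-binary-for-demo\x00"
OTHER_EXE = b"MZ\x90\x00some-unrelated-program\x00"
BLOCKED = {md5_of(SAMPLE_EXE)}

# The rule as the poster first built it: only explorer.exe is monitored.
RULE_EXPLORER_ONLY = LaunchRule("Block sample", {"explorer.exe"}, BLOCKED)
# The corrected rule from the thread: Monitored Processes = * (all).
RULE_ALL = LaunchRule("Block sample", {"*"}, BLOCKED)


def run_scenarios() -> dict:
    """Walk the situations discussed in the thread and collect the outcomes."""
    return {
        # Launched from cmd.exe while only explorer.exe is monitored: missed.
        "explorer_only_from_cmd": evaluate_launch(
            RULE_EXPLORER_ONLY, "cmd.exe", "siw.exe", SAMPLE_EXE),
        # Same launch with * as the monitored process: caught.
        "all_from_cmd": evaluate_launch(
            RULE_ALL, "cmd.exe", "siw.exe", SAMPLE_EXE),
        # Renamed copy, identical bytes: still caught, hash is unchanged.
        "all_renamed": evaluate_launch(
            RULE_ALL, "explorer.exe", "notes.exe", SAMPLE_EXE),
        # Different file that merely shares the name: not blocked.
        "all_same_name_other_bytes": evaluate_launch(
            RULE_ALL, "explorer.exe", "siw.exe", OTHER_EXE),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:28s} -> {verdict}")
```

The "renamed" and "same name, other bytes" cases show why the thread prefers the hash over the file name: a rename does not change the MD5, while an unrelated file that happens to be called siw.exe is left alone. The "explorer only" case reproduces the gap Jeremy describes, which is why the monitored-process list has to be `*` unless you are certain every launch path goes through the one parent you listed.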
Yes, you are right Jeremy. *
Yes, you are right Jeremy. * was missing. Now it works, but if I use * then it will monitor all processes, so it may slow down the PC. If I know the file/process name, can I use that instead of *?