Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Currently Being Moderated

Webinar Questions ("Migrating to Host IPS 8.0 Successfully", May 9) FINAL

VERSION 3  Click to view document history
Created on: May 9, 2013 2:16 PM by ccoldren - Last Modified:  May 21, 2013 8:41 PM by ccoldren

PLEASE ASKED ADDITIONAL QUESTIONS IN THE DISCUSSION AREA

 

Q: I see patch 4 is being released end of Q3 or early Q4, any info on P3?

A: Patch 3 RTS (testing phase) is expected late May. RTW (public release) is usually 3-4 weeks afterwards. Dates subject to change though.

 

Q: can you have the hips fw only product and the fill hips client in the same epo server? or can you have clients using the fw only while other workstations use the ful hips

A: Once you check in the Host IPS license extension into ePO, it enables/allows you to use the Host IPS modules. You can disable firewall or Host IPS modules with pertinent policies pushed out to the Host IPS client.

 

Q: can you uninstall 7 and install 8 WITHOUT a reboot, ie. in the same script

A: No. Any HIPS uninstall (except for straight upgrades) will require a reboot, before attempting to reinstall. If you do not reboot, the HIPS installation may (will) fail.

 

Q: We are still on patch 5. Are we going to run into issues if not on patch 9 or higher.

A: It’s recommended to be on P9 first (due to known issues that are resolved in the Patch 6-9 builds), however, the HIPS 8 installer will remove any HIPS 7.0 version from the system.

 

Q: Does 8.0 supports Win 7 64 bit platforms

A: It does. Please KB70778 - Supported environments for Host Intrusion Prevention 8.0.

 

Q: something like VSE versions 8.7 and 8.8

A: HIPS 7.0 and 8.0 are managed by separate extensions, but they can both be managed by the ePO server.

 

Q: Is it possible to manage both 7.0 and 8.0 HIPS from ePO console

A: Yes, except for ePO 5.0 (supports HIPS 8.0 only). Just need to make sure that you have the both 7 and 8 extensions checked into epo.

 

Q: Does ePO5 support HIPS7?

A: It does not.

 

Q: can we use DMZ AH to deploy?

A: As long as the McAfee Agent can communicate with it, yes.

 

Q: Should I upgrade to HIPS8 on XP?

A: Yes it is recommended to upgrade to HIPS 8.0.  It is suggested to use the HIPS 8.0 Patch 2 full installer (as it contains some installer fixes).  Please follow: KB76609 - Best Practices for Host Intrusion Prevention 7.0 to 8.0 upgrades

 

Q: Does HIPS 8.0 Patch 2 support MS Hyper V 64 bit Windows 2012 Server?

A: Patch 2 supports it but wasn't fully QA'd for Win8 and 2k12 server. Patch 3 is tested for the OSes. I would highly suggest waiting till Patch 3.

 

Q: what about support for Hyper V Cluster for Windows 2012 Servers?

A: Windows 2012 will be supported in Patch 3, but not sure about the Hyper-V portion (I believe it will, though).  I will confirm with the Host IPS Product Manager.

 

Q: does hips coexist with windows firewall

A: Yes. However we have found an issue with Windows Security Center and our most recent rollup hotfix. The issue will be addressed in the next hotfix release.  See: KB77809 - Windows Action Center reports that the firewall is managed by Host Intrusion Prevention 8.0 after HF803520 is applied

 

Q: does mcafee HIPS can used on gateway level like ISA server. or we can mirror the WAN traffic on specific machine on which HIPS is installed, does it's help to provide the more information like kind of attack and exploit

A: Host IPS is not supported as a gateway firewall.

 

Q: what's the default firewall mode in HIPS 8.0

A: Firewall and IPS are both disabled by default.  They are enabled once you have modified the policy and the system has contacted the ePO server for the new policy via the McAfee Agent.

 

Q: hello please answer, can we use mcafee HIP on gateway level

A: No, it is not supported. It is only supported as a host firewall.

 

Q: can we deploy 9.0 on servers

A: HIPS 8.0? There is no 9.0 version. Yes, HIPS 8.0 can be deployed to servers.

 

Q: if we installed the HIPS on MS ISA firewall that's installed on window server 2003, so in this case it must scan all the wan traffic that's passing through the server and depending on the traffic it'll take action.

A: Theoretically you can probably get it to work on a multihomed system but it hasn't been QA'd and not supported.

 

Q: during <7v HIPS installation, it tend to kill Network connection. Is this still the case with HIPS8?

A: If you are on Windows XP and Windows 2003 (that are limited to Microsoft NDIS 5.0 architecture), yes, you will still lose network connectivity briefly upon installing HIPS 8.0.

 

Q: Got issue with loopback been block

A: Due to some architectural changes in patch 2, you need to create a loopback allow rule that you didn't have to before.  See: KB71230 - Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled

 

Q: During client upgrade we got many disconnection from network, sometimes for more than 1 min, also status on epo is many time failed but the install complete on the machine

A: Network disconnects are expected when deploying HIPS 8.0 on Windows XP and 2003 (due to their NDIS 5.0 architecture limitation), as long as the disconnect is brief (under 5minutes) and the installation is successful.

 

Q: How about reducing/eliminating the polls in future presentations?

A: I will discuss this with the organizer for future events.

 

Q: I have migrated some machines from HIPS 8 patch 1 to Patch 2. At least 3 machines reported longer PC shutdown time. CPU heating. I am hesitated to roll out in velocity. OS is WIndows 7 64 bit, Agent 4.5.0.1810. Any suggestions?

A: Shutdown and heating issues could be related to the high cpu Firesvc.exe issue that started with Patch 2, and fixed in Hotfix 803520. See KB76595. Have you applied this hotfix? Also, try disabling Firewall Adaptive mode and TrustedSource funcitonality.  (customer did apply hotfix and it resolved this issue)

 

Q: In 8.0, does the * still work or do you have to use **?

A: * works for single level directories; ** for multi-level. ** is typically used more often, and is similar to the * in HIPS 7.0.  See Page 42-43 and page 72 of PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

 

Q: With the differences in wildcards between 7.0 and 8.0 is there a method to verify all rules (default and custom) are still going to perform as they did in 7.0? Or will this take manual verification and discovery during the pilot testing?

A: Wildcard usage is a bit different in HIPS 8.0. * is used as ** now, but policy migration should adjust this accordingly. Please make sure you're using the latest HIPS 8.0 extension 8.0.3.701. After migration, the HIPS 8.0 policies should be tested before deploying to entire production environment.

 

Q: Since the number of exceptions will increase when the HIPS 7 policies are migrated to HIPS 8 (sig 6010, 6011), is there a limit for the number of exceptions for the Application Hooking & Invocation Protection policies?

A: There is no set limit, but you want to make sure that the policies are optimized and limit rule duplication. Lots of exceptions can be grouped together, rather than having a separate rule for each. Also make sure that you using multiple IPS Rules policies where applicable. Refrain from trying to use a ONE-SIZE-FITS-ALL policy assignment.

 

Q: Is it possible to capture dynamically created client rules?

A: Yes client-side rules that are learned dynamically are already captured and sent to ePO.  Also, see: 

KB58949 - Host Intrusion Prevention client rules do not display in the ePO 4.x console

 

Q: Is the Block All that is there only in HIPS 8 or both versions?

A: Both versions. It is hidden in the HIPS 7.0 Client UI though.

 

Q: does the application protection in the HIPS 8 IPS rules take over from what app blocking did? I know about the 6010 and 6011 signatures but wondering if it did any similar functions.

A: Sig 6010/6011 are whitelisting signatures. Black listing signatures can be created. See KB71329.

 

Q: We had about 10% of hosts encounter the NDIS problem with our deployment

A: Ok. If you need more details, please contact McAfee Support.

 

Q: What was the last slide saying about the Block All rule with Adaptive mode? Adaptive won't work with a Block rule?

A: Don't use a BLOCK ALL rule in your firewall rule policy. It negates the Adaptive mode functionality, since this BLOCK ALL rule will be matched BEFORE the adaptive mode rule. There is a BLOCK ALL rule already in the policy that is seen on the client HIPS UI (but not shown in the firewall rule policy).

 

Q: Is there spec for HIP 8 with 1800 clients? EPO server hardware requirement?

A: This would be a question for our ePO team. Please see the ePO Server Sizing guide.  See:

PD23282 - ePolicy Orchestrator 4.6 Hardware Sizing and Bandwidth Usage Guide.

 

Q: KB71230, does that mean that a loopback address added, for example, as secondary DNS IP address (the host/server itself that has DNS role) would be blocked by HIPS 8.0 Firewall by default, if not added the Allow Loopback rule in first place to the HIPS 8.0 Firewall?

A: If you have a client component on your host system that talks to a server component on the loopback address, that will potentially be blocked till you create an allow loopback rule for it.

 

Q: Since HIPS Patch 2 and EPO upgrade to 4.6.6, many of my workstations appear in ePO with blank Client Version and blank Content Version. This throws off my reports. Any idea for the cause?

A: Please make sure you are using the latest HIPS 8.0 extension 8.0.3.701. If you continue to have this issue, please contact McAfee Support. Also make sure you are using the correct HIPS column fields in your ePO query. There are separate HIPS 7.0 and 8.0 column fields. They are not interchangeable.

 

Q: deployment size of the HIPS package through epo i.e. total size of files which are to transfered from epo to client.

A: The HIPS 8.0 deployment package is 33mb, plus some overhead for the McAfee Agent, and any additional hotfixes, etc. that need to be deployed.

 

Q: We did the upgrade but the new HIP 8.0 takes up tremendous disk I/O and it eventually crashes our servers so we had to roll back to 7.0. Is that issued being taken care of?

A: We don't have any known issue with disk IOs. As a lot of these issues could be specific to environments, please open a SR and have us take a look at it.

 

Q: How do I open a support ticket to look at our I/O issue?

A: Please contact McAfee Gold or Platinum support, if you have an active support contract.

Gold - 800.937.2237 

Platinum - 866.452.9443

 

Q: we have a few systems that that has residual HIPS 7 showing in the registry and this is effecting the VPN. currently unable to remove the registry. Currently working Platinum to resolve.

A: Yes, this is a known issue with trying to remove the MFEFIREHKMP registry keys. You will need to reset Ownership of the regkey, then reset the permissions on the regkey, in order for it to be deleted. We are working with Microsoft on a solution for this. Your assigned tech should be able to explain this more in detail.

 

Q: blank mac address occurring with HIPS 8 installation.

A: Please make sure you are using the latest HIPS 8.0 P2 installer. If you continue to have this issue, please contact McAfee Support.

 

Q: We noticed within a DoD environment that, when using ldap sigs, RegEx *.exe does not work. We must use the actual executable name, like cmd.exe for example. (we only see this with sigs 6010 and 6011)

A: Please open a Service Request. I have not seen this issue and we'd like to investigate it further. Wildcards should work with HIPS policies.

 

Q: Will VSE and HIPS be integrated? If so, when?

A: This will need to be addressed by our HIPS Product Manager. Please contact your Sales Rep or Support Account Manager for details.

 

Q: Why are TrustedSource domain name ratings not used?

A: HIPS rates IP addresses only using TrustedSource. See: KB74925 - TrustedSource functionality for Host Intrusion Prevention 8.0

Please submit a PER (see KB60021) if you'd like to see this added to the product in the future.

 

Q: we are already tuned at hips 7 for firewall, ips and app blocking. can we just migrate policies and upgrade without further tuning?

A: Further tuning will be required, since there are architectural changes between the two product versions (like the loopback address issue (KB71230).  Your policies should be migrated and tested in your environment, then adjust the policies as needed.

 

Q: when migrating policies from 7 to 8, do application blocking policies migrate?

A: They do migrate, but there are some limitations. Please refer to the HIPS 8.0 installation guide. PD22891, Page 30.

 

Q: ok also, i see clean install is recommended. that might not be possible to upgrade 80K endpionts from a software mgmt tool. is upgrade supported?

A: Upgrade is supported, yes.

 

Q: which vpn clients have issues with HIPS 8?

A: We don't track a list of VPN we've seen issues with in support. It is not us but a industry wide practice. KB70119 lists all the VPNs that we've tested in QA. Open a Service Request if you have an issue with a specific VPN.

 

Q: are there known issues with HIPS 8 with vpn or voip applications

A: We have found issues with some of the VPN clients (e.g., KB75364, KB70140). Please open a SR if you are experiencing an issue with a VPN client (see KB70119). No known issues with VoIP.

 

Q: Which way is better for implementation of HIPS ? through epo or standalone using third party tool

A: ePO is easier, due to not having to deal with the HIPS self-protection. 3rd party can be used, but requires a few more steps.

 

Q: will HIPS 8.0 work on windows xp?

A: Windows XP is supported for HIPS 8.0. KB70778 - Supported environments for Host Intrusion Prevention 8.0

 

Q: Will this webinar be made aviaible for download?

A: On the HIPS Community. https://community.mcafee.com/community/business/system/hip

 

Q: will you send the HIP 8.0 presentation with the audience?, I think this is really helpful to discuss it with our IT management

A: The presentation and recording plus Q&A will be available on the McAfee HIPS Community.

 

Q: Is there a way to show how effective IPS is being in our enviroment?

A: You can review the IPS events, generated by your clients, in the ePO console.  From there, you can see what signatures are triggering, and make IPS exceptions where needed.

 

Q: Most of the HIPS functionalities are Windows oriented, are there some BKMs for Linux implementations?

A: The HIPS non-Windows platforms (Solaris & Linux) provide Host IPS functionality only (no Network IPS or Firewall functionality).  Most Windows documentation for this should apply to Linux & Solaris as well.

 

Q: My ePO is purely HIPS 8, there is no 7 installed as we moved to ePO 4.6 by creating a new server instead of upgrading. It appears that if I install HIPS8 outside of ePO using the integrated Patch 2, this problem occurs. I plan to try another machine by deploying HIPS from ePO then allow the patch to install.

A: You may need contact McAfee Support for assistance.  I would recommend installing the Patch 2 + Hotfix 803520, and verify if IPS or Firewall is causing an issue (see KB54960 for troubleshooting).

 

Q: various vendors' wifis cause drop offs. are there any fixes for this?

A: You may need contact McAfee Support for assistance.  There could be policy configuration issues here (IPS Startup Protection, Firewall Rules, etc.).  I would first recommend making sure you are running latest HIPS code (Patch 2 + Hotfix 803520) and then troubleshooting using KB54960.  If you can identify what functionality in HIPS is causing this issue, then we can debug it further.

 

Q: We are having a issue that is similar to the NDIS issue when reinstalling HIPS 8.0p2 on XP and Win7 where remnants remain after the unistall. The suggestion so far is to use the McAfee Ripper tool, but that is not feasible on a large network. Is there any relief for this?

A: This a known issue, expected to be addressed in Patch 4.  In the mean time, the HIPS Ripper tool (and instructions from KB77696) should help with cleaning up.

 

Q: what happens if the machine is not on 7.0 P9?

A: Upgrading from HIPS 7.0 (non-Patch 9) to HIPS 8.0, but you might encounter issues (like a BSOD issue) that are resolved by the Patch 9 version.  Please test this in your environment first.  If you encounter any issues, apply HIPS 7.0 Patch 9, and reattempt the upgrade).

 

Q: what is the policy comparison feature in the HIP 8.0

A: This is a new ePO 5.0 feature, that allows policies to be compared. Only works with the HIPS 8.0.3.701 extension.

 

Q: How does the Policy comparison feature works ?

A: Please see Page 182 of the ePO 5.0 Product Guide.  PD24350 - ePolicy Orchestrator 5.0 Product Guide

 

Q: What sort of default HIPS and Firewall policies are included in the HIPS 8.0 offline installer? Curious what protection is offered until the system checks in to the ePO server

A: Both the FW and the IPS modules are disabled by default until the Host IPS client checks into ePO and pulls in its policy.

 

 

Q: A quick explanation what the new DNS blocking is used for?

A: DNS Blocking can be used to block traffic to domains that you specify.  It can block traffic by caching the DNS results that the Windows OS gathers (i.e., block traffic to *.youtube.com), however, it’s not intended to be full web-content filtering/classification solution.

 

Q: what's the drawback of implementing startup protection? Is it purely performance?

 

 

A: There have been some issues discovered with IPS Startup Protection (KB71456, KB75275, KB54778).  For some of these issues, please make sure you are running the latest HIPS Content available (http://www.mcafee.com/us/content-release-notes/host-intrusion-prevention/index.a spx)