Webinar Questions ("Host IPS and ePO Best Practices", May 14) FINAL

Version 5

    PLEASE ASK ADDITIONAL QUESTIONS IN THE DISCUSSION AREA

    Q: Is there a way to update the HIPS client manually?

    Yes, you can run the patch locally on the system. You just need to make sure to disable the HIPS module before running the installer.

    Q: Can we export the subnets and run them through TrustedSource or another reputation site?

    There is no such functionality with HIP at this time. You could submit a Product Enhancement Request for this feature. Similarly, requests made from specified trusted networks do not have associated TrustedSource lookups performed.

    Q: With respect to training... about the product overall. I have the software installed on ePO, and have it on a number of test systems, but fine tuning the product to something useful is extremely difficult.

    Refer to Best Practices for Installing, Configuring and Tuning Host Intrusion Prevention 8.0 (KB70877) and FAQs for Host Intrusion Prevention 8.0 (KB73399). We also have McAfee Expert Services available for onsite training and consultation. Contact support or sales for further assistance on scheduling a consultant.

    Q: Do HIPS events get stored in the "events" SQL table, or is it a different table?

    They span a number of tables.

    Q: How do you purge a large database?

    Refer to How to purge the ePO 4.x database of events to reduce the size of the database (KB55503) and How to remove old events and shrink the ePolicy Orchestrator 4.5 / 4.6 database (KB68961).

    Q: Please respond to me, my database is full. How do I purge a large database?

    I would recommend reviewing "Recommended maintenance plan for ePO 4.x database using SQL Server Management Studio" (KB67184). If your DB has not been maintained for a long period of time, I would recommend doing a full backup, then scheduling your maintenance tasks during the weekend, during periods of low user activity on the ePO server.

    Q: I have about 15 mobile devices with the Firewall turned on in Learn Mode. How can I review the rules it has learned and then make adjustments to lock it down?

    Check your ePO for the client side rules sent from your remote laptops. You can add these client side rules to your policy and push out the policy to the remote systems.

    Q: If I have the connection aware group with the DNS / DHCP / DNS server IP added, do I still need to add IP subnets to the trusted network?

    No. You don't.

    Q: Is it possible to clear out all the adaptive mode information across all systems at once?

    Yes. You can uncheck retain client side rules in ePO and push it out to the clients. After the next policy enforcement, it will clean up the client rules from your ePO. We highly recommend not doing all systems at once, but doing it in segments.

    Q: Is it possible to get the file of this webinar at the end?

    Yes, the slide deck and Webinar recording will be posted on McAfee Communities afterwards: https://community.mcafee.com/community/business/system/hip

    Q: Configuring HIPS is very hard. What's the best way to implement it easily?

    Please refer to Adopting Host Intrusion Prevention - Best practices for quick success (PD20796) and FAQs for Host Intrusion Prevention 8.0 (KB73399).

    Q: Is there a query provided to write the potential purged records to a file?

    No, there is no specific script provided. However, you could create your own. Refer to "How to purge events and reduce the ePO 4.x database using OSQL commands" (KB51873).

    Q: Is there a tool (other than netstat) from McAfee to collect incoming traffic to a host before implementing HIP?

    You can use Wireshark or RawCap to capture the traffic on the system.
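Before a firewall policy is designed it helps to have a written baseline of what the host actually listens on and who connects to it. The script below is an added example (not from the webinar or from McAfee) that parses the output of `netstat -ano` on Windows and separates listening ports, inbound connections and outbound connections; the `NETSTAT_SAMPLE` text is constructed for the demo and the real output would be captured from the host being profiled.

```python
"""
Added example (not from the webinar or McAfee): turn `netstat -ano` output
into a baseline of listening ports and inbound/outbound connections, as raw
material for Host IPS firewall allow rules. NETSTAT_SAMPLE is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows format).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    10.1.2.3:445           10.1.2.77:51022        ESTABLISHED     4
  TCP    10.1.2.3:3389          10.1.2.88:49512        ESTABLISHED     1012
  TCP    10.1.2.3:51200         10.1.2.10:80           ESTABLISHED     3320
  UDP    0.0.0.0:161            *:*                                    1400
"""

# proto, local endpoint, foreign endpoint, optional state (UDP has none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'10.1.2.3:445' -> ('10.1.2.3', 445); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entries.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state, "pid": int(pid)})
    return entries


def baseline(text):
    """Summarise listening ports, inbound peers per local port and outbound peers per remote port."""
    entries = parse_netstat(text)
    listening = set()
    for e in entries:
        # TCP listeners carry a state; UDP sockets bound to any peer are treated as listeners
        if e["state"] == "LISTENING" or (e["proto"] == "UDP" and e["foreign_host"] == "*"):
            listening.add((e["proto"], e["local_port"]))
    inbound, outbound = defaultdict(set), defaultdict(set)
    for e in entries:
        if e["proto"] != "TCP" or e["state"] != "ESTABLISHED":
            continue
        # An established connection on a listening port was accepted (inbound);
        # anything else was initiated by this host (outbound).
        if (e["proto"], e["local_port"]) in listening:
            inbound[(e["proto"], e["local_port"])].add(e["foreign_host"])
        else:
            outbound[(e["proto"], e["foreign_port"])].add(e["foreign_host"])
    return {"listening": sorted(listening), "inbound": dict(inbound), "outbound": dict(outbound)}


if __name__ == "__main__":
    report = baseline(NETSTAT_SAMPLE)
    print("Listening:", report["listening"])
    print("Inbound (local port -> peers):", report["inbound"])
    print("Outbound (remote port -> peers):", report["outbound"])
```

Each listening port with real inbound peers is a candidate for an explicit inbound allow rule (or for blocking, if nothing should reach it); the outbound summary is the starting point for the outbound rules that the stateful firewall can then match return traffic against.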


    Q: Once you aggregate, what's the best way to update the rule that is now created?

    You aggregate events for viewing only. Policies aren't aggregated into a single policy.

    Q: Please respond to my query. Can we protect against Windows vulnerabilities through HIPS? Or how can we protect against ePO vulnerabilities through HIPS?

    HIPS protects you against Windows vulnerabilities. If you have it installed on ePO, it will also protect your ePO server.

    Q: Can we protect against Windows vulnerabilities through HIPS?

    Host IPS protection is designed to cover zero-day protection and allow customers to schedule security updates and patches. Host IPS does not replace the need to apply security updates and product patches on a regular basis.

    Q: Is it possible to use a TAG to apply an Adaptive Mode HIPS policy to a test group of machines?

    You can push out a policy to tagged agents.


    Q: Should the previous content be stored in the Previous branch?

    It depends on your content deployment policy. Some customers like to put the new content in Evaluation first and then move it to the Current branch.

    Q: Do you have to look up event 3700 somewhere else? 3700 isn't very descriptive.

    Signature 3700 is the TCP Port Scan IPS signature trigger.

    Q: Should the previous content be stored in the Previous branch?

    Each customer is different. I would suggest the last month's content remediation in the Previous branch. The content cannot actually be downgraded, so a remediation is used to set it to the last month's content (KB53092). This month's content goes in the Current branch and next month's in the Evaluation branch.

    Q: With location aware groups, how do you confirm that this has matched on the local system, i.e. that the rule is in effect?

    Please refer to Troubleshooting Host Intrusion Prevention Connection Aware Groups (KB65560).

    Q: ePO Reachability - Does this include being able to communicate with Agent Handlers?

    Yes, this should include the ePO server(s) from which that system is currently configured to obtain its policies.

    Q: We have our server running this task weekly, purging anything older than 30 days. I believe this is due to management moving logs to qlogic. Would that cause any issues?

    This sounds like a reasonable weekly maintenance task.

    Q: What are the wildcard values for IPS exceptions? Is leaving a field blank (like the fingerprint hash) considered all values?

    Wildcards for firewall rules are referred to on page 42 of the HIP 8.0 Product Guide. Wildcards for IPS signatures and exceptions (same usage) are outlined in Appendix A, Writing Custom Signatures and Exceptions, of the HIP 8.0 Product Guide.

    Q: Why just monthly on Patch Tuesday then?

    McAfee is on a pre-release vendor list with Microsoft and other security vendors. Signature updates are aligned with Microsoft Patch Tuesday (2nd Tuesday of the month). Because of the large number of Windows systems worldwide, Patch Tuesday has become the de facto standard date for monthly security update releases.

    Q: What protection updates are included in host IPS?  Just Microsoft?

    Targeted signature security updates are posted monthly in conjunction with Microsoft Patch Tuesday (2nd Tuesday of the month).  Most are Windows signatures.  However, Solaris and Linux based signatures are also updated as security vulnerabilities are announced.  http://www.mcafee.com/us/content-release-notes/host-intrusion-prevention/


    Q: What does (deprecated) mean?

    Deprecated = disabled or removed as functionality becomes obsolete.

    Q: What is a sensible maximum number of clients in Adaptive Mode? 10, 100, 1000, or more?

    I would limit adaptive mode to short periods of tuning only, on limited pilot groups of 5-19 users.

    Q: What is a sensible maximum number of clients in Adaptive Mode? 10, 100, 1000, or more?

    I would limit adaptive mode to short periods of tuning only, on pilot groups of 5-10 users.

    Q: What is a sensible maximum number of clients in Adaptive Mode? 10, 100, 1000, or more?

    Adaptive should be used conservatively. The idea is to start out with a good set of predesigned rules and sparsely leverage Adaptive to fill in the gaps with the rules missed in the design. Client side rules can grow rather fast and get out of hand if not promptly added to policies.

    Q: When running HIPS 8 in adaptive mode for tuning, I see many firewall client rules but no IPS client rules. Is this normal?

    Do you have Adaptive enabled for the Host IPS module as well?


    Q: Why do VirusScan events show up in the HIPS events report? It takes a long time to generate the report.

    You should be able to use event filtering to specify the events you need on your report.  I cannot comment further without seeing your specific report.  You can also refer to "KB65559 - List of the McAfee Host Intrusion Prevention 7.0 / 8.0 events supported by ePO 4.x"


    Q: On the master repo task, on the branch option, will only that branch be updated?  In other words, do you need to create a task for the current branch and others?

    ePolicy Orchestrator provides three repository branches, allowing you to maintain three versions of all packages in your master and distributed repositories. The repository branches are Current, Previous, and Evaluation. By default, ePolicy Orchestrator uses only the Current branch. You can specify branches when adding packages to your master repository. You can also specify branches when running or scheduling update and deployment tasks to distribute different versions to different parts of your network.  Update tasks can retrieve updates from any branch of the repository, but deployment tasks use the Current branch only.


    Q: Why does creation of an exception take so long? In my case it's often minutes :-(

    How are you creating your exceptions? Is it from a security event, or are you seeing the issue when creating a new exception?

    Q: You can also manually download the HIPS content from the McAfee site. There's a KB for that...

    KB66449


    Q: When did HIPS extension 8.0.3.701 come out?

        This was announced on March 26, 2013.

    Q: Why is the recommended time in adaptive mode 3 weeks?

    1 to 3 weeks would be reasonable on a limited number of systems, i.e. pilot groups of 5-10 users only.

    Q: Can you continue this series of webinars? I have the product deployed but I know so little about using it and tuning it. It is an untapped resource for me!! HELP!!!

    Q: What kind of training is available for HIPS? I wish I could sit down with an expert for a few hours to understand this product better.

    We have two recommendations for you:

    1. Participate in the McAfee Host IPS Community @ https://community.mcafee.com/community/business/system/hip. You can also access the recordings of other recent HIPS webinars and see the FAQs.
    2. Talk to your Sales rep about the customer training program for HIPS.

    Q: Can you move a rule from one firewall ruleset to a different firewall ruleset?

        Yes, you can save and add firewall rules from the Host IPS 8.0 policy object catalog.

    Q: Can you show us how to configure location aware rule groups in the firewall? Specifically a rule group that will only apply to a server with a specific IP address?

    If you are configuring a Location Aware Group, you will need to specify criteria for that group to match.

    Refer to page 59 in the product guide.

    Otherwise, you can just configure a firewall rule group within the FW policy.

    Refer to the “Network Options” tab when defining the Firewall Group. Under “Network Name”, select New (Local), click “Add IP Address” and define a single IP address.

    You can also refer to Troubleshooting Host Intrusion Prevention Connection Aware Groups (KB65560).

    Q: Can you show where adaptive mode is set?

        Adaptive mode is set under the Firewall Options policy.

    Q: Do you plan to natively allow loopback traffic (ref: KB71230)?

        An “Allow Loopback” rule has been added to the default firewall rules policy. If you are using migrated firewall policies from HIP 7.0, you will need to manually add a firewall rule for the local loopback adapter.

    Q: From where can I get the details of the HIPS extension version?

        Go to Menu | Software | Extensions in the ePolicy Orchestrator console to view extension details for Host Intrusion Prevention. 

    Q: Will updating the extension override the current policy?

        You should not lose current 7.0 or 8.0 policy assignments when checking in a newer HIP 8.0 extension.


    Q: Can you explain what the purpose of the Catalog is? Can you expound on the subject?

       The Host IPS catalog simplifies rule creation by allowing you to add existing rules, groups, network options, applications, executables, and locations from the catalog to new and existing firewall rules and groups. It also allows the addition of these elements to the catalog either on an item-by-item basis or by batch process. Refer to page 58 in the HIP 8.0 Product Guide for further information.

    Q: How do you disable Application blocking only now that it is part of the firewall?

        Application Blocking is covered by IPS signatures 6010 and 6011.  These are disabled by default in 8.0.  Please refer to page 22 of the HIP 8.0 product guide for further information on Application Blocking policy migration.


    Q: How do you handle the HIPS 7 event with HIPS 8? I have that exact problem, as it fails when I create the exception.

        Network IPS signature trigger exceptions are supported in HIP 8.0.


    Q: Should the software manager show extension updates?

        Yes, the software manager

    Q: When I go to the HIPS 8.0 Reporting container and select show all groups, mine errors out.

        Contact your support representative for assistance.

    Q: If you are still on HIPS 7, is the newest extension going to affect what you currently have installed? We do not want to be required to upgrade once we have put new extensions in place.

        The newest Host IPS 7.0 extension is 7.0.5.106

    Q: Can HIPS 7 and HIPS 8 be installed in the master repository on the same branch?

        Policy assignments for HIP 7.0 and HIP 8.0 would be unique and could be assigned on the same ePO system tree branch.

    Q: In adaptive mode, we can only log all of the outgoing traffic and add it to future rules. What about incoming traffic?

        Adaptive rules should be created for outgoing or incoming traffic.

    Q: Is ePO 5.0 only for 64-bit?

        Please refer to KB51569 for ePO 5.0 supported environments.

    Q: When we installed HIPS extension 8.0.3.701, it installed, but logged us out. Is this normal behavior? It does appear 3 extension components are installed intact, but is there any way to confirm this?

        Yes, this is a known ePolicy Orchestrator issue when installing extensions.

    Q: Can the 8.0.3.701 extension be checked in even though we are on HIPS 8 Patch1 ?

        Yes.

    Q: When will a Windows 8 version be available?

        Windows 8 and Server 2012 support has been added in HIP 8.0 Patch 3, currently in Managed Release.  We expect RTW in June 2013.  Contact your McAfee support engineer to request the RTS version of HIP 8.0 Patch 3.


    Q: Is the Host IPS Catalog used for IPS too, rather than only the firewall?

        Mostly for Firewall, though IPS Application Protection rules and Trusted Applications can also be specified.

    Firewall  Firewall Rules        Firewall Rule
    Firewall  Firewall Rules        Firewall Group
    Firewall  Firewall Rules        Firewall Group               Location
    Firewall  Firewall Rules        Firewall Rule/Group          Network
    Firewall  Firewall Rules        Firewall Rule/Group          Application
    Firewall  Firewall Rules        Firewall Rule/Group          Application Executable
    IPS       IPS Rules             Application Protection Rule  Executable
    General   Trusted Applications  Trusted Application          Executable

    Q: Is the purge still delete * from table? Or is it more efficient in the new version?

        ***
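Two of the purge questions above (the one asking for a query that writes the records about to be purged to a file, and this one about whether the purge is still a whole-table delete) are answered together by the following added example. It is not from the webinar or from any McAfee KB: the `events` table, its columns and the timestamps are a constructed stand-in, and the real ePO event tables differ (KB51873 and KB55503 describe the supported procedure). What it shows is the pattern a DBA would want either way: export the candidate rows to CSV first, then delete by age cutoff in small committed batches instead of one giant DELETE, so the transaction log stays small and other sessions are not locked out for the duration.

```python
"""
Added example (not from the webinar or McAfee): preview and then purge old
events in small batches. The `events` table below is a constructed stand-in
with an invented schema; the real ePO event tables and columns are different.
"""
import csv
import io
import sqlite3
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"   # fixed-width, so string comparison orders by time


def make_sample_db(now):
    """Constructed data: one event per day for the past 120 days."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (EventID INTEGER PRIMARY KEY, ReceivedUTC TEXT, "
                 "Severity INTEGER, Signature INTEGER)")
    rows = [(i + 1, (now - timedelta(days=i)).strftime(TS_FMT), i % 5,
             3700 if i % 7 == 0 else 6011) for i in range(120)]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def cutoff_string(now, retain_days):
    """Timestamp before which events are purge candidates."""
    return (now - timedelta(days=retain_days)).strftime(TS_FMT)


def export_purge_candidates(conn, now, retain_days, out):
    """Write the rows a purge would delete to `out` as CSV and return the count.
    Run this first and keep the file so the purge can be reviewed before it runs."""
    cur = conn.execute(
        "SELECT EventID, ReceivedUTC, Severity, Signature FROM events "
        "WHERE ReceivedUTC < ? ORDER BY EventID", (cutoff_string(now, retain_days),))
    writer = csv.writer(out)
    writer.writerow([col[0] for col in cur.description])
    count = 0
    for row in cur:
        writer.writerow(row)
        count += 1
    return count


def purge_in_batches(conn, now, retain_days, batch_size=1000):
    """Delete rows older than the cutoff, `batch_size` rows per committed transaction.
    Each transaction stays small, unlike a single DELETE of every old row."""
    cutoff = cutoff_string(now, retain_days)
    total = 0
    while True:
        cur = conn.execute(
            "DELETE FROM events WHERE EventID IN "
            "(SELECT EventID FROM events WHERE ReceivedUTC < ? ORDER BY EventID LIMIT ?)",
            (cutoff, batch_size))
        conn.commit()
        if cur.rowcount == 0:
            break
        total += cur.rowcount
    return total


def remaining_events(conn):
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def demo(retain_days=30, batch_size=20):
    """Preview, purge and report on the constructed database."""
    now = datetime(2013, 5, 14, 12, 0, 0)   # constructed "current time"
    conn = make_sample_db(now)
    buf = io.StringIO()
    candidates = export_purge_candidates(conn, now, retain_days, buf)
    deleted = purge_in_batches(conn, now, retain_days, batch_size)
    return {"candidates": candidates, "deleted": deleted,
            "remaining": remaining_events(conn), "csv": buf.getvalue()}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["csv"].splitlines()[:3]))
    print({k: v for k, v in result.items() if k != "csv"})
```

The cutoff comparison is strict (`<`), so an event received exactly `retain_days` ago is kept; on a real server the retention window should match whatever the scheduled ePO purge task uses, and the CSV export gives a record of what was removed for later questions from auditors or incident responders.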

    Q: Can we protect against Windows vulnerabilities through HIPS? Or how can we protect against ePO vulnerabilities through HIPS?

        Not sure what is meant by this. HIP protects against vulnerabilities for Windows, Linux and Solaris operating systems. If there is a specific ePolicy Orchestrator vulnerability, please escalate a service request to check on the latest status for a vulnerability fix. Depending on the specific ePO vulnerability, you may be able to leverage IPS custom signature protection as additional protection.

    Q: Does HIPS protect against application vulnerabilities also?

        Yes, Host IPS will provide endpoint systems layered protection against vulnerabilities.


    Q: Purge of Threat Event has not increased the database space. Why?

        You will need to compact the database on a regular basis.  Refer to KB67184 for Recommended maintenance plan for ePO 4.x database using SQL Server Management Studio.


    Q: Regarding IPS signatures, what is the best way to provide management with current metrics to show value?

        Run Host IPS reports on a regular basis. 

    Q: Do event IDs like 3700 have a real description? I'm not understanding the type of event and how this event ID relates to it.

        Signature 3700 is a network IPS signature - TCP Port Scan.

    Q: Software Manager currently seems to list HIP8 extension version 563 as the newest?

        Software Manager should be listing HIP 8.0.3.701 Management Extension as the newest version available.


    Q: Sometimes the creation of an event fails without giving any error. It has a very low chance of happening though, and I haven't seen it anymore since the latest HIPS patch.

        Most of the advanced details for event information are obtained from operating system API calls.  If the information is not available, it is because the operating system did not know either.

    Q: Could you please define a large enough environment?

        Refer to PD23282 for ePO hardware sizing and bandwidth information.

    Q: If you get a signature trigger how do you determine if it is good or bad. For example the medium visual 2005 trigger from outlook. It happens when users try to change their signature. How do you determine if an event is good or bad?

        Refer to IPS Signature Events in the HIP FAQ, KB73399 for guidelines.

    Q: When is EOL for HIPS 7.0? We were told it is March 2014?

        Currently, HIP 7.0 is expected to EOL in June 2014.


    Q: I logged in with my grant to download the latest extension but I receive an error from the McAfee site.

        Refer to KB56057 to download McAfee software and updates.  If you have a specific issue with a valid grant#, please contact your McAfee support representative.


    Q: Can you feed the purged threat data to an ePO server without any active users, and have the full dataset available for reports?

        This has not been tested with ePolicy Orchestrator.

    Q: Can you just install the extension, or do you have to update all the software associated with 8.0?

        Yes, you can install the Host IPS 8.0 extension without deploying the updated 8.0 package to client systems.  This may be most commonly done when testing initial policy migrations from 7.0 to 8.0 using the Host IPS 8.0 extension policy migrator.

    Q: What determines a hotfix versus a patch for HIPS? This sometimes adds to the confusion of keeping up to date.

        Please refer to KB51560 for service pack, patch and hotfix definitions and ratings.

    Q: What does (deprecated) at the end of a field name mean?

        Deprecated means the functionality has been phased out, disabled or determined to be obsolete or no longer required.

    Q: Will a long exception (IP) in the firewall rule slow down processing?

        On a relative level, there are always processing impacts as policy size and complexity increase. McAfee does not publish stated threshold maximums for policy objects. We recommend customers evaluate what policy configurations are required in their environments and test accordingly.

    Q: What is the recommended way to block all workstation-to-workstation communication (i.e., RDP, SMB, etc.)?

        Workstation firewall policies should be appropriate for the specific environment it is operating in.  Basically, the firewall will need to include appropriate rules to allow all required outbound communication.  All other requests can be blocked.

    Q: When is version HIPS 8.0 Patch 3  (with HF 803520 rolled in) being released?

        Patch 3 will install only on Windows 8 and Server 2012 systems.  This includes prior code changes which were released in HF803520.  There is no full repost package being planned for the other Windows operating systems.  The next Windows full repost package for all Windows operating systems (Patch 4) is expected to release in late Q3 2013.

    Q: What was the latest Host IPS extension for HIPS 7?

        HIP 7.0.5.106 is the most current extension version for 7.0.

    Q: If a rule is created in adaptive mode and we in turn create the rule from the aggregate mode, will one overrule the other or clean itself up? Or will we have to clean this up as we go along?

        Adaptive mode client learned rules should be applied to a tuning policy.  That policy should then be run on the client system.  If the policy rule was specific, there could be similar new rules learned with different port numbers etc.

    Customers will need to tune their final rules to cover all the required ports, services and protocols etc. before adaptive mode is turned off.

    Q: What added features does 701 give over 563?

        Primarily, the Host IPS 8.0.3.701 extension update offers support for ePolicy Orchestrator 5.0. The extension release notes can be found in KB77854.

    Q: When we check in the current version, can the older version still be loaded into the Previous branch?

        Yes, you can check in a client package to any or all of the ePO repository branches.

    Q: When exporting policies and firewall rules, are there tools to view the XML export that make it more readable?

        There may be 3rd party xml tools available, but McAfee does not recommend, test or validate with any specific 3rd party tool(s).

    Q: When is a firewall rule schedule needed and why?

       Enable timed firewall groups for a set amount of time to allow non-network access to the Internet before rules restricting access are applied. Each time you select this command, you reset the time for the groups.

    General connection rules allow the set-up of a timed account at the hotel to gain internet access. The VPN connection rules allow connection and use of the VPN tunnel. After the tunnel is established, the VPN client creates a virtual adapter that matches the criteria of the VPN group. The only traffic the firewall allows is inside the VPN tunnel and the basic traffic on the actual adapter. Attempts by other hotel guests to access the computer over the network, either wired or wireless, are blocked. Refer to page 58 in the HIP 8.0 product guide for further information.

    Q: How do we analyze rules for svchost or system.exe? They seem very generic. Should we ignore these?

       Refer to IPS Signature Events in the HIP FAQ, KB73399 for guidelines.

    Q: When should you remove old extensions?

        You can only have one management extension for each product.  A newer 8.0 extension will replace an older one.  You can have a HIP 7.0 and HIP 8.0 extension both checked into ePO.

    Q: When will the Extension for HIPS be added to the Software Manager to show it is out of date?

        A newer extension version should be displayed when it has been released to the world and posted into the public McAfee Software Manager Repository.

    Q: Where in the dashboard can you see the IPS extension version?

        You cannot query extension versions for a dashboard monitor.  To view extension version, go to Menu | Software | Extensions in the ePolicy Orchestrator console to view extension details for Host Intrusion Prevention.

    Q: Why are all the check boxes enabled? (media types)

        By default only.  Select only those appropriate for your location aware group.

    Q: Is HIPS 8.0 working with Juniper SSL client v7.3?

        Refer to KB70119 for verified VPN list when 8.0 was released.

    Q: Why does it appear that when you have in/out rules you have to put them in separate rules?

        You can create separate in/out rules, or rules for “either” direction. Also, inbound rule requirements can be reduced by taking advantage of outbound rules and the stateful firewall feature, which will track outbound requests and allow the corresponding inbound return traffic.

    Q: Is there an implicit deny at the bottom of the FW ruleset?

    Yes.
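The two answers above (stateful tracking of outbound requests, and the implicit deny at the bottom of the ruleset) are easiest to see in a small model. The following is an added example, not from the webinar or McAfee's product: a toy packet filter in which a rule list is walked top to bottom, any packet with no matching rule is blocked, and every allowed flow is recorded so that its reply packets pass without an inbound rule. The host address, peers and ports are constructed values.

```python
"""
Added example (not from the webinar or McAfee): a toy stateful packet filter
showing why outbound allow rules plus state tracking remove the need for
matching inbound rules, and how the implicit deny behaves. All addresses and
ports are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" (arriving at the host) or "out" (leaving the host)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    direction: str                # "in", "out" or "either"
    proto: Optional[str] = None   # None = any protocol
    port: Optional[int] = None    # None = any port; otherwise the service (destination) port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "either" and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        # The service port is the destination port in both directions:
        # remote service for outbound packets, local service for inbound ones.
        return self.port is None or self.port == pkt.dport


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # 5-tuples of flows that were allowed by a rule

    def _first_match(self, pkt: Packet) -> str:
        for rule in self.rules:       # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return "block"                # implicit deny: nothing matched

    def process(self, pkt: Packet) -> str:
        # A packet whose reversed 5-tuple is a tracked flow is return traffic.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "allow-state"
        action = self._first_match(pkt)
        if action == "allow":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


def run_scenario():
    """Five packets against a two-rule policy; returns the decision for each."""
    host = "10.1.2.3"
    fw = StatefulFirewall([
        Rule("allow", "out", "TCP", 443),   # outbound HTTPS is allowed
        Rule("allow", "in", "TCP", 3389),   # inbound RDP from helpdesk is allowed
    ])
    return [
        fw.process(Packet("TCP", host, 51000, "203.0.113.5", 443, "out")),   # allow (rule 1)
        fw.process(Packet("TCP", "203.0.113.5", 443, host, 51000, "in")),    # allow-state (reply)
        fw.process(Packet("TCP", "10.1.2.77", 51022, host, 445, "in")),      # block (implicit deny)
        fw.process(Packet("TCP", "10.1.2.88", 49512, host, 3389, "in")),     # allow (rule 2)
        fw.process(Packet("TCP", host, 51001, "203.0.113.9", 25, "out")),    # block (implicit deny)
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Only one inbound rule exists, yet the HTTPS reply is accepted because the outbound request was tracked; the unsolicited SMB connection and the unexpected outbound SMTP attempt both fall through to the implicit deny. A real stateful engine also times entries out and checks TCP flags, which this model leaves out.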

    Q: Do predefined rules get updated from McAfee?

        Monthly Firewall rule policy updates are not provided for McAfee default policies.

    Q: Will there be a feature enhancement to determine if you can check for updates for both patches and extensions from within the console?

        This is a good Product Enhancement Request.  This is not planned in foreseeable releases.