Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Currently Being Moderated

Webinar Questions ("Host IPS Client Troubleshooting", May 16) FINAL

VERSION 7  Click to view document history
Created on: May 16, 2013 6:35 PM by ccoldren - Last Modified:  May 21, 2013 8:43 PM by ccoldren

Q:   What means BSOD?
       
Blue Screen of Death (BSOD)

Q:   What is windows API?
API = Application Programming Interface.  These are protocols that are used by developers to create software.

Q:   Is there any troubleshooting document links? Do you have any documentation where these deeper topics are handled (whitepaper, KB articles, ...)?
• KB76609 — Best Practices for Host Intrusion Prevention 7.0 to 8.0 Upgrades
• KB73399 — FAQs for Host Intrusion Prevention 8.0
• KB70760 — Host Intrusion Prevention 8.0 - Master list of release support articles
• KB70877 — Best Practices for Installing, Configuring and Tuning Host Intrusion Prevention 8.0
• KB67561 — Host Intrusion Prevention 8.0 / 7.x signature events tuning
• KB70778 — Supported environments for Host Intrusion Prevention 8.0
• KB70725 — Host Intrusion Prevention 8.0 patch and hotfix version information (Master)
• KB75672 — McAfee product support for Microsoft Windows 8
• KB74925 — TrustedSource functionality for Host Intrusion Prevention 8.0 Troubleshooting
• KB72869 — How to enable Host Intrusion Prevention 7.0/8.0 debug logging
• KB54960 — How to isolate a suspect component in Host IPS
• KB72868 — How to collect ETL logs for Host Intrusion Prevention 8.0 for Windows
• KB67056 — Third-party application stops working or is impaired after McAfee Host Intrusion Prevention is in

Q:   can one keep the firewall on windows disabled ,while keeping the IPS up and running
Yes, the Host IPS and Host IPS Firewall can be used separately. 

Q:   Sometimes the HIPS process itself starts consuming huge amount of memory or slows the machine. How to deal with it ?
Please open a McAfee Support service request, as this will need to be researched.

Q:   I've the MER logs file. how to analyis those logs?
The MER tool collects a snap shot of a running system, and the McAfee log files.

Q:   how to get the dump file of the process? 
It depends on the O/S.  If you are using Windows 7, it is as simple as running Task Manager > Right-Click on the process > Dump the process.

Q:   What is the process for procuring the clientcontrol.exe utility?
The clientcontrol.exe is included with the Host IPS 8.0 software.  The clientcontrol.exe for Host IPS 7.0 is on the McAfee download site.

Q:   So if there is a memory leak, would we put an exception in for it?
Never.  A memory leak is a code error and must be fixed by a developer.

Q:   Is there a way to exclude a source IP from generating any triggers in HIPS like a vulnerability scanner IP?  If so, where would you put it?  When our vuln scanner runs it triggers an extreme amount of IP is there a way to not generate an large amount of logs triggering?
Yes, you can create a 'Trusted Network' and mark that IP Address Trusted for IPS.

Q:   Is there a size limit to the log files or a recommended size limit?
This can be configured using the Host IPS policy from ePO Server.  Typically I see users set limits up to 100MB+  This is user configuration, and McAfee does not have a recommended setting.

Q:   If HIPS is disabled on a system but firewall driver is loaded how do you disable it to eliminate HIPS as an issue without removing HIPS?
The Host IPS driver can be put into a 'Pass Through' mode without uninstalling the software.

Q:   The Host IPS driver can be put into a 'Pass Through' mode without uninstalling the software how do you do that?
Please review this link: https://kc.mcafee.com/corporate/index?page=content&id=PD23014

Q:   I see alot of time when with HIPS 8 a lot of API calls that the call gets blocked.  Should we allow on a individual bases after evaluation?
After reviewing the Host IPS signature trigger details, and finding that this is a trusted process.  Then you would create an Host IPS exclusion for that signature trigger.

Q:   How were the HIPS Engine elements seen on the previous slide be disabled? Is there a specific tool or was this in the policy?
The Host IPS 'Engines' can be disabled using the ePO Server Host IPS policy in the 'Troubleshooting' tab in the 'General' Host IPS policy.

Q:   Does MER pull the HIPS related config data?
Yes, the MER does pull this data.

Q:   do you have a document that explain better how to correctly set HIPS and IPS from the ePO? Actually we have HIPS firewall rules set with CAGs and IPS still in adaptive mode
One source:  PD22894 — Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

Q:   Could you explain teh difference between HIPS and IPS?
IPS = Intrusion Prevention System.  A Host IPS is a software that runs on the local system.  IPS systems also can be network applicances that protect the border gateways and local subnets.

Q:   are there any webinar plan for EEPC?
It's on the radar screen; announcements will be made on the Community and in the SNS Journal.

Q:   how can we get to the screen you showed where we can disable or enable particular engines?
Two methods.  The best choice is to Enable/Disable the Host IPS engines via the ePO Server Host IPS policy.  Host IPS General > Troubleshooting Tab   You can also enable/disable the Host IPS engines from the Host IPS Console.  Help > Troubleshooting

Q:   Does HIPS hook itself to all system process? if not, how HIPS decide to hook itself to a process.
This is an option with the Host IPS policy, and is enabled using ePO Server.  Host IPS IPS > IPS Options > 'Automatically include network-facing and service-based applications in the application protection list'.

Q:   Do you plan to host a session on PFW troubleshooting  in this series?
We are planning new presentations all the time. I'll put this topic on the list of the proposed webinars

Q:   Do you know when a Windows 8 version will be available?
Windows 8 and Server 2012 will be supported with the Host IPS 8.0 Patch 3 release.  Please review https://kc.mcafee.com/corporate/index?page=content&id=KB76650

Q:   Can you explain the difference between creating an application protection 'exclude' rule and creating an exception?
An 'Application Protection Rule' is a list of applications that will be hooked or excluded from hooking by the Host IPS software.   An exclusion is an exception to a Host IPS signature trigger.

Q:   Do you also have some best practises for HIPS for servers? Would this be a possible topic for another webinar?
Interesting -- thank you for the idea. we will add that to the topic list.

Q:   Does disable HIP, unloads drivers for network?
No, the drivers will not be unloaded.

Q:   Can you send out the links to the training workshops? 
yes we will!

 

Q:   How do you open the hooking console?
HIPS doesn’t have a feature or a view called hooking console. The view shown in the presentation was from a utility called Process Explorer freely downloadable from Microsoft’s website. http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Q:   could you please explain to investigate longon delay issues on HIPS client?
Identify the exact stage of the logon sequence you are expiring the latency. Collect a full system dump and a MER output and open a case with McAfee support.

Q:   Long Long issue - with HIPS we observed 0-3+ minutes delay, without HISP it just takes 10-20 secs
Identify the process experiencing the latency.  Collect a full system dump and a MER output and open a case with McAfee support.

Q:   When first starting to deploy HIPS to a pilot group of machines, which engines do you recommend we enable first?
Deploy with all the Engines enabled. The disabling of engines are only utilized for component isolation when experiencing an issue.

Q:   I have observed slow response while I unlock to disable HIPS module. After installing HIPS 8 P2 the MA stops commincating with EPO.
Please open a SR with McAfee support to investigate it further.

Q:   can you explain more about Adaptive mode of HIPS
In Adaptive mode, the HIPS client automatically creates rules for the events that would be blocked otherwise. For the Host IPS module, if the setting “Automatically Create client side rules” is enabled for a signature, the HIPS client generates a client-side rule anytime a Security Event is triggered for the signature and send it to ePO. This allows you to create an exception and add it to your policy if needed. The Adaptive mode for the firewall module when enabled creates a firewall rule if it doesn’t find a rule for a traffic instead of blocking it with an implicit block. You can read the details in the HIPS 8 Product Guide. Just search for the word “Adaptive Mode”

Q:   How should we troubleshoot On Access Protection in this matter since HIPS and OAP is integrated? Is there anything special to cover while troubleshooting both?
You have to troubleshoot each individually. Disable one at a time and see if the issue goes away and troubleshoot accordingly.

Q:   how HIPS and IPS cooperate on a machine with McAfee Host Intrusion Prevention installed?
We are not following your question. Can you be more specific about what do you mean by IPS?

Q:   Can you explain how the McAfee Validation Trust Protection Service integrates with HIPS
It validates access to HIPS kernel drivers and components.

Q:   can mcafee profiler be used to troubleshoot HIPS?
No. The functionality is not available with McAfee Profiler.

Q:   Can McAfee debug the kernal dump?
Yes. However, HIPS engineering prefers a full system and might need to request it if a kernel dump wouldn’t be adequate for analysis.

Q:   Anyone encounters content 4933 issue? It just does not show up in hip 8 content column after the DAT update.
Please run a property translator task. Open a case with McAfee support if you the issue still persists.

Q:   You told us earlier that we have to think of hooking as user mode hooking, so kernel mode hooking is simply to overview if what's being triggered in user mode is not doing anything it shouldn't do then ?
What was said that you can assume that “Processes” are operating in user-mode to simplify the problem for triaging Host IPS issues. Host IPS actually hooks in both user-mode and in the kernel.

Q:   to tell the difference from what the process is doing and what it should be doing, don't we need to analyse memory dumps or use debuging tools? I wouldn't know how to do this with advanced multi-service third party software…
You don’t need to analyze the dump files. You can just observe how the application is expected to operate and compare how does it exactly differ when HIPS is running on the system.  Identify the process name the application runs as and provide the process dump along with the symptoms you are recorded earlier.

Q:   What if the process is a service process?
You’ll treat service just as any other process running on the system when troubleshooting a Host IPS issue.

Q:   Is there a Training for troubleshooting HIPS?
We don’t have a training specifically for HIPS Troubleshooting per-se but do have HIPS Training classes. Please contact your account manager to inquire on existing classes or to request new offerings.

Q:   how to get the dump file of the process?
In Vista and newer Windows versions, you can bring up the task manager, right click on the Process and click on “Create Dump File” to generate a user-mode memory dump file of the process. In the prior versions, there are several freely download tools like DebugDiag and Adplus that lets you do it

Q:   What steps need to take for Process consumption?
Identify the exact symptoms you are seeing with the process, get a process dump and open a case with McAfee support.

Q:   what  are the major difference between HIPS 7.0 and HIPS 8.0
Please see McAfee KB70876 “New features in Host Intrusion Prevention 8.0

Q:   How to troubleshoot issues with HIPS which ends without craches or hangs, but with slow speeds, time-outs, etc where the dumb will not show valuable information
Identify the process you are seeing the issue with. Record the exact symptoms you are seeing with the process, get a process dump and open a case with McAfee support.

Q:   You are mentioning that it may occur some problems using these engines. What kind of problems should we expect with the different engines?
There isn’t really a clear cut way of mapping issues with different engines. You can start out with disabling half the engines and follow along till you zero in on an engine. You can identify an engine with three or four attempts.

Q:   if you un-install HIPS are the hooks still in place?
No. The hookings are removed with the uninstallation of the HIPS client.

Q:   How a process in user mode hooks with a kernel mode process and where HIPS intercept such hooking ?
Host IPS hooks processes for viewing and processing user-mode activities and hooks the OS kernel for system call interception and related processing.

Q:   some words for ROOTkits in kernel mode and HIPS?
Host IPS currently doesn’t have a signature for kernel rootkits.