Olu
Level 7
Message 1 of 4

Exploit-Prevention Rule is blocking Qualys Scanner

Hi,

We are currently observing an issue where Qualys is getting blocked by an ENS Exploit Prevention rule (Rule ID 3700, TCP port scan).

We created an exclusion for the Qualys scanner in Exploit prevention policy. Endpoint Security Threat Prevention : Policy Category > Exploit Prevention > 

clipboard_image_0.png

However, we are still receiving Network Intrusion Prevention System events, as per the threat details below:

Threat Name: ExP:NIPS Violation
Threat Type: Network Intrusion Prevention System
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Analyzer Rule ID: 3700
Analyzer Rule Name: TCP Port Scan
First Action Status: Not available
Second Action Status: Not available
Description: ExP:NIPS Violation Blocked a Network exploit attempt.
Attack Vector Type: Network

 

Do you have a solution regarding why the exclusion is not working as expected?

1 Solution

Accepted Solutions
Reliable Contributor Daveb3d
Message 3 of 4

Re: Exploit-Prevention Rule is blocking Qualys Scanner

Also ensure you are running 10.6 as NIPS exclusions aren't supported on previous versions. 

3 Replies
McAfee Employee ktankink
Message 2 of 4

Re: Exploit-Prevention Rule is blocking Qualys Scanner

Hi @Olu, per your screenshot, did you specify the Signature number and remote IP address of your Qualys scanner (verify it's the same IP address from the ENS event) as the exclusion? Your screenshot is blank, so I assume you just posted which type of exclusion rule is used.

If so, verify that same exclusion exists on the ENS client side as well to rule out any policy enforcement issues.  If you don't see the exclusion on the client side, then you're likely having a different problem, as that is the correct NIPS exclusion rule to use for Signature 3700 (or 3701) events.

Olu
Level 7
Message 4 of 4

Re: Exploit-Prevention Rule is blocking Qualys Scanner

I upgraded to 10.6.1 and it works now. Thanks.
