In need of some help here from you HIPS 8 gurus.
I need to allow a Juniper SSL VPN client to run on multiple computers for multiple users (i.e. multiple users logging in with different profiles). I've created every exception under the sun to allow the junipersetupclient.exe to run within HIPS 8 Trusted Applications and within the Exceptions in the IPS. I have the "trust for IPS and FW" option checked.
The specific block error is:
Description: Juniper Setup Client (JuniperSetupClient.exe)
Path: C:\USERS\TAYLOGF\APPDATA\ROAMING\JUNIPER NETWORKS\SETUP CLIENT\JUNIPERSETUPCLIENT.EXE
Message: Attack type: IE Envelope - Abnormal Program Execution (Sig Id = 2640)
The exception I've created includes the Sig Id of 2640.
The executable path contains C:\USERS\*\APPDATA\ROAMING\JUNIPER NETWORKS\SETUP CLIENT\JUNIPERSETUPCLIENT.EXE
I've had to use the wild card * for the user's profile name as this exception will need to be applied to more than one user. I've also used ** in place of the one * just to see if that works, and yet the HIPS UI on the client laptop still blocks the executable from running and installing.
I've included None as the Signer.
For the Parameters, I added the domain\Domain Users group as multiple users will need to install this executable on their laptops to access our network remotely.
I've pretty much created every Exception I can think of, yet this executable is still getting blocked. I've created it in HIPS 8 and in HIPS 7 (just as a test to see if it works); basically, I have created this exception in every policy you can think of.
Any advice is greatly appreciated.
You'll need to compare the signature violation (from the ePO console) to the IPS exception you created. Usually the IPS exception doesn't work due to some details in the IPS exception that are too specific or incorrect.
If you want to post details, I can review it; if not, please contact McAfee Support to open a Service Request to have it reviewed.
McAfeeFireLog.txt does not have all the details of the violation. Pull the violation details from the Hipshield.log file, or the ePO console. These will list FULL details of the signature violation event, not just a summary of the event.