cancel
Showing results for 
Search instead for 
Did you mean: 
KHokie
Level 7
Report Inappropriate Content
Message 1 of 6

Deploying HIPS - ClientControl.exe

We are trying to deploy HIPS 7 with Patch 2 through SMS and are running into issues where the HIPS service will not stop and allow the patch to run. I've read through the McAfee HIPS 7 Product Guide with ePO 4.0 and page 89 refers to the clientcontrol.exe utility for third-party software upgrades. Does McAfee provide a way to secure the admin password if the install is executed through a batch file? I don't have any documentation that accompanies the clientcontrol utility and am not aware of any other options other then running clientcontrol.exe /? from the command line to see the optional switches.

HIPS 7 installs fine through SMS and gets to file version 7.0.0.688.
Our goal is to get HIPS to version 7.0.0.833.
Here is the error from the McAfeeHIP7_Patch.log on the client for Patch 2:
02-12 11:26:18 [03116] INFO: Setting TARGETDIR to C:\Program Files\McAfee\Host Intrusion Prevention\
02-12 11:26:18 [03116] INFO: Stopping enterceptAgent service
02-12 11:26:18 [03116] DEBUG: SI Service want state Not Running(1), service enterceptAgent
02-12 11:26:18 [03116] INFO: Err - Unable to stop enterceptAgent service
02-12 11:26:18 [03116] INFO: -- OnAbort --

Thanks for any help!
5 Replies
bxs
Level 7
Report Inappropriate Content
Message 2 of 6

RE: Deploying HIPS - ClientControl.exe

Unfortunately there isn't away around this that I'm aware of. Companies who use other methods for distributing software (SMS, Altiris, etc) apparently are not too important to McAfee in this regard as they provide just the bare minimum needed to get the job done.

You may feel better building a simple .net wrapper app around the ClientControl program to at least not leave the password in plain text (although if you use a tool like ProcessExplorer while it is running, you will see the password because it is passed in as a command line argument).

the HIPS service takes its own time stopping. We eventually just set an arbitrary time limit for the service to stop before applying the patch. Most of the time it works, but occasionally fails.

Don't get me started about them distributing patches using .msp format, but then don't include the ability to easily rollback that patch using msiexec. Its bad enough when we have to rollback their buggy patches (cough...HIPS 7 patch 3), but its REALLY annoying when their only mitigation path is to reinstall the ENTIRE HIPS program and then patch back up. Not excusable!
KHokie
Level 7
Report Inappropriate Content
Message 3 of 6

RE: Deploying HIPS - ClientControl.exe

Has anyone had any success having the McAfee Agent, HIPS 7 with Patches, and VirusScan 8.5 or 8.7 as part of an image so as soon as the user logs into a new workstation for the first time, they are immediately protected?

I've read about having the McAfee Agent installed and deleting a specifice GUID registry key, but wasn't aware about HIPS and VirusScan being part of an image.
Highlighted
bxs
Level 7
Report Inappropriate Content
Message 4 of 6

RE: Deploying HIPS - ClientControl.exe

Yes this is possible, but requires some custom development. Basically you just want to automate (msi) the installs of both CMA/HIPS and VSE and be sure they run when the machine is setting up for the first time. We include the fireprefs.txt (HIPS ruleset) with the install package so the machine has some rules immediately...and then after the ePO agent is setup and the ePO server is reachable it'll go out and grab the latest rules (and dat/engine/etc).

Re: RE: Deploying HIPS - ClientControl.exe

Where can we find a download of HIPS 7 clientcontrol.exe? I did not see it on the McAfee website. Any guidances would be greatly appreciated.

McAfee Employee ktankink
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: RE: Deploying HIPS - ClientControl.exe

willjones17 wrote:

Where can we find a download of HIPS 7 clientcontrol.exe? I did not see it on the McAfee website. Any guidances would be greatly appreciated.


You'll find it on the McAfee Download site where you supply your active Support grant number. 

http://www.mcafee.com/us/downloads/downloads.aspx

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community