
Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Hello All,

I am looking for help on a strange issue.  I have ePO 4.0 with HIPS 7 deployed, Network IPS is enabled also.  I made an exception rule for all UDP and TCP port scans.  Even with this exception, when I run a port scan, the scan is blocked and it fails every time.  As soon as I disable Network IPS, it works again.  Obviously, this is the issue but why isn't the exception working?  Has anyone seen this before?  Any ideas what to do?

(I've rebooted all boxes, tried this on 5 different hosts, works when NIPS is disabled, fails when enabled, exception is saved for the group and hosts)

Thanks

7 Replies

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Moving this to the product community for HIPS....

Sam

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

You have an alert in ePO showing exactly what the IPS blocked? (menu, reporting, host ips)

Find an example block in there and create an exception based on that, except remove some of the specifics of that exception so it applies to a broader group of machines.

Sorry if I'm way off track...

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

The exception I built was based on the event.  It is not working so I know there is something else I'm missing.  Thanks for the advice anyway...

McAfee Employee ktankink

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

IPS exceptions do not work for Network IPS signatures.  In order to create Network IPS signatures, you must add the IP address(es) to the Trusted Networks policy, and enable the option "Mark as Trusted for Network IPS".

KB66283 - Documentation Correction - Host Intrusion Prevention 7.0 Product Guides for ePO 3.6.1 & 4.0, Network IPS signature exception

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Okay, now that seems to make some sense.  Since I'm pretty sure the exception was built correctly and then it never allowed the scan, it seemed like something was missing.  I'll try this tomorrow and report back tomorrow night with my findings.

I did search for an article like the one you posted but I never found it, thanks so much!

bgable

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Network IPS exceptions will be fully supported in HIP 8.0 due out in late Q3 2010.

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Kary,

You are correct.  That worked and I should have known that but I was just dwelling on the exception rule instead of Trusted Network.  Good call!!

Thanks again for the help and the KB reference, that helped a ton!

Take care...
