I am looking for help on a strange issue. I have ePO 4.0 with HIPS 7 deployed, Network IPS is enabled also. I made an exception rule for all UDP and TCP port scans. Even with this exception, when I run a port scan, the scan is blocked and it fails every time. As soon as I disable Network IPS, it works again. Obviously, this is the issue, but why isn't the exception working? Has anyone seen this before? Any ideas what to do?
(I've rebooted all boxes, tried this on 5 different hosts, works when NIPS is disabled, fails when enabled, exception is saved for the group and hosts)
Do you have an alert in ePO showing exactly what the IPS blocked? (Menu, Reporting, Host IPS)
Find an example block in there and create an exception based on that, except remove some of the specifics of that exception so it applies to a broader group of machines.
Sorry if I'm way off track...
The exception I built was based on the event. It is not working so I know there is something else I'm missing. Thanks for the advice anyway...
IPS exceptions do not work for Network IPS signatures. In order to create Network IPS signatures, you must add the IP address(es) to the Trusted Networks policy, and enable the option "Mark as Trusted for Network IPS".
KB66283 - Documentation Correction - Host Intrusion Prevention 7.0 Product Guides for ePO 3.6.1 & 4.0, Network IPS signature exception
Okay, now that seems to make some sense. Since I'm pretty sure the exception was built correctly and then it never allowed the scan, it seemed like something was missing. I'll try this tomorrow and report back tomorrow night with my findings.
I did search for an article like the one you posted but I never found it, thanks so much!
You are correct. That worked and I should have known that, but I was just dwelling on the exception rule instead of Trusted Networks. Good call!!
Thanks again for the help and the KB reference, that helped a ton!