gng4life
Level 7

Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Hello All,

I am looking for help on a strange issue.  I have ePO 4.0 with HIPS 7 deployed, Network IPS is enabled also.  I made an exception rule for all UDP and TCP port scans.  Even with this exception, when I run a port scan, the scan is blocked and it fails every time.  As soon as I disable Network IPS, it works again.  Obviously, this is the issue but why isn't the exception working?  Has anyone seen this before?  Any ideas what to do?

(I've rebooted all boxes, tried this on 5 different hosts, works when NIPS is disabled, fails when enabled, exception is saved for the group and hosts)

Thanks

0 Kudos
7 Replies
SamSwift
Level 12

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

moving this to the product community for HIPs....

Sam

0 Kudos
HupSkiDup
Level 11

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

You have an alert in ePO showing exactly what the IPS blocked? (Menu, Reporting, Host IPS)

Find an example block in there and create an exception based on that, except remove some of the specifics of that exception so it applies to a broader group of machines.

Sorry if I'm way off track...

0 Kudos
gng4life
Level 7

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

The exception I built was based on the event.  It is not working so I know there is something else I'm missing.  Thanks for the advice anyway...

0 Kudos
McAfee Employee

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

IPS exceptions do not work for Network IPS signatures.  In order to create Network IPS signatures, you must add the IP address(es) to the Trusted Networks policy, and enable the option "Mark as Trusted for Network IPS".

KB66283 - Documentation Correction - Host Intrusion Prevention 7.0 Product Guides for ePO 3.6.1 & 4.0, Network IPS signature exception

0 Kudos
gng4life
Level 7

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Okay, now that seems to make some sense.  Since I'm pretty sure the exception was built correctly and then it never allowed the scan, it seemed like something was missing.  I'll try this tomorrow and report back tomorrow night with my findings.

I did search for an article like the one you posted but I never found it, thanks so much!

0 Kudos
bgable
Level 11

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Network IPS exceptions will be fully supported in HIP 8.0 due out in late Q3 2010.

0 Kudos
gng4life
Level 7

Re: Exception not working for Port Scan in ePO 4.0/HIPS 7.0

Kary,

You are correct.  That worked and I should have known that but I was just dwelling on the exception rule instead of Trusted Network.  Good call!!

Thanks again for the help and the KB reference, that helped a ton!

Take care...

0 Kudos