I need to be able to find the location on the client machine where the configuration data is stored that tells the Firewall to run in Learn Mode or not. I've looked in the registry and at the files in Program Files and C:\Documents and Settings\All Users\Application Data pertaining to McAfee and can't find a readable file that contains the startup data for the firewall (HIPS) service. Does anyone know where this data is located on the client machine and can share it with me?
The data is kept in the file firenetprefs.txt. It won't matter that you know the name of the file; it's not readable. That file is encoded, and if you change it, HIP will think it's corrupted and replace it with a backup copy.
I'm in a pretty large environment, and we use another product (from CA) to inventory our software and settings on our workstations. Our CA people are wanting to be able to determine the LearnMode setting via that capability. Since the data is encoded, we won't be able to do it. However, in meantime, we've determined that we can report these settings via a direct SQL query of our EPO databases.
What's happened is that we are currently deploying in Adaptive Mode, and occasionally that file must be getting corrupted and the client placed in default mode. In default mode, it is interfering with our CA products, and we are trying to be proactive in finding those machines and getting them back into regular mode.
I thought that I was right about the firenetprefs file, but it is good to get confirmation.
server.xml and compiled.xml should have already been recreated. If you look in the directory, you will see the corrupt XML files and the newly created XML files. The only thing that doesn't get recreated is firenetprefs.txt. If you delete it, it will pull the new policies.
If you want peace of mind you can delete the corrupt files.
If the server and compiled XMLs don't need to be deleted, why would McAfee create a KB article telling you to do that? Wouldn't you think that if it wasn't necessary they wouldn't put it in the article?
BTW, once you get corrupted, you'll keep getting corrupted, because if CMA performs 2 ASCIs within 1 minute, the second ASCI will ask for an incremental policy. HIP requires a full policy with every ASCI. If HIP receives an incremental policy, it will lose all its firewall rules and quarantine the system. The only way to recover from that is to boot into safe mode and disable the firesvc. SeaWalker has been lucky enough that HIP sees an empty firenetprefs and replaces it with the backup, fireknownprefs.txt.
If you doubt the KB article's instructions, open a support ticket with McAfee.
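The two replies above give a few on-disk symptoms of a client that has dropped out of its intended mode: an empty or missing firenetprefs.txt (which HIP replaces from the fireknownprefs.txt backup), and server.xml/compiled.xml sitting beside corrupt copies after being recreated. The following is an added example, not code from the thread or from McAfee, that turns those symptoms into a check you could run across workstations as a stopgap for the inventory problem the original poster describes. Everything in it is an assumption except the four file names taken from the thread: the HIP data directory path is passed in by the caller, the finding names are this example's own, and the "prefs_stale" rule (firenetprefs.txt older than a policy XML means the XMLs were recreated after it) is an inference from the reply, not documented behaviour. The sample directories it builds are constructed test data.

```python
"""Inspect a HIP client data directory for the symptoms described in the thread.

Added example (not from the thread or McAfee). Assumptions: the directory
path is supplied by the caller; the finding names are invented here.
"""
import os
import tempfile
from pathlib import Path

PREFS_NAME = "firenetprefs.txt"      # encoded prefs file named in the thread
BACKUP_NAME = "fireknownprefs.txt"   # backup HIP restores from when prefs is empty
POLICY_XML = ("server.xml", "compiled.xml")  # recreated by HIP when corrupt


def inspect_hip_dir(path):
    """Return a sorted list of findings for one HIP client data directory.

    prefs_missing  - firenetprefs.txt absent (thread: a fresh copy is pulled
                     with the next policy)
    prefs_empty    - firenetprefs.txt is zero bytes (thread: HIP replaces it
                     from fireknownprefs.txt)
    backup_missing - fireknownprefs.txt absent, so that fallback cannot happen
    xml_missing    - server.xml or compiled.xml absent
    extra_xml      - other .xml files beside the two policy files; the thread
                     says a corrupt copy and its recreated replacement sit
                     side by side, so this is worth a look
    prefs_stale    - firenetprefs.txt older than a policy XML (assumption: the
                     XMLs were recreated after the prefs file was written)
    """
    d = Path(path)
    findings = set()

    prefs = d / PREFS_NAME
    if not prefs.is_file():
        findings.add("prefs_missing")
    elif prefs.stat().st_size == 0:
        findings.add("prefs_empty")

    if not (d / BACKUP_NAME).is_file():
        findings.add("backup_missing")

    # Lower-case names so the check behaves the same on case-sensitive filesystems.
    present = {p.name.lower(): p for p in d.glob("*.xml") if p.is_file()}
    if any(name not in present for name in POLICY_XML):
        findings.add("xml_missing")
    if set(present) - set(POLICY_XML):
        findings.add("extra_xml")

    if prefs.is_file():
        prefs_mtime = prefs.stat().st_mtime
        for name in POLICY_XML:
            p = present.get(name)
            if p is not None and p.stat().st_mtime > prefs_mtime:
                findings.add("prefs_stale")
    return sorted(findings)


def make_sample_dir(empty_prefs=False, extra_xml=False, stale_prefs=False):
    """Build a constructed directory that mimics the symptoms (test data only)."""
    d = Path(tempfile.mkdtemp(prefix="hip_"))
    base = 1_600_000_000  # fixed timestamp so mtime comparisons are deterministic
    (d / BACKUP_NAME).write_bytes(b"backup")
    for name in POLICY_XML:
        (d / name).write_text("<policy/>")
        os.utime(d / name, (base, base))
    if extra_xml:
        (d / "server_old.xml").write_text("<corrupt>")  # hypothetical leftover copy
    (d / PREFS_NAME).write_bytes(b"" if empty_prefs else b"opaque-encoded-bytes")
    prefs_time = base - 3600 if stale_prefs else base
    os.utime(d / PREFS_NAME, (prefs_time, prefs_time))
    return d


if __name__ == "__main__":
    for kw in ({}, {"empty_prefs": True}, {"extra_xml": True, "stale_prefs": True}):
        print(kw, inspect_hip_dir(make_sample_dir(**kw)))
```

Run it against the real HIP data directory on a client (the path varies by version and is not given in the thread, so confirm it on a known-good machine first) and feed the findings into whatever inventory tool you already have; a machine reporting nothing from this check can still be in default mode, since the encoded prefs file itself is not readable, so treat the ePO-side SQL report mentioned earlier as the authoritative source and this as a quick local triage.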