Anyone see this issue? It's been random so I am not really sure what starts it.
While working on my test PC to build an 8.0 ruleset I have Learn Mode enabled for outgoing only. (IPS enabled, Host and Network) Every now and again the Firewall will ask for approval on programs I know I have set in the EPO rule set. I open the HIP client and look at the firewall rules and all the rules enforced by EPO are gone. If I open the agent and click enforce policy the rules will all be populated again and the popups will stop. Also note when I do an enforce policy I do not need to be connected to the network where EPO server resides so the agent is able to pull them from its policy cache. Also I enforce policies on this system every 15 minutes so if I wait till the policy auto enforces again the rules will come back as well.
Feels like a bug in the system but this has only happened about 7 times in the last month but it has happened on all 4 of my test boxes. Plus I have two different EPO HIP 8 policies, one internal PCs and one external, and the issue seems related to the client program and not the policy. However I have not ruled out EPO or agents as a possible issue. I have opened an issue with McAfee but it is so random it is hard to actually show them this.
Windows 7 SP1 x64 (fully patched for MS security updates)
HIP 8.0 Build: 1741
Security Content Version: 18.104.22.16800
I've also noticed that randomly HIPS will lose firewall rules between reboots. It's not all rules, just some.
I'd love a client 'export' ruleset feature. It would allow me to back up my rules until the flakiness of this 8.0 release.
Otherwise it's a good product.
I'm running Windows 7 Ultimate x64
Back up the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Config\Firewall\Rules. This contains the local firewall ruleset.
For some reason the client detects the rules were there:
11/23/2011 22:09:06 pgpRegistry.cpp ERROR (1640) RegDBGetKey2() - failed to open key "Software\McAfee\HIP\Config\Firewall\Rules\111". Error = 19.
11/23/2011 22:09:06 HpmRegistry.cpp ERROR (1640) saveFirewall() - failed to open/create registry key "Software\McAfee\HIP\Config\Firewall\Rules\111"
11/23/2011 22:09:06 HpmRegistry.cpp ERROR (1640) saveFirewall() - failed to create key for entity "Dynamically Created Via Learn Mode". The entity will be skipped and processing will continue
It looks like the FireSVC tried to write the firewall ruleset to registry, failed and on next reboot they were gone.
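A way to spot the failed rule writes quoted above in a client log, as an added example that is not part of the original posts or any McAfee tooling: it scans for ERROR lines that name a key under the Firewall\Rules path and lists the rule keys and entities that were not saved. The line layout is inferred from the three quoted log lines; the function name find_rule_save_failures and the INFO line in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout inferred from the log lines quoted in the thread (an assumption):
# date time source-file LEVEL (number) function() - message
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<src>\S+) '
    r'(?P<level>[A-Z]+) \(\d+\) (?P<func>\w+)\(\) - (?P<msg>.*)$'
)
KEY_RE = re.compile(r'key "([^"]+)"')        # quoted registry key path
ENTITY_RE = re.compile(r'entity "([^"]+)"')  # quoted rule (entity) name
RULES_PATH = r'software\mcafee\hip\config\firewall\rules'

# Three ERROR lines copied from the thread, plus one constructed INFO line
# (not from a real log) to show that non-error lines are ignored.
SAMPLE_LOG = r'''
11/23/2011 22:09:05 HpmRegistry.cpp INFO (1640) saveFirewall() - constructed non-error line
11/23/2011 22:09:06 pgpRegistry.cpp ERROR (1640) RegDBGetKey2() - failed to open key "Software\McAfee\HIP\Config\Firewall\Rules\111". Error = 19.
11/23/2011 22:09:06 HpmRegistry.cpp ERROR (1640) saveFirewall() - failed to open/create registry key "Software\McAfee\HIP\Config\Firewall\Rules\111"
11/23/2011 22:09:06 HpmRegistry.cpp ERROR (1640) saveFirewall() - failed to create key for entity "Dynamically Created Via Learn Mode". The entity will be skipped and processing will continue
'''

def find_rule_save_failures(log_text):
    """Group failed firewall-rule registry writes by timestamp.

    Returns {timestamp: {"keys": set of key paths, "entities": set of names}}.
    """
    failures = defaultdict(lambda: {"keys": set(), "entities": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERROR":
            continue
        msg = m["msg"]
        # Registry keys under the local firewall ruleset that could not be opened
        for key in KEY_RE.findall(msg):
            if key.lower().startswith(RULES_PATH):
                failures[m["ts"]]["keys"].add(key)
        # Rules that saveFirewall() reported it skipped
        if m["func"] == "saveFirewall":
            failures[m["ts"]]["entities"].update(ENTITY_RE.findall(msg))
    # Drop timestamps where an ERROR line matched but nothing relevant was found
    return {ts: f for ts, f in failures.items() if f["keys"] or f["entities"]}

if __name__ == "__main__":
    for ts, f in find_rule_save_failures(SAMPLE_LOG).items():
        print(ts, "unsaved keys:", sorted(f["keys"]),
              "skipped entities:", sorted(f["entities"]))
```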
We are seeing this in a big way too. It seems to mainly be on XP running HIPS 8. But, it could be just HIPS 8. Is there anyone "in the know" that can shed some light on this?
Well I want to add:
Patch1 has seemed to reduce the amount this happens however it still does happen. I never 100% lose the ruleset but it always happens when I switch from either a wireless to wired network or back. (WAN/LAN switching on HP laptops) I have only tested Windows 7 SP1 since Windows XP and HIP 8 is horribly broken in my environment. Basically HIP 8 installed on Windows XP SP3 will not connect to a wireless network 80% of the time. It either cannot see any networks or cannot get IP address. This is even with the firewall installed but not turned on. All drivers for networking and PC up to date. All patches for OS up to date. (That is OT though, we are only deploying HIP 8 to Windows 7 computers)