
HIP 8.0 Loses EPO Firewall ruleset?

Anyone see this issue? It's been random, so I am not really sure what starts it.

While working on my test PC to build an 8.0 ruleset I have Learn Mode enabled for outgoing only. (IPS enabled, Host and Network) Every now and again the Firewall will ask for approval on programs I know I have set in the EPO rule set. I open the HIP client and look at the firewall rules and all the rules enforced by EPO are gone. If I open the agent and click enforce policy the rules will all be populated again and the pop-ups will stop. Also note when I do an enforce policy I do not need to be connected to the network where the EPO server resides, so the agent is able to pull them from its policy cache. Also I enforce policies on this system every 15 minutes, so if I wait till the policy auto enforces again the rules will come back as well.

Feels like a bug in the system, but this has only happened about 7 times in the last month, though it has happened on all 4 of my test boxes. Plus I have two different EPO HIP 8 policies, one for internal PCs and one for external, and the issue seems related to the client program and not the policy. However, I have not ruled out EPO or agents as a possible issue. I have opened an issue with McAfee, but it is so random it is hard to actually show them this.

Environment:

Windows 7 SP1 x64 (fully patched for MS security updates)

HIP 8.0 Build: 1741

Security Content Version: 8.0.0.3900

EPO 4.6

Agent: 4.6.0.1694

9 Replies

Re: HIP 8.0 Loses EPO Firewall ruleset?

I've also noticed that randomly HIPS will lose firewall rules between reboots. It's not all rules, just some.

I'd love a client 'export' ruleset feature. It would allow me to back up my rules until the flakiness of this 8.0 release.

Otherwise it's a good product.

Re: HIP 8.0 Loses EPO Firewall ruleset?

Happened again.

I'm running Windows 7 Ultimate x64

Back up the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Config\Firewall\Rules. This contains the local firewall ruleset.

For some reason the client detects the rules were there:

11/23/2011 22:09:06 pgpRegistry.cpp[131]    ERROR    (1640) RegDBGetKey2() - failed to open key "Software\McAfee\HIP\Config\Firewall\Rules\111". Error = 19.

11/23/2011 22:09:06 HpmRegistry.cpp[12055]    ERROR    (1640) saveFirewall() - failed to open/create registry key "Software\McAfee\HIP\Config\Firewall\Rules\111"

11/23/2011 22:09:06 HpmRegistry.cpp[6325]    ERROR    (1640) saveFirewall() - failed to create key for entity "Dynamically Created Via Learn Mode". The entity will be skipped and processing will continue

It looks like the FireSVC tried to write the firewall ruleset to registry, failed and on next reboot they were gone.

0 Kudos
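Added example, not part of the original posts and not McAfee code: a small Python parser that pulls the failed firewall rule writes out of log lines like the three quoted above, so an affected client's log can be checked for rules that were never saved to the registry. The line layout is inferred only from those three lines, the number in parentheses is treated as an opaque id, and the function and variable names are hypothetical.

```python
import re
from datetime import datetime

# The three log lines quoted in the post above, copied as-is.
SAMPLE_LOG = r'''
11/23/2011 22:09:06 pgpRegistry.cpp[131]    ERROR    (1640) RegDBGetKey2() - failed to open key "Software\McAfee\HIP\Config\Firewall\Rules\111". Error = 19.
11/23/2011 22:09:06 HpmRegistry.cpp[12055]    ERROR    (1640) saveFirewall() - failed to open/create registry key "Software\McAfee\HIP\Config\Firewall\Rules\111"
11/23/2011 22:09:06 HpmRegistry.cpp[6325]    ERROR    (1640) saveFirewall() - failed to create key for entity "Dynamically Created Via Learn Mode". The entity will be skipped and processing will continue
'''

# Assumed layout, inferred only from those lines: time, source[line], level, (id), message.
LINE_RE = re.compile(r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+\S+\[\d+\]\s+'
                     r'(?P<level>\w+)\s+\((?P<ctx>\d+)\)\s+(?P<msg>.*)$')
KEY_RE = re.compile(r'failed to open(?:/create)? (?:registry )?key "(?P<key>[^"]+)"'
                    r'(?:\. Error = (?P<err>\d+))?')
ENTITY_RE = re.compile(r'failed to create key for entity "(?P<entity>[^"]+)"')
RULES_PREFIX = 'software\\mcafee\\hip\\config\\firewall\\rules\\'


def unsaved_rules(log_text):
    """Return one record per firewall rule key the client failed to write."""
    events = {}  # (ts, ctx, key) -> record, so repeated errors for one key merge
    last = {}    # (ts, ctx) -> latest record, to attach the "entity" line to it
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m['level'] != 'ERROR':
            continue
        scope = (m['ts'], m['ctx'])  # the (1640) field is used as an opaque id
        k = KEY_RE.search(m['msg'])
        if k and k['key'].lower().startswith(RULES_PREFIX):
            rec = events.setdefault(scope + (k['key'],), {
                'time': datetime.strptime(m['ts'], '%m/%d/%Y %H:%M:%S'),
                'rule_id': k['key'].rsplit('\\', 1)[1],
                'error': None, 'entity': None})
            if k['err']:
                rec['error'] = int(k['err'])
            last[scope] = rec
            continue
        e = ENTITY_RE.search(m['msg'])
        if e and scope in last:
            last[scope]['entity'] = e['entity']
    return list(events.values())


if __name__ == '__main__':
    for r in unsaved_rules(SAMPLE_LOG):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} rule {r['rule_id']} not written "
              f"(error {r['error']}), entity: {r['entity']}")
```
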
smbober
Level 7

Re: HIP 8.0 Loses EPO Firewall ruleset?

I have a platinum case open regarding this issue.  Hopefully, we can get to the root cause of this.

0 Kudos
kink80
Level 12

Re: HIP 8.0 Loses EPO Firewall ruleset?

Did Platinum support ever solve this?

0 Kudos
protector
Level 9

Re: HIP 8.0 Loses EPO Firewall ruleset?

We are on HIPS 8 Patch 5 and this issue is occurring to us now.  Has anyone resolved this yet?

0 Kudos

Re: HIP 8.0 Loses EPO Firewall ruleset?

Another reboot, and ruleset lost again.

Very strange. I suggest backing up HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Config\Firewall\Rules

0 Kudos
smbober
Level 7

Re: HIP 8.0 Loses EPO Firewall ruleset?

We are seeing this in a big way too.  It seems to mainly be on XP running HIPS 8.  But, it could be just HIPS 8.  Is there anyone "in the know" that can shed some light on this?

0 Kudos

Re: HIP 8.0 Loses EPO Firewall ruleset?

Well I want to add:

Patch1 has seemed to reduce the amount this happens, however it still does happen. I never 100% lose the ruleset, but it always happens when I switch from either a wireless to wired network or back. (WAN/LAN switching on HP laptops) I have only tested Windows 7 SP1 since Windows XP and HIP 8 is horribly broken in my environment. Basically HIP 8 installed on Windows XP SP3 will not connect to a wireless network 80% of the time. It either cannot see any networks or cannot get an IP address. This is even with the firewall installed but not turned on. All drivers for networking and PC up to date. All patches for OS up to date. (That is OT though, we are only deploying HIP 8 to Windows 7 computers)

0 Kudos
macca100
Level 7

Re: HIP 8.0 Loses EPO Firewall ruleset?

Has anyone managed to completely resolve this yet?

0 Kudos