gazzanet
Level 7

HIPS 7.0 Questions about agent working

Hi, I am new to this technology but I have a question about HIPS 7.0.

If a critical vulnerability is covered by a Microsoft fix, and this fix is installed on the client, can the agent read the list of all fixes installed on this client?

I have an event triggered on the ePO console regarding a vulnerability, but the related patch is installed on the client.

So my question is:

Why was the event triggered even if the security patch was installed? And, if possible, I would like to know a few more details on how the triggering of the signature works.

Thanks in advance

Message edited by gazzanet on 11/02/11 6.04.07 CST
0 Kudos
3 Replies
McAfee Employee

Re: HIPS 7.0 Questions about agent working

If a critical vulnerability is covered by a Microsoft fix, and this fix is installed on the client, can the agent read the list of all fixes installed on this client?


No, Host IPS does not detect if a Microsoft hotfix/patch is applied to disable a particular Signature.  Please submit a PER for this.

So my question is:

Why was the event triggered even if the security patch was installed? And, if possible, I would like to know a few more details on how the triggering of the signature works.

Depending on the signature, it can still be violated even if the vulnerability is closed.  KB70810 is a good example of this.  Signature 3776 monitors for a specific ActiveX control being used (the control was used for an older vulnerability).  If the vulnerability is closed, the signature will still violate if it finds the ActiveX control being used.

0 Kudos
suhayl
Level 7

Re: HIPS 7.0 Questions about agent working

@ Karry,

If the MS10-090 patch is applied and the Sign 3776 disabled, will it still trigger the event?

Thanks

Suhayl

0 Kudos
McAfee Employee

Re: HIPS 7.0 Questions about agent working

If a Host IPS signature is Disabled, the signature will not trigger.

0 Kudos