Level 9

HIPS 7 Patch 6 is out now

McAfee® Host Intrusion Prevention Version 7.0.0 Patch 6 Release Notes
Patch Version


Host IPS Client 7.0.0 for Windows
Release Date

October 22, 2009

Recommended: McAfee recommends this release for all environments. This update should be applied at the earliest convenience.
About Release

Refer to online knowledgebase article KB67041 for the most current Host IPS 7.0 Patch 6 client details.

Host IPS 7.0.4 extension for ePolicy Orchestrator is required for correct policy management of clients running Microsoft Windows 7. The extension also corrects reports and dashboard views from ePO 4.0 for Host IPS clients running 7.0 Patch 5 or later. Refer to online knowledgebase article KB65977 for the most current Host IPS 7.0.4 extension details.
Files affected

The following binaries are version 1070

[INSTALLDIR]\Inf\NdisInstall.exe (32-bit or 64-bit)

[WINDOWS]\System32\Drivers\FirePM.sys (32-bit or 64-bit)

[WINDOWS]\System32\Drivers\FireTdi.sys (32-bit or 64-bit)

[WINDOWS]\System32\Drivers\FireLM01.sys (32-bit or 64-bit)

The following binaries are version

The following binary is version 955

[WINDOWS]\System32\Drivers\FireHk.sys (32-bit or 64-bit)

The HIPSCore related binaries are version



The SysCore related binaries are version


New Resolved Issues

Issue: System failure caused by mfehidk.sys. (Reference: 483723)

Resolution: A race condition within the driver permitted one thread to destroy event data while another thread tried to use it to evaluate policy. Driver semantics have been revised to ensure there is no thread to destroy event data while another thread tries to use it.

Issue: HIPSCore fails to start when Altiris SVS Client is installed. (Reference: 487654)

Resolution: With some file virtualization drivers, Host IPS would fail to identify the actual volume on which a redirected file resided, causing the HIPSCore service to fail. Host IPS can now recognize more types of file virtualization and locate the correct volume.

Issue: Incoming traffic from localhost ( to a local IP address required rules to allow the inbound traffic. (Reference: 493191)

Resolution: The rule matching logic has been updated to allow inbound traffic from localhost unconditionally.

Issue: Excessive loopback traffic in the activity log. (Reference: 509562)

Resolution: Change in the behavior of the firewall regarding traffic from localhost logged excessive loopback traffic. Logging of loopback traffic is now disabled by default, although users can enable this logging by adding a new DWORD registry key value (dwReportLoopback) to HKLM\Software\McAfee\HIP, and setting the value to 1. Refer to online knowledgebase article KB67040 for the most current details.

Issue: McAfee’s implementation of NHC_EndpointSecure API causes an exception when called by Juniper Networks Host Checker. (Reference: 506571)

Resolution: A timing issue caused some library functions to be executed before being initialized, which resulted in an exception. Logic has been implemented to ensure that all library functions are properly initialized before executing.

Issue: Some traffic is blocked even with the firewall and network IPS disabled. (Reference: 503135)

Resolution: Certain non-IP traffic was blocked by a pre-filter mechanism, regardless of Firewall or IPS settings. This pre-filter mechanism has been corrected and now allows all packet traffic to pass through the network interface when the firewall and network IPS are disabled.

Issue: IPS Exceptions are failing after applying Host IPS 7.0 Patch 4. (Reference: 496911)

Resolution: Some rule exceptions were not taking effect, which imposed stricter enforcement than the policy intended. Host IPS has been updated to recognize the standard Security Identifiers for "Network Service" and "Local Service" and to allow any corresponding exceptions.

Issue: Enforcing a Connection Aware Group with the ePO Server Reachable option enabled caused mcafeefire.exe to fail. (Reference: 511980, 429630)

Resolution: On Microsoft Windows 2000 and Vista, the DNS Query to resolve the ePolicy Orchestrator server IP address generated traffic that needed firewall rule matching while a lock was being held, which caused a deadlock. This DNS Query is now performed before acquiring the lock, removing the chance of deadlock.

Issue: Intel eBios compiler latency with Host IPS services running on the system. (Reference: 443978)

Resolution: Process launch overhead has been reduced for processes that are excluded from monitoring.

Issue: UI password containing both numbers and characters fails to unlock the UI on Traditional Chinese platform. (Reference: 487988)

Resolution: The Unicode conversion was not performed properly, causing the password not to match. This has been corrected.

Issue: Java Control Panel fails while viewing "Java Application Runtime Settings." (Reference: 502339)

Resolution: The violation of Microsoft's prohibition on synchronization within DllMain has been fixed.

Issue: Non-standard loopback addresses are not treated the same as (Reference: 511973)

Resolution: Previously, the rule matching logic would only match localhost if the IP address was exactly However, according to the RFC, any IP address that starts with 127 should be considered localhost. Host IPS now conforms to the RFC, and any address that starts with 127 is treated as localhost.

Issue: VPN on Windows Vista SP1 failed to connect to Windows RRAS servers because unrecognized TDI requests for RAW IP were being blocked. (Reference: 483889)

Resolution: Host IPS no longer blocks these TDI requests for RAW IP and allows the VPN connection to RRAS servers.

Issue: Client properties in ePO showed SqlProtection as unprotected for systems running 64-bit SQL server, even when SQL protection was enabled. (Reference: 487599)

Resolution: The correct version of the Helper application for the 32-bit or 64-bit platform architecture and SQL server processes now executes.

Issue: Installation of the Host IPS 7.0 client fails if a McAfee NDIS Intermediate Filter Driver was only partially installed. (Reference: 519789)

Resolution: The Host IPS 7.0 client installer has been updated to detect an incomplete installation of a McAfee NDIS Intermediate Filter Driver, and, when it finds this, it reinstalls the driver and completes the installation.
0 Kudos
14 Replies
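The loopback changes in the notes above (references 493191, 509562 and 511973), sketched as an added example that is not part of the release notes or of McAfee's code. The function names, the rule-table format, the `report_loopback` flag standing in for dwReportLoopback, the logging of non-loopback traffic and the literal 127.0.0.1 in the exact-match version are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")  # every address starting with 127


class Decision(NamedTuple):
    action: str    # "allow" or "block"
    matched: str   # which rule decided the outcome
    logged: bool   # whether the event would reach the activity log


def is_loopback_exact(addr: str) -> bool:
    """Matching as the notes describe it before the fix: one literal address.
    127.0.0.1 is assumed here; the address itself is missing from the notes."""
    return addr == "127.0.0.1"


def is_loopback(addr: str) -> bool:
    """Match the whole 127/8 block on the parsed address, never on the string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames and malformed input are never loopback
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.5 carries an IPv4 loopback address
    return ip.version == 4 and ip in LOOPBACK_V4


def decide_inbound(src: str, rules, report_loopback: bool = False) -> Decision:
    """Hypothetical evaluator: loopback sources are allowed unconditionally and
    logged only when report_loopback is set; everything else goes through the
    rule table (first match wins, default block, always logged: an assumption)."""
    if is_loopback(src):
        return Decision("allow", "loopback", report_loopback)
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return Decision("block", "unparseable", True)
    for net, action in rules:
        if ip in ipaddress.ip_network(net):
            return Decision(action, net, True)
    return Decision("block", "default", True)


# Constructed sample input, not taken from any real activity log.
SAMPLE_RULES = [("10.0.0.0/8", "allow")]
SAMPLE_SOURCES = [
    "127.0.0.1", "127.0.0.2", "127.255.255.254", "::ffff:127.0.0.5",
    "128.0.0.1", "10.1.2.3", "127.0.0.1.example",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        d = decide_inbound(src, SAMPLE_RULES)
        print(f"{src:20} exact={is_loopback_exact(src)!s:5} "
              f"block-match={is_loopback(src)!s:5} -> {d.action} ({d.matched})")
```

The string `127.0.0.1.example` shows why the match is done on the parsed address: a textual "starts with 127" test would accept it.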
Level 9

RE: HIPS 7 Patch 6 is out now

Previously Resolved Issues

Issue: The Registry Value, dwAllowOtherNonIP, reverts to 0 after installing HIP 7.0 Client Patch 3 on systems managed by ePolicy Orchestrator 3.6. (Reference: 463744)

Resolution: Added a new Registry Value, dwAllowOtherNonIP_Client, which can be used to override the settings in dwAllowOtherNonIP. The dwAllowOtherNonIP Registry Value continues to be managed by policy, and is used by the client if dwAllowOtherNonIP_Client does not exist.

Issue: The McAfee Host Intrusion Prevention tray icon displays “Driver not installed”. (Reference: 456937)

Resolution: A delay during service startup could cause this message to be displayed inappropriately. Internal timeouts have been increased to allow for a delay during service startup.

Issue: The mfevtps.exe process uses excessive memory and slows down the Windows logon process. (Reference: 458438)

Resolution: mfevtps.exe was unnecessarily verifying certificates, which consumed extra memory and time. This unneeded verification has been removed.

Issue: Abnormally small IP fragments are blocked when Host IPS 7.0 is installed. (Reference: 468725)

Resolution: Host IPS 7.0 was strictly enforcing the RFC-791 Internet Protocol specification and automatically blocking any IP fragments that were too small, with the exception of the last fragment in the chain. This IP fragment size enforcement has been removed, allowing delivery of noncompliant IP fragments.

Issue: A fingerprint-only firewall rule incorrectly matches and blocks unassociated network traffic. (Reference: 466384)

Resolution: Issues with the firewall rule-matching logic have been resolved.

Issue: Returning packets of outgoing traffic were blocked as incoming traffic. (Reference: 476116)

Resolution: Returning packets of outgoing traffic are no longer blocked.

Issue: Incomplete information for the system process caused invalid matching of firewall rules that showed ports 139 and 445 open. (Reference: 471871)

Resolution: Process-related information was missing for the system process. This was resolved by adding a computation for the system process.

Issue: Heavy non-paged memory usage with the MFel tag on a Windows 2003 Exchange Server. (Reference: 446639)

Resolution: The code to monitor Microsoft's vulnerability CVE-2005-0560 was removed because Microsoft had already patched it.

Issue: Memory leak in MFe0 tag on multi-processor systems. (Reference: 468002)

Resolution: A large number of reference objects were being created per process. This was optimized to decrease the non-page memory usage.

Issue: Security Audit Failure (Event 577) appears in the Windows Security log after applying Host IPS 7.0 patch 3. (Reference: 451939)

Resolution: False audit events are now prevented.

Issue: FireSvc.exe generated an unhandled exception after Host IPS 7.0 Patch 4 was installed. (Reference: 482498)

Resolution: A race condition existed between the FireSvc.exe worker thread and a temporary thread to set the firewall state in the Windows Security Center. The communication mechanism for Windows Security Center has been re-designed to remove the race condition.

Issue: The Host IPS 7.0 Client Firewall on Windows Vista SP1 appeared as disabled in the Windows Security Center. (Reference: 476379)

Resolution: The Host IPS communication mechanism with Windows Security Center has been re-designed to support Vista SP1 and later.

Issue: HIPSCore service does not start when running on Windows XP with a dynamic disk. (Reference: 446938)

Resolution: The VTP driver failed to verify the presence of content drivers on dynamic disks. VTP driver verification now works correctly.

Issue: Unrecognized non-IP traffic is not logged. (Reference: 450277)

Resolution: Added logging for unrecognizable non-IP traffic. Both recognized and unrecognized non-IP traffic is now logged.

Issue: Rule match is not made when using both Path and File section in Program class rule. (Reference: 362850)

Resolution: The Microsoft Vista path mechanism was using a drive prefix that was not consistent with the non-Vista mechanism, which stripped the drive prefix. The drive prefix is explicitly stripped on Vista to be consistent.

Issue: Connection Aware Group matching fails when the incoming traffic destination is localhost. (Reference: 439529)

Resolution: Fixed matching logic of Connection Aware Groups to identify incoming traffic correctly to localhost.

Issue: System failure on Windows XP or Vista when third party VPN drivers are loaded. (Reference: 430885)

Resolution: System instability was caused by excessive kernel stack usage when third party VPN drivers were loaded. A mechanism was introduced to switch to a new kernel stack if the current stack is full.

Issue: Firewall rules in a Connection Aware Group are displayed incorrectly on machines that were upgraded from Host IPS 6.x. (Reference: 388808)

Resolution: The client user interface was using an obsolete Host IPS 6.x feature, which is no longer supported in Host IPS 7.0. This feature has been removed.

Issue: Memory corruption in mfehidk.sys causes a system failure. (Reference: 458263)

Resolution: The operating system was releasing the process before it was finished, which led to memory corruption. The process reference count has now been incremented to prevent the operating system from releasing the process prematurely.

Issue: RDP timeouts to XP SP2 hosted on ESX. (Reference: 445496)

Resolution: Introduced a new internal API to check write-protected memory address instead of using an existing Windows API, which may trigger unnecessary exceptions.

Issue: System failure caused by Generic Buffer Overflow Protection. (Reference: 455085)

Resolution: Introduced a new internal API to check write-protected memory address instead of using an existing Windows API, which may trigger unnecessary exceptions.

Issue: Excessive IPv4 packet fragmentation causes a loss of network connectivity on high availability servers or domain controllers. (Reference: 391144)

Resolution: Large amounts of fragmented packets could exhaust the memory pool. A cleanup mechanism was introduced to recover the memory pool consumed by incomplete packets.

Issue: The FireSvc.exe process could unexpectedly fail because of errors that occurred when managing internal data structures. (Reference: 394265, 394280, 402984, 415656, 370708)

Resolution: All client rule processing and data access handling has been reviewed and optimized.

Issue: A potential race condition caused instability for HIPSvc.exe during process injection. (Reference: 405518)

Resolution: The process injection code has been optimized to prevent instability.

Issue: IPv4 packet fragmentation could cause the client system to fail. (Reference: 399599)

Resolution: The IPv4 fragmentation algorithm was reworked to fix faulty logic in segmented frame handling.

Issue: IIS protection was not enabled if the Host Intrusion Prevention client was installed before IIS 6.0 was installed. (Reference: 332506)

Resolution: The isapi.dll filter that handles IIS protection is now properly loaded after IIS is installed and started.

Issue: Client system was unable to authenticate to a domain controller when the lsass.exe process failed. (Reference: 396495, 393785)

Resolution: Core process injection stability enhancements were made to prevent the failure.

Issue: Tivoli does not function when using Check Point VPN-1 Client when Connection Aware Group firewall rules are applied. (Reference: 425392)

Resolution: Connection Aware Group matching failed with inbound traffic with some IPSec VPNs. The Connection Aware Group matching logic was extended to handle IPSec VPN re-routing of inbound traffic to the physical adapter’s NDIS miniport instance.

Issue: Unable to connect to HTTPS server when a client is connected with T3G wireless network connection. (Reference: 414155)

Resolution: Unsolicited inbound traffic was not being matched by the Connection Aware Group. The Host IPS Firewall will now use the IP address, instead of the MAC address, when matching traffic for Connection Aware Groups.

Issue: The Host IPS client does not block all SQL injections on a single IIS 6 server hosting multiple sites. (Reference: 419431)

Resolution: The ISAPI filter stub tracked the engine status using a single value even when multiple instances of the stub were loaded. Each ISAPI filter stub instance now tracks its respective engine status.

Issue: System stops responding or ‘hangs’ at shutdown due to incompatibility with NetMotion VPN. (Reference: 426645)

Resolution: In certain circumstances, a specific Windows API used during shutdown caused the system to stop responding. This API is no longer used during shutdown.

Issue: TCP traffic is blocked when firewall rules use short path names. (Reference: 414249)

Resolution: The firewall drivers, which failed to convert a short path name to a long form, now obtain a long form of a short path name before matching the rules.

Issue: System fails when launching Alerton Envision for BACtalk. (Reference: 390326)

Resolution: The FireHk driver that was called used an incorrect user-defined field, which caused system instability. The FireHk driver now uses the correct user-defined field.

Issue: Veritas NetBackup v6.0 backups fail when Host IPS 7.0 is installed. (Reference: 388382, 390848)

Resolution: An internal memory pool became exhausted during NetBackup operations, which caused the backups to fail. The internal memory pool is now dynamically allocated to provide additional resources.
0 Kudos
Level 9

RE: HIPS 7 Patch 6 is out now

Issue: The Host IPS firewall may block communication between the client and ePolicy Orchestrator when the firewall receives a corrupt or incomplete policy. (Reference: 400824)

Resolution: ePolicy Orchestrator Agent 3.6, Hotfix 9 or later provides a method to ensure that the ePolicy Orchestrator Agent and the ePolicy Orchestrator server maintain communication when the Host IPS firewall is active. This hotfix provides to the Host IPS 7.0 client the DNS name, IP address, and communication port of the managing ePolicy Orchestrator server. The Host IPS client uses this information to generate specific firewall rules that allow inbound and outbound communication between the client and the ePolicy Orchestrator server.

Issue: The Host IPS firewall blocks Cisco VT Advantage traffic. (Reference: 391415, 391418)

Resolution: The Host IPS firewall now recognizes the Cisco Discovery Protocol (CDP) and no longer blocks the traffic. Additionally, the Host IPS 7.0 firewall no longer blocks unrecognized protocols when the firewall is disabled.

Issue: The Windows logon screen does not appear at system startup. (Reference: 397270)

Resolution: A circular dependency was created between the Host IPS service and Lsass.exe when the Host IPS service attempted to update Windows Security Center. The circular dependency caused a deadlock which prevented the system from completing its initialization. The circular dependency has been removed.

Issue: Establishing a VPN connection to a Windows 2003 RAS server triggers signature 3723. (Reference: 387470)

Resolution: Signature 3723 was triggered when the request packet length of the Point-to-Point Tunneling Protocol (PPTP) connection did not match the expected size. The signature has been modified to accommodate this usage.

Issue: The Host IPS client periodically drops network connections. (Reference: 401561)

Resolution: The receive buffer on the client exhausted its available resources. The memory is now dynamically allocated and provides for additional resources.

Issue: Svchost.exe fails during upgrade from Host IPS 6.1 to Host IPS 7.0. (Reference: 396792)

Resolution: A call in the Microsoft NDIS driver returns an incorrect buffer value, which leads to system instability. A workaround was created to obtain the correct information.

Issue: FireSvc.exe and HIPSvc.exe exhibit high CPU usage. (Reference: 393045)

Resolution: A third party management application failed to enumerate software keys because an incorrect value was being reported. The value reported when software keys are enumerated is now the correct value.

Issue: A system becomes unstable and restarts after running Microsoft Update. (Reference: 404409)

Resolution: System instability during upgrades was caused by the return of an incorrect number of arguments during certain operations. The correct number of arguments is now returned during an upgrade.

Issue: The Host IPS client leaves open sockets after it blocks a URL. (Reference: 395453)

Resolution: The ISAPI filter on Windows 2003 Server IIS 6.0 caused the browser to wait for a response and the port remained in the ESTABLISHED state. This has been resolved.

Issue: Host IPS firewall and application blocking failed to retrieve the correct paths of applications in NTFS mounted folders. (Reference: 410240)

Resolution: Path-retrieving logic for firewall and application blocking has been extended to support NTFS mounted folders.

Issue: FireSvc.exe processes stop running. (Reference: 406133, 394265)

Resolution: The Host IPS client might stop because of an error managing an internal firewall rule structure. The read buffer overflow has been fixed to prevent this.

Issue: Svchost.exe process fails. (Reference: 387423, 390536)

Resolution: This condition was most commonly observed with network functions such as Active Directory authentication, remote desktop logins, or accessing network shares. Synchronization methods were added to resolve conditions that caused the issues.

Issue: Host IPS client on a system running a Netstructure VPN client is unable to receive a DHCP IP address. (Reference: 358904)

Resolution: The NDIS driver, which was not relaying certain per packet context information to the miniport drivers, now correctly relays the information to the lower drivers.

Issue: System failures occur periodically on systems running Microsoft IIS web server. (Reference: 371434)

Resolution: The Host IPS ISAPI engine, which was not handling some instances of malformed queries correctly, was modified to deal with the queries that caused the system instability.

Issue: FireTray race conditions can trigger access violation exceptions. (Reference: 385561)

Resolution: Related critical section synchronizations were reorganized to remove the race condition.

Issue: The About boxes for the Host IPS client and the ePolicy Orchestrator agent do not report the same Host IPS build number. (Reference: 347352)

Resolution: The Host IPS client build number changed each time a patch or hotfix was applied. The same version number will now be reported after a system restart.

Issue: VPN connections are slowed with some wireless 3G network cards. (Reference: 372089)

Resolution: The McAfee NDIS driver would not accept incorrectly sized or malformed packets, which caused the send packet pool to become depleted. The pool size and maximum packet size values have been increased to handle the error conditions.

Issue: Using ‘*’ as a wildcard in the file name of an Application Blocking rule only works correctly at the beginning of an application name. (Reference: 347342)

Resolution: The ‘*’ wildcard now works correctly in any position in the file name of an Application Blocking rule.

Issue: Patched Host IPS 6.1 clients upgraded to Host IPS 7.0 incorrectly report a Patch level (Reference: 387440)

Resolution: The Host IPS 7.0 client installer did not remove the Patch value when upgrading from Host IPS 6.1 to Host IPS 7.0. The installer now sets the correct Patch value.

Issue: FirePM needs more granular tagging for memory allocations. (Reference: 387600)

Resolution: FirePM now uses different Pgm* memory tags for each memory allocation. (Doc ID# 4709586)

Issue: The size of the Host IPS client Activity Log is not adjustable. (Reference: 387608)

Resolution: You can adjust the Activity Log size by adding the DWORD registry key value (dwMaxEventLogSize) to HKLM\Software\McAfee\HIP. Set a decimal value where the value represents the Activity Log Size in bytes. (Doc ID# 614786)

Host IPS Client 7.0.0 Patch 6 updates only Host IPS Client 7.0.0. It does not update an earlier version. Patch 6 is language independent and updates English and non-English systems. Host IPS 7.0.0 Patch 6 does not require a restart but may cause a brief interruption in network traffic.

To install using ePolicy Orchestrator, add the package to the ePolicy Orchestrator repository. The package will show version ‘Win-6.0.1’. Deploy using an ePolicy Orchestrator agent Update task.

To install locally, run the patch installation application on the target system. To do this:

1. Disable Host IPS protection with an ePolicy Orchestrator delivered policy or in the local client UI.

2. Run McAfeeHIP_ClientPatch6.exe.

3. Enable Host IPS protection.
Version Reporting

Host IPS 7.0.0 Patch 6 clients report Patch – 6.0.1, Hotfix – 6.0.1, and Code Version – in the ePolicy Orchestrator Properties tab for Host Intrusion Prevention 7.0.0.

With ePolicy Orchestrator 3.6 you can use the Product Protection Summary report to determine which clients received Patch 6. Patch 6 clients will report product version 7.0.0.x..6.0.1.

With ePolicy Orchestrator 4.0 you can write a query and search for the Host IPS Plug-in Version. Patch 6 clients will report product version
Known Issues

Issue: Because of internal changes in the operating system, the Application Hooking component of Application Blocking is not supported on Windows 7 at this time.

Workaround: Refer to online knowledgebase article KB65844 for the most current Windows 7 details.

Issue: User/process-specific exceptions do not allow stopping the Host IPS services (FireSvc.exe and HipSvc.exe). (Reference: 371417)

Workaround: Create an exception for all users/processes to stop FireSvc.exe and HipSvc.exe, or disable Signature 1000.

Issue: Loss of network connectivity during Host Intrusion Prevention installation.

Workaround: Refer to online knowledgebase article KB59945 for the most current details.

© 2009 McAfee, Inc. All Rights Reserved.
0 Kudos
Level 7

RE: HIPS 7 Patch 6 is out now

Is there anyone that can tell me if it is possible to test this Patch 6 on a few clients only?

The release notes tell me the client will update if there is an update task in place, and I do not see any option to select or deselect any HIPS patches or anything.

Also looking at I am a bit weary...


Marcel. grin
0 Kudos
Level 11

Re: RE: HIPS 7 Patch 6 is out now

You can do a manual install on any machine, EPO will still manage it fine and shouldn't downgrade it, rules should stay, etc...

Assuming 7.04 extensions is checked in..

0 Kudos
Level 7

Re: RE: HIPS 7 Patch 6 is out now

You can achieve this by checking Patch 6 into the ePO server, then creating a new site in the directory and moving any clients that you want to update into there. Once you have done this, create a new client update task on that site ONLY, and in the schedule include HIPS patches and product updates. NOTE: the reason why you wouldn't see it before is that if you have not previously checked in any patches or updates for a particular product then it will not show in the update choices. Only when a product/update is checked in will it show on the update "products" list.

We use this method of separating update tasks to UAT DAT files / patches / engines before they are fully deployed, and it works well if done correctly.

0 Kudos
Level 12

Re: RE: HIPS 7 Patch 6 is out now

Look into the use of the "Evaluation" branch in EPO.

0 Kudos
Level 7

Re: RE: HIPS 7 Patch 6 is out now

We tried the "EVAL" version by pushing it out through the ePO client task but it doesn't update to patch 6. We tried to do the manual install but the .exe file didn't run (according to the release notes manual install instructions). I was told that if we change the version to "CURRENT" that all the devices will get that update automatically.

0 Kudos
Level 11

Re: RE: HIPS 7 Patch 6 is out now

BTW - HIP 7 Patch 7 posted on March 4, 2010.

0 Kudos
Level 9

Unable to upgrade HIPS 7.0 to HIPS 7.1

I am having problems upgrading from HIPS 7.0 to HIPS 7.1. I don't need to uninstall HIPS 7.0 first correct? My client task is unable to install HIPS 7.1 and then reinstalls 7.0 (HOSTIPS_7000).

Current load:

Benchmark Editor Multi-platform Scan Engine 5.2.0, McAfee Agent, Host Intrusion Prevention, Product Coverage Reports, Policy Auditor Agent 5.2.0, VirusScan Enterprise

I have a default task that installs / checks for the above except for HIPS. I then have a separate task that should install HIPS 7.1.

Info me if I should post this in another location.


0 Kudos