Hi there. I'm trying to upgrade 3500 clients from HIPS 7 Patch 3, to Patch 5.
They have VSE, 8.7, ASE 8.7, CMA 4.0.
For any clean images, the combined HIPS 7 Patch 5 install runs fine.
For any images with HIPS 7 patch 3 NOT RUNNING IN SELF-PROTECT MODE, patch 5 upgrade installs fine.
For any images that are RUNNING IN SELF-PROTECT MODE, patch 5 fails with error code 1603.
Is there any way to install patch 5 overtop patch 3 without disabling Self-protect mode via the EPO server?
Solved! Go to Solution.
It is recommended to disable Host IPS protection prior to installing Patch 5 when you perform the task locally or via a 3rd party tool, if deployed via ePO you should not be required to disabled Host IPS protection.
Host IPS Client 7.0.0 Patch 5 updates only Host IPS Client 7.0.0. It does not update an earlier version.
Patch 5 is language independent and updates English and non-English systems. Host IPS 7.0.0 Patch 5
does not require a restart but may cause a brief interruption in network traffic.
To install using ePolicy Orchestrator, add the package to the ePolicy Orchestrator repository. The package
will show version ‘Win-5’. Deploy using an ePolicy Orchestrator agent Update task.
To install locally, run the patch installation application on the target system. To do this:
1. Disable Host IPS protection with an ePolicy Orchestrator delivered policy or in the local client UI.
2. Run McAfeeHIP_ClientPatch5.exe.
3. Enable Host IPS protection.
Advise if problems persist but it is also highly recommended that you raise this with your assigned support team.
Hope that helps.
Thanks...the problem is that not all 3500 of my clients connect regularly with the EPO server so turning off self-protect mode would only be about 80% effective and since a failed install will be visible to my clients, 20% of 3500 equals a lot of calls.
There is no way to install the patch locally, without disabling IPS?
i think the question should be...
how to disable self-protect mode without disabling IPS?
ive investigated down to rule 1001 and 1002 being the bulk of the blockage, but theres still something else that gets in the way, at least if you have VSE installed on the same machine.
Okay I've learned a few new things.
So... the default for locally installing HIPS is for IPS(self-protect mode) to be enabled.
My company's EPO policy is to disable it once the machines connect to EPO.
So NOW my question is, can I build into my local HIPS install to disable IPS right from installation time...to cover those machines that don't communicate with EPO?
As I recall from my old role, I can set a local policy in the CMA agent for this locally, but can I do it with the HIPS install?