cancel
Showing results for 
Search instead for 
Did you mean: 
Reliable Contributor brentil
Reliable Contributor
Report Inappropriate Content
Message 11 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

There's a nasty bug in the HIPS deployment on W8 systems.  We've found that when 8.0.0.2151 deploys to those machines it causes them to infinitely reboot and because there's no safe mode in W8 we have to format and redo the machines because they never talk back into ePO again.  What is strange is we didn't find this with our first wave of W8 test deployments so I'm thinking it might be related to the ePO 5.0 extension update as when we had the base one in place there was no issue but after adding it we started having these endless reboot scenarios.  I actually put a couple new W8 machines into their own group and started deploying everything one at a time testing each machine.  I left HIPS for last as I had a feeling it was it and as soon as it deploys the boot loops begin.  I think HIPS actually installs but it's the 791162 patch that causes the failure on install.  Maybe having
803520 active would prevent this but as we know from this thread it has its own issues.

McAfee Employee ktankink
McAfee Employee
Report Inappropriate Content
Message 12 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution
There's a nasty bug in the HIPS deployment on W8 systems.  We've found that when 8.0.0.2151 deploys to those machines it causes them to infinitely reboot


This reboot issue is caused by a conflict with HIPS 8.0 Patch 2 Host IPS module and Windows 8.  Hotfix 803520 resolves this issue.  The Host IPS module is disabled by default when you install HIPS 8.0, however, if your policy enables the Host IPS module BEFORE you apply HF803520, you'll get the reboot issue.

Solution for Windows 8:

1. Install HIPS 8.0 Patch 2 (8.0.0.2151) and leave Host IPS DISABLED.

2. Apply HF803520.

3. Reboot the system.

4. Then enable the Host IPS module by policy.

ePO tagging can be used to tag systems without the hotfix to assign a policy where the Host IPS module is disabled.  Once the hotfix is applied, a different ePO tag can be applied, assigning a new policy where the Host IPS module is ENABLED.

NOTE: Please remember that Windows 8 is not supported until Host IPS 8.0 Patch 3.

KB76650 - Host Intrusion Prevention 8.0 support for Microsoft Windows 8 and Windows Server 2012

KB77323 - Host Intrusion Prevention 8.0.0 Patch 2 Hotfix Rollup 803520 Release Notes

Message was edited by: ktankink - Spelling correction on 4/4/13 2:00:50 PM CDT

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

Thanks for the responses...the bad news is that this is Win 7 - not Win8 and keep getting the restart requests...it doesn't force me to reboot but HIPS can't get reinstalled and it's not showing in the system.  There are pieces that come back into place when I do a reinstall but no console.

McAfee Employee ktankink
McAfee Employee
Report Inappropriate Content
Message 14 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

That reboot issue might be due to a HIPS installation failure and your ePO deployment task.  If you ePO deployment task is setup to run frequently (At startup or Run at every policy enforcement), and HIPS fails to install, it prompts for a reboot.  System reboots, runs deployment task again, fails, reboots...rinse/repeat.

  • Check to make sure you're not running the HIPS installation too often (disable the Run at every policy enforcement option in the deployment task)
  • Check the C:\Windows\Temp\McAfeeLogs\McAfeeHIP8_Install_########.log file for failures.

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

Yep I discovered that a while back and no it's only running once a day.  Also as for the deployment task, since it's only my system I decided to just download the installer and apply directly...still an issue.

Thanks for the file path on the log in the temp folder...I'm not sure I've looked here before but will now!

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

Have you checked to see if the Reboot splash screen is not being deleted during the install process?  The file C:\Windows\McAfeeHIP_reboot is created during an upgrade or install.  It is supposed to get deleted, but sometimes it isn't so the user will receive the Reboot splash screen.  The user restarts the computer and the splash screen pops up again.  Deleting that file then running the client task again will end with a successful upgrade/install. 

We found this happening a lot when upgrading from HIPS 8 P1 to P2.  It's a pain, but pretty much inevitable on some hosts.  This is an issue that has been around for several years, and doesn't look to go away anytime soon.

We did see rare instances when, after deleting the file, we still had to reboot a host.  But, it was very rare.

Highlighted
bgable
Level 11
Report Inappropriate Content
Message 17 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

We have just released Hotfix 843301 which resolves this issue.

We are in the process of updating McAfee Knowledge Base article KB77809 with this updated information.

Reliable Contributor brentil
Reliable Contributor
Report Inappropriate Content
Message 18 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

I have tested Hotfix 843301 on several of our systems we had test deployed the previous update that was causing issues and the new hotfix is resolving the problems. 

cpcit
Level 9
Report Inappropriate Content
Message 19 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

We have tried to check in HF 843301 to ePO repository and keep getting the error "required package not found". I've downloaded the HF twice from the KB article.

Thanks.

bgable
Level 11
Report Inappropriate Content
Message 20 of 22

Re: HIPS 8 HF 803520 disables Windows Firewall

Jump to solution

Do not extract the package, check in the entire .zip package.  Also, you will need HIP 8.0 Patch 2 + HF803520 already checked into your repository branch before checking in HF843301.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community