I have a couple of issues after recently installing HIPS 8.
I installed the HIPS 8 extension into my ePO 4.5 server and ran the policy migration wizard, but I have various issues:
When looking at the HIPS Console there is no sign of the HIPS 8 clients I have installed; the client and content version fields are blank.
None of my custom signatures created originally under HIPS 7 work. For example, I have a custom signature that monitors changes to the Hosts file; on a HIPS 8 client with the original HIPS 7 policies (migrated to HIPS 8) applied, when making changes to trigger the signature nothing is sent: the Agent events folder doesn't receive the alert and of course nothing is passed to the ePO server.
If I perform a double extension test then this bit works fine. (It shows an alert in the Threat Event Log of course, not in Host IPS 8.0.)
I also tried to remove the HIPS 7 extensions, but this then gave me errors in the HIPS console stating "This query cannot be displayed because it is in an invalid state".
I have a call logged; I can't run MER or present any of the logs etc. for security reasons.
Anyone else had these issues or have any ideas?
Stef

Message was edited by: StefanT on 11/05/11 14:44:05 IST
I can't help for the custom signatures...
I'm assuming that by "HIPS Console" you mean you have some queries or a dashboard on ePO that shows your HIP versions?
If so, and you have a HIP query that is based on "Client Version", you need to either:
Let me know if this helps or if I misread your question.
Thanks for the reply, yes you guessed right: I meant the HIPS Dashboard.
I've tried your suggestion; if I modify the query to look at Product Version, I can see 8, but then 7 is not listed.
Surely with the HIPS 8 extensions added there should be no need to modify anything? Otherwise every HIP query needs modifying, such as services running etc.
To be more specific, when you are making HIP queries based on "Managed Systems" when you have both the 7.x and 8.x extensions checked in, there are 3 categories you can choose from:
If you choose any of the properties from category 2 or 3, it will only show results from systems with either 7 or 8 installed, not both. If you want a query that shows both HIP 7 and 8 clients, you have to choose a property from the first category (Host Intrusion Prevention Properties):
A query based on this will show machines with both 7 and 8:
And yes, unfortunately for all your other queries, you will have to make separate queries for them. I have no idea why they made it that way, because it makes it a lot more complicated.
Thanks for that, it does indeed allow me to see both versions.
I still have a few gaping holes though, as it still leaves the HIPS dashboards pretty unusable as they are; there is still no way (that I can see) to show content versions, service status etc. for both clients in a shared chart.
Some of my other issues relating to custom signatures not working are down to the fact that:
A) HIPS 7 to 8 policy migration randomly adds wildcard characters to the new file paths (apparently my fault as they were incorrect to start with, but strangely they all worked on 7!)
B) HIPS 8 doesn't support some of the older 7 formats: full paths are now required for executables, registry paths have changed, some wildcard values appear not to work, etc.
So all in all a very disjointed product when it comes to running both HIPS 7 and HIPS 8 on the same ePO system.