in case you have no workaround in place yet, here's ours (I assume that you have only Win7 workstations).
Though this procedure disables HIPS module, it leaves Firewall module intact. So, this lowers the workstation's protection somewhat, but keeps it usable:
1. Seek to "C:\Program Files\McAfee\HostIntrusion Prevention" and launch McAfeeFire.exe.
2. Select Task -> Unlock User Interface -> type your specific pwd (there ought to be one).
3. Click to clear check-boxes "Enable Host IPS" and "Enable Network IPS".
4. Click Apply and minimize "McAfee Host IntrusionPrevention" window.
5. Click Windows start-button, right-click on Computer and select Manage.
6. In the Computer Management window, on the tree-view,expand "Services and Applications" and select "Services".
7. Scroll down to find McAfee Host Intrusion Prevention Service, double-click on it to open its properties.
8. On General tab, from "Startup type" drop-down list, select "Disabled", and click Apply.
9. Reboot your computer. Symptoms should no longer appear.
Got the same problem here just on Windows 7 devices. With high CPU while using Wireless etc
We too got the patch from tech support. Deployed using ePO. after the patch installed the reported version was 22.214.171.1248 which ties up. Seemed all was ok to start with, but then the high CPU usage for Firesrv.exe started again. We could get it to happen all the time by disconnecting from the corporate network and connecting to a new network.
Windows 7 network selection screen appears and bang firesrv.exe at 100% Vagain.. so for us the patch has not cured anything.
Are you guys still having the issue ? I disabled FW and HIPS from ePO until support could look at these machines. Today when I enable policy on some test machine, the issue will not appear again (go figure). Support wanted some proc and memory dumps.
Same for us, we received the patch from our local support and tested it on the Seven 64 taht has the trouble.
No change around the CPU trouble. Still at 30% with the Patch 2. If we purge the Hips and then reinstall it in Patch 1 version, no trouble at all
So the hotfix doesn't correct this trouble.
Does anybody have an (open) case regarding this ? (feel free to PM me the SR number and I'll try to reference them in mine)
@McAfee: Is there a reference to this issue please ? Then we can dig further and resolve this asap.
I don't suppose anybody has some MER logs laying around before/after the install of the Hotfix ? 🙂
we've got an solution to (at least) our problem: for a reason not to mention here, we had Adaptive Mode at enabled state for both HIPS and Firewall. After disabling these, absolutely no symptoms were to notice anymore.
So, our fix was, that we first disabled Adaptive Modes from ePO, enabled McAfee HIP Service, enforced policies, and presto!
What still is left without an answer, is the possible need for the hotfix. Whether it's needed or not, it doesn't cause any harm. Anyway, feel free to try disabling the Adaptive Modes.
Interesting, we have firewall set to adaptive (IPS enforced) I will give this a try in our environment and see if that helps as well.
the same for me. I've desactivated the adaptative mode on the 7 64bits that had the cpu skike and no trouble after installation. But as long as i don't activate the adaptative mode.
I guess this also applies to Learn mode as I have the problem with Learn mode rather than adaptive mode. I will try disabling and see as well..
Edit: disabling "Learn Mode" also seems to worked as a workaround.
I sure hope we don't have to wait for Patch 3 for a proper fix for this.Message was edited by: JeffGerard on 14/11/12 2:28:46 CST PM
Yes, enabling adaptive mode for any significant length of time can cause severe issues with your deployment. I personally don't recommend using it at all, and instead build your rulesets carefully using alternate methods. Wireshark or Microsoft Network Monitor are excellent tools to use if you are not sure which rules an application needs to operate.
Another example of issues caused by Adaptive Mode is this:
Also, in addition to disabling Adaptive Mode, you should also make sure you are not logging for the Firewall traffic that occurs a lot by default. On one of my test policies I had used the Corporate Rules policy and changed the "Untrusted Netbios Traffic" rules to log instead of block. This was causing the Firewall Module to log traffic nearly constantly which filled up the logs much sooner than expected. This caused significant performance issues on the client, and in some cases the firewall seems to have completely stopped logging anything because the file was full (another SR open for why it was not rolling over).