
HIPS Blocking Allowed Traffic

I have a system with HIPS 7 installed, and it's blocking traffic for a program which has an Allow rule created in the Firewall rules. At this point, it only seems specific to this one machine, as I've checked it on another, and it's working properly.

The Allow Rule states that TCP traffic inbound/outbound is allowed, but when you look at the Activity Log, the traffic is being blocked.

HIPS 7.0 Patch 2

The blocked program is AEXNSAGENT, which is the Notification Server Agent for Altiris.

Any ideas as to where to start troubleshooting?
4 Replies

RE: HIPS Blocking Allowed Traffic

What happens if you put it in Learning or Adaptive mode? Does it generate a new rule?

In the existing rule, is the application matched by fingerprint or path? Both?

RE: HIPS Blocking Allowed Traffic

It was the same result when trying to create a new rule. We ended up re-installing HIPS, and it seems to be working now. Not sure what happened, but hope it isn't something that's affecting other machines.



RE: HIPS Blocking Allowed Traffic

Are you sure the machine hadn't been patched up to Patch 3?

I had some serious issues with Patch 3 silently blocking traffic that should've otherwise been allowed. Seriously buggy...

- if the machine had learnmode off, the traffic would be blocked and it would NOT log (could prove this was happening by turning the firewall off completely and traffic would go through)

- if the machine was in learnmode, the traffic would be allowed through but without prompting to add a rule, NOR logging as allowed traffic

Terrible. After McAfee looked at our logs and rulesets they basically said our best bet was to remove patch 3 completely...nice! Luckily only had it on 200 pilot machines at that point.

patch 4

A couple of fixes in patch 4 could help or resolve the issue.

Issue: Connection Aware Group matching fails when the incoming traffic destination is localhost. (Reference: 439529)

Resolution: Fixed matching logic of Connection Aware Groups to identify incoming traffic correctly to localhost.

<The fix in this area was seen in a CAG but would occur outside of a CAG as well. It was fixed for all instances. You should run patch 4 in Adaptive mode if you suspect this was the cause. The new rules will now be learned correctly.

Issue: Unrecognized non-IP traffic is not logged. (Reference: 450277)
Resolution: Added logging for unrecognizable non-IP traffic. Both recognized and unrecognized non-IP traffic is now logged.

<This may help you see what is being dropped.