jase4867
Level 7

HIPS Blocking Allowed Traffic

I have a system with HIPS 7 installed, and it's blocking traffic for a program which has an Allow rule created in the Firewall rules. At this point, it only seems specific to this one machine, as I've checked it on another, and it's working properly.

The Allow Rule states that TCP traffic inbound/outbound is allowed, but when you look at the Activity Log, the traffic is being blocked.

HIPS 7.0 Patch 2

The blocked program is AEXNSAGENT, which is the Notification Server Agent for Altiris.

Any ideas as to where to start troubleshooting?
0 Kudos
4 Replies
woodsjw
Level 7

RE: HIPS Blocking Allowed Traffic

What happens if you put it in Learning or Adaptive mode? Does it generate a new rule?

In the existing rule, is the application matched by fingerprint or path? Both?
0 Kudos
jase4867
Level 7

RE: HIPS Blocking Allowed Traffic

It was the same result when trying to create a new rule. We ended up re-installing HIPS, and it seems to be working now. Not sure what happened, but hope it isn't something that's affecting other machines.

Thanks,

Jason
0 Kudos
bxs
Level 7

RE: HIPS Blocking Allowed Traffic

Are you sure the machine hadn't been patched up to Patch 3?

I had some serious issues with Patch 3 silently blocking traffic that should've otherwise been allowed. Seriously buggy...

- if the machine had learnmode off, the traffic would be blocked and it would NOT log (could prove this was happening by turning the firewall off completely and traffic would go through)

- if the machine was in learnmode, the traffic would be allowed through but without prompting to add a rule, NOR logging as allowed traffic

Terrible. After McAfee looked at our logs and rulesets they basically said our best bet was to remove patch 3 completely...nice! Luckily only had it on 200 pilot machines at that point.
0 Kudos
exesys
Level 7

patch 4

A couple of fixes in patch 4 could help or resolve the issue.

Issue: Connection Aware Group matching fails when the incoming traffic destination is localhost. (Reference: 439529)

Resolution: Fixed matching logic of Connection Aware Groups to identify incoming traffic correctly to localhost.

<the fix in this area was seen in a CAG but would occur outside of a CAG as well. It was fixed for all instances. You should run patch 4 in Adaptive mode if you suspect this was the cause. The new rules will now be learned correctly.

Issue: Unrecognized non-IP traffic is not logged. (Reference: 450277)
Resolution: Added logging for unrecognizable non-IP traffic. Both recognized and unrecognized non-IP traffic is now logged.

<This may help you see what is being dropped.
0 Kudos
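Two things in this thread are worth turning into a repeatable check: bxs's method of proving a silent block (traffic fails with the host firewall on, succeeds with it off, and nothing shows in the log), and the patch 4 item about inbound matching failing when the destination is localhost. The script below is an added diagnostic, not something from the thread or from McAfee: it opens a TCP listener on the machine, connects back to it through each candidate destination address (127.0.0.1 and the host's own interface address), and reports which ones get through. Run it once with HIPS enforcing and once with the firewall feature disabled, then feed both result sets to `silently_blocked()` to see which destinations the firewall was dropping without a log entry. The listener port, the timeout, and the UDP-socket trick used to discover the interface address are the script's own assumptions; it knows nothing about HIPS rule syntax.

```python
import socket


def local_addresses():
    """Return destination addresses that all point at this host.

    127.0.0.1 is always included. The interface address is discovered with a
    UDP socket 'connected' to a routable address (no packet is sent); if the
    host has no route, only loopback is returned. Both are assumptions made by
    this diagnostic, not anything the HIPS product exposes.
    """
    addrs = ["127.0.0.1"]
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.connect(("10.255.255.255", 1))
        iface = probe.getsockname()[0]
        if iface not in addrs:
            addrs.append(iface)
    except OSError:
        pass  # no usable route: loopback only
    finally:
        probe.close()
    return addrs


def probe_inbound(destinations, port=0, timeout=2.0):
    """Listen on all interfaces, then connect to ourselves via each destination.

    Returns {address: True/False}. Because a loopback connection completes from
    the listen backlog, the server side can be confirmed with a plain accept()
    in the same thread. A destination that fails only while the host firewall
    is enforcing is being blocked at the firewall, whatever the Activity Log
    says (or does not say).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", port))  # port=0 lets the OS pick a free port
    listener.listen(5)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]

    results = {}
    try:
        for addr in destinations:
            client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            client.settimeout(timeout)
            try:
                client.connect((addr, port))
                server_side, _peer = listener.accept()  # consume from backlog
                server_side.close()
                results[addr] = True
            except OSError:
                results[addr] = False  # refused, filtered, or timed out
            finally:
                client.close()
    finally:
        listener.close()
    return results


def silently_blocked(with_firewall, without_firewall):
    """Destinations that fail with the firewall on but succeed with it off.

    Compare against the Activity Log: any address listed here that has no
    corresponding 'blocked' entry was dropped without logging.
    """
    return sorted(
        addr
        for addr, ok in with_firewall.items()
        if not ok and without_firewall.get(addr, False)
    )


if __name__ == "__main__":
    # Run this twice on the affected machine: once with HIPS enforcing and once
    # with the firewall disabled, and save both dictionaries for comparison.
    for addr, ok in probe_inbound(local_addresses()).items():
        print(f"{addr:>15}: {'allowed' if ok else 'BLOCKED'}")
```

The port chosen by `port=0` will not match the fixed port the Altiris agent listens on; pass that port explicitly (or an unprivileged one the rule covers) to exercise the same rule the agent hits. Expect 127.0.0.1 and the interface address to behave identically under a correct rule; a split between them is the symptom the patch 4 localhost-matching fix describes.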