I'm having an issue on a couple of my physical machines and HIPs. One of the machines is a domain controller and when HIPs is enabled and running i'm not able to login, logout or reboot the machine. It hangs on please wait while notifying event service or something like that. I noticed in the log i get the following error:
"ERROR normalizeSigner() - Failed to normalize signer ="*"
I think i have received that error before, or at least it looks familiar, I think the issue was because i had set "Signer" to "Allow any signature" on my firewall rules. I've went back and looked and cant find that set on any applications. I'm about to go back and review settings that McAfee adds by default (just incase someone accidently changed those). Other than that i'm out of ideas.
Solved! Go to Solution.
Are you running HIPS 8.0 Patch 2 (build 22.214.171.1241) or higher? This was resolved in Patch 2.
PD23957 - Host Intrusion Prevention 8.0 Patch 2 Release Notes
5. Issue: Firewall rule does not trigger when using the "Allow any signature" option. (Reference: 695368)
Resolution: Fixed the digital signature-matching logic.
You can export the HIPS policy and view it with an editor to look for the APPSIGNER entry where the value is set to *. That should give you the specific rule name to go edit in your policy and correct.
<Setting name="+AppSigner#0" value="*" />
You should also be able to go to the machine and use the ClientControl.exe /exportconfig 3....etc to get a view of the exceptions.
You may also find some useful info using the clientcontrol.exe /log option to get some useful logs in C:\Users\All Users\McAfee\Host Intrusion Prevention folder.
Of course, I also see that my HIPS exceptions are on the computer, but it is still popping...so that is a new mystery.