kink80
Level 12

HIPS Event Log


One of my machines is logging an event every 2-3 seconds as a Blocked Incoming UDP event. We are running HIPS 7.0.0.953 with Patch/Hotfix 3.0.5. The application listed is ntoskrnl.exe. We have run a full scan on this machine with McAfee VSE 8.7i DAT 5872 and it found nothing. Also ntoskrnl.exe is not running as a process on the machine. Has anyone run into this before?


Accepted Solutions
bgable
Level 11

Re: HIPS Event Log


Depending on the port, it could be netbios-ns traffic on 137.  The system (ntoskrnl.exe) would show up as the associated application.

BTW. the latest patch release is patch 6 (7.0.0.1070) and patch 7 is expected to release in March.   I would advise upgrading to the most current patch release if you can.

kink80
Level 12

Re: HIPS Event Log


Looks like you may be right. Now that I looked at the HIPS event log, all of the blocked IPs are coming from a specific local subnet. We have not upgraded the HIPS client because we are in a healthcare setting and when the new HIPS client is deployed it drops the network connection for 20-30 seconds. We have been putting this off for that reason. From what I understand this is not going to change in the future either, and McAfee states that it changed its installation method to be compliant with Microsoft's standards.

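Added example, not from the thread or from McAfee: a small Python triage script that sorts blocked incoming UDP events into netbios-ns (port 137) traffic from the local subnet, which is the benign explanation bgable offered, versus anything else worth a second look. The log line layout, the local subnet and the sample lines are constructed assumptions, not the real HIPS 7 event log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed layout:
# timestamp,event,protocol,source IP,destination port,application
SAMPLE_LOG = """\
2010-01-27 08:40:01,Blocked Incoming,UDP,192.168.10.23,137,ntoskrnl.exe
2010-01-27 08:40:04,Blocked Incoming,UDP,192.168.10.41,137,ntoskrnl.exe
2010-01-27 08:40:06,Blocked Incoming,UDP,192.168.10.23,137,ntoskrnl.exe
2010-01-27 08:40:09,Blocked Incoming,UDP,203.0.113.7,137,ntoskrnl.exe
2010-01-27 08:40:11,Blocked Incoming,UDP,192.168.10.41,1434,ntoskrnl.exe
"""

LOCAL_SUBNET = ipaddress.ip_network("192.168.10.0/24")  # assumed local subnet
NETBIOS_NS_PORT = 137

LINE_RE = re.compile(
    r"^(?P<ts>[^,]+),(?P<event>[^,]+),(?P<proto>[^,]+),"
    r"(?P<src>[^,]+),(?P<dport>\d+),(?P<app>.+)$"
)


def parse_events(text):
    """Parse the assumed log layout into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["src"] = ipaddress.ip_address(d["src"])
        events.append(d)
    return events


def classify(ev, local_net=LOCAL_SUBNET):
    """Return a triage label for one event."""
    if ev["proto"] != "UDP" or ev["event"] != "Blocked Incoming":
        return "other"
    if ev["dport"] == NETBIOS_NS_PORT and ev["src"] in local_net:
        return "local-netbios-ns"  # expected LAN name-service chatter
    if ev["dport"] == NETBIOS_NS_PORT:
        return "external-netbios-ns"  # NetBIOS from outside the LAN: check it
    return "review"  # other blocked UDP: look at port and source


def triage(text, local_net=LOCAL_SUBNET):
    """Count events per triage label so the recurring noise stands out."""
    return dict(Counter(classify(e, local_net) for e in parse_events(text)))
```

Running `triage(SAMPLE_LOG)` on the constructed lines shows three local netbios-ns hits, one external one and one unrelated port, which is the split a practitioner would want before deciding the events are just name-service noise.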
bgable
Level 11

Re: HIPS Event Log


The HIP 7.0 firewall NDIS intermediate miniport filter is based on NDIS 5.0 spec.  Basically when any 5.0 NDIS driver install or uninstall occurs, the operating system must tear down the network stack and restack it with the new NDIS driver.

The HIP 8.0 product will be built on NDIS 6.0 spec which adds the functionality of 'state' awareness for NDIS drivers.

So, any 6.0 spec NDIS driver can be "paused" or "resumed" during another's install or uninstall.

Hence, the network stack does not need to be torn down by the operating system and no loss of network connectivity will occur.  8.0 will ship in Q310.

Message was edited by: bgable on 1/27/10 8:43:04 AM PST
kink80
Level 12

Re: HIPS Event Log


Thanks for the update on NDIS specs. That will be a great benefit for us in HIP 8.0.

kink80
Level 12

Re: HIPS Event Log


But does this still mean that when we upgrade from 7.0.953 to version 8 the stacks will still be torn down?

McAfee Employee

Re: HIPS Event Log


A HIPS upgrade comprises an uninstall of the existing install and then an install of the newer version. The uninstall of HIPS 7 would need to tear down the networking stack.
