HIPS activity log is (sometimes) showing blocked incoming data before the incoming connection is fully established


I've been experiencing a weird problem with the log generated by McAfee HIPS. I wrote a quick Python script that performs 100 requests to a website and, for some reason that I don't understand, I see "blocked incoming traffic" even if the connection is not yet established!

I've uninstalled the Microsoft QoS driver from the wireless card just in case it was interfering with the packet order, and fired up Wireshark to see if my script was doing anything weird, but all requests are made exactly the same way.

I'm using McAfee HIPS build 2919.

Any ideas why it's causing this? Is there a patch available?

Is it a false positive? It looks like it is: the data is received even if it's written as blocked.

Additional information:

1. The script I've used to produce this bug

2. A screenshot from my activity log (look at the blocked incoming data)

3. The raw log file McAfeeFireLog6.txt

EDIT (additional information)

Problem seems to be similar to this one:

However, it looks like it covers all ports and protocols, no matter which interface is being used...

I've tested on HTTPS too, and I'm working on a proof of concept for UDP (DNS, LDAP).

EDIT 2 (additional information)

McAfee HIPS on Windows 8 is randomly sending spurious packets even after a FIN, ACK has been sent by the client.

Wireshark capture screenshot of one of the occurrences that happened


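The poster's script is attached to the thread and not reproduced here. What follows is an added example (not the poster's code and not McAfee's) of the kind of harness that makes this sort of HIPS log anomaly easier to argue about: it opens one fresh TCP connection per request, sends a single GET, reads to EOF, performs an active close so the client sends the FIN, and records a millisecond timestamp plus the ephemeral source port for each phase. Those timestamps and source ports are what you line up against the "blocked incoming" entries in the firewall log and against the Wireshark capture. To keep it self-contained it talks to a throwaway HTTP server on 127.0.0.1 started in a thread; point `run_requests` at a real host and port to reproduce the original setup. The function names, the record keys and the local server are all my own assumptions for this example.

```python
import socket
import threading
import time
from datetime import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer


class _QuietHandler(BaseHTTPRequestHandler):
    """Minimal local target (constructed for this example): answers 200 and closes."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console clean
        pass


def start_local_server():
    """Start the throwaway server on an ephemeral loopback port; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def one_request(host, port, path="/"):
    """One TCP connection: connect, send GET, read to EOF, active close (client sends FIN).

    Returns a dict of phase timestamps (time.time()) plus the source port and HTTP status,
    so each row can be matched against a firewall log entry or a Wireshark stream.
    """
    rec = {}
    with socket.create_connection((host, port), timeout=5) as s:
        rec["connected"] = time.time()          # handshake complete from our side
        rec["src_port"] = s.getsockname()[1]    # ephemeral port = tcp.srcport in Wireshark
        req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(req.encode("ascii"))
        rec["sent"] = time.time()
        data = b""
        while True:                             # read until the server closes
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        rec["received"] = time.time()
        try:
            s.shutdown(socket.SHUT_WR)          # explicit FIN from the client
        except OSError:
            pass                                # peer may already have torn down
    rec["closed"] = time.time()
    rec["status"] = int(data.split(b" ", 2)[1]) if data.startswith(b"HTTP/") else None
    return rec


def run_requests(host, port, count=100):
    """Sequential requests, one connection each, like the script described in the post."""
    return [one_request(host, port) for _ in range(count)]


def format_timeline(records):
    """Human-readable rows (local time with milliseconds) for lining up against the HIPS log."""
    def ts(t):
        return datetime.fromtimestamp(t).strftime("%H:%M:%S.%f")[:-3]
    return [
        f"#{i:03d} src_port={r['src_port']} status={r['status']} "
        f"connected={ts(r['connected'])} sent={ts(r['sent'])} "
        f"received={ts(r['received'])} closed={ts(r['closed'])}"
        for i, r in enumerate(records)
    ]


if __name__ == "__main__":
    srv = start_local_server()
    rows = run_requests("127.0.0.1", srv.server_address[1], count=100)
    srv.shutdown()
    print("\n".join(format_timeline(rows)))
```

When comparing with the log, a "blocked incoming" entry whose timestamp is earlier than the `connected` time for the matching source port is exactly the out-of-order case the post describes; an entry after `closed` corresponds to the post-FIN traffic seen in the capture.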