dzemdegs

HIPS and sccm (configmgr) client agent installation

Greetings,

We are getting problems installing the configmgr 2007 agent, and it appears to be HIPS, as we can install without any problems when we disable HIPS. The issue is that msiexec is trying to register DLLs, which HIPS doesn't like. Strange thing is that 75% of machines install OK even with HIPS installed.

I just wanted to confirm that there are only 3 answers to our problem:

Don't use McAfee - We cannot do that one

Exclude msiexec (Windows Installer) - We would not be allowed to do that one

Upgrade to HIPS v8 - we are currently running version 7. Can anyone confirm that v8 will definitely fix the problem? And if so, how is v8 different that it now allows DLL registration by msiexec?

Thanks

David

McAfee Employee

HIPS 7.0 has an architecture issue with msiexec.exe.  This has been resolved in HIPS 8.0.  The only workarounds with HIPS 7.0 are to disable the Host IPS module when performing any MSI-based actions, or implement the workaround in the below KB article.

See: KB60391 - Third-party software fails to install with Host Intrusion Prevention 7.0 IPS module enabled

dzemdegs

Thanks for your response. I'd be interested to know why 75% of installations succeed. Does HIPS use some kind of fuzzy logic to detect the number of DLL registrations within a given amount of time?

Cheers

David

McAfee Employee

It has to do with the process injection into short-lived msiexec processes.  Sometimes msiexec spawns non-short-lived processes and HIPS handles those threads fine.

dzemdegs

Thanks - We are unable to install V8. Therefore it appears that disabling the Host IPS module temporarily for the duration of the install is the only way we can do this.

Do you have a KB article that describes how to do this? Remembering that the service is configured to be unstoppable and unpausable - we are looking to create an MSI wrapper that programmatically disables HIPS, installs the agent, then re-enables HIPS. This MSI will run under the SYSTEM context during machine startup. So we need actual programming sequence code - is that available? I'm thinking that it may be a regedit then stopping service(s)?

Thanks

David

dzemdegs

After a bit more digging, would I be able to do this by downloading the clientcontrol utility, executing a /stop, installing my agent, then executing a /start?

McAfee Employee

Yes, the Host IPS ClientControl tool is the utility I would recommend using.

PD22145 - Host Intrusion Prevention - Client Control Utility information

dzemdegs

Thanks Kary - You have been enormously helpful!

One last thing - To run this utility with the /stop switch you need a password. What tool is used to find/set this password? Is it a password that stays the same until you reset it or is it a password that automatically changes on a regular basis? All the doco says is that it is an "administrator or time based" password.

Thanks

David Z

McAfee Employee

Yes, it is the HIPS Administrator password set by ePO policy or a generated time-based password.

dzemdegs

Sorry to trouble you again - our security team has never dealt with this before and are having trouble finding this in their documentation.

Exactly how do you generate a time based password for use by the clientcontrol utility and how long does the password last? Is the time also configurable? Do you have a link to any doco that describes in detail how to configure the time based password please?

Thanks heaps

David Z
