I am attempting to install an Adobe application, but I cannot install it because HIPS is blocking it. I've created a Firewall Rule:
Action: Allow
Direction: Either
Media: All types
Protocol: TCP/IPv4 and 6
Local Networks: All vlans on our network
Remote Service: 80, 443
Applications: ConnectSetup.exe
When I apply the policy to a test device, I see that it is being blocked from installation within the HIPS logs:
Event: Traffic
IP Address/User: 23.46.61.118
Description: Connect App web Setup (ConnectSetup.exe)
Path: C:\Users\\Downloads\ConnectSetup.exe
Message: Blocked Outgoing TCP - Source : (51807) Destination 23.46.61.118 : https (443)
Matched Rule: 443_OUT_BLOCK
Hi @Jdtjordan1983,
Thank you for your post. Looks like the Rule: 443_OUT_BLOCK is placed higher than the allow rule you have created. I would request you to look into the policy in place to confirm the same. Please keep us posted!
Hi @Jdtjordan1983,
This suggestion is due to the fact that we process our Firewall Rules from top to bottom. So if you prefer allowing any application because of it being blocked by one of your rules, you need to place the allow rule on top of the block rule for it to take effect. I sincerely hope this helps! 🙂
Good morning @AdithyanT,
I've placed the firewall rule I created right above the 443_Out_Block rule, but I am still unable to install the application.
Hi @Jdtjordan1983,
Thank you for your response. This would mean that the allow rule criteria is not being met by the traffic generated by the application.
The best logic to follow here is to relax the rule from being specific to generic on each category. I would start with this part: Local Networks: All vlans on our network
Have you tried the below KBA:
How to troubleshoot a network-facing application or traffic that the Host Intrusion Prevention firewall is blocking: https://kc.mcafee.com/corporate/index?page=content&id=KB67055
Also, Adaptive mode might come in handy to learn the rule that is required here. Please let me know if this is of any help to you; otherwise, logging a support case would be the best way to go here.
@Jdtjordan1983 Can you please verify how you defined the ConnectSetup.exe inside the FW rule? A common misconfiguration is defining the incorrect FILE DESCRIPTION value (if used).
KB71735 - Purpose of the executable File Description field in Endpoint Security Firewall and Host Intrusion Prevention
Check and see when the last time that system successfully pulled an update from the ePO. The exception may be correct but HIPS may not be functioning properly.
I've built a new ePO server; we're at version 5.10 now. I'm still experiencing the same issue as previously.
Hi @Jdtjordan1983,
Thank you for updating us. I am not sure if an ePO upgrade would resolve this issue. I would recommend creating a Service Request so that we can have a better investigation via the logs for you to resolve this issue.
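The top-to-bottom rule processing and the "allow rule criteria not being met" diagnosis from the replies above, as an added example that is not part of the original thread and is not McAfee's implementation. It is a simplified first-match model that reports which criteria of a skipped allow rule failed; the rule name ALLOW_ConnectSetup, the 10.0.0.0/8 network, the local IP and both File Description strings are constructed assumptions.

```python
import ipaddress

# Simplified model of first-match, top-to-bottom evaluation (not McAfee's code).
def mismatches(rule, conn):
    """Return the rule criteria this connection fails; [] means the rule matches."""
    bad = []
    if rule.get("direction", "either") not in ("either", conn["direction"]):
        bad.append("direction")
    if "remote_ports" in rule and conn["remote_port"] not in rule["remote_ports"]:
        bad.append("remote_ports")
    if "local_networks" in rule:
        ip = ipaddress.ip_address(conn["local_ip"])
        if not any(ip in ipaddress.ip_network(n) for n in rule["local_networks"]):
            bad.append("local_networks")
    if "file_description" in rule and rule["file_description"] != conn["file_description"]:
        bad.append("file_description")
    return bad

def evaluate(rules, conn):
    """Return (name of first matching rule, {skipped rule: failed criteria})."""
    skipped = {}
    for rule in rules:
        bad = mismatches(rule, conn)
        if not bad:
            return rule["name"], skipped
        skipped[rule["name"]] = bad
    return None, skipped

# Constructed sample data. Only the port, the direction and the 443_OUT_BLOCK
# rule name come from the thread's log; every other value is an assumption.
RULES = [
    {"name": "ALLOW_ConnectSetup", "action": "allow", "direction": "either",
     "remote_ports": {80, 443}, "local_networks": ["10.0.0.0/8"],
     "file_description": "ConnectSetup.exe"},
    {"name": "443_OUT_BLOCK", "action": "block", "direction": "out",
     "remote_ports": {443}},
]
CONN = {"direction": "out", "remote_port": 443, "local_ip": "192.168.1.20",
        "file_description": "Connect App web Setup"}

def relaxed(rule, criteria):
    """Copy of rule with the named criteria removed (made generic)."""
    return {k: v for k, v in rule.items() if k not in criteria}

if __name__ == "__main__":
    winner, skipped = evaluate(RULES, CONN)
    print(winner, skipped)  # the allow rule is on top but is skipped
    fixed = [relaxed(RULES[0], skipped["ALLOW_ConnectSetup"])] + RULES[1:]
    print(evaluate(fixed, CONN)[0])
```

Once the mismatched criterion is identified, tighten it back to the correct specific value instead of leaving the allow rule generic.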