keith2045

HIPS blocking lsass.exe

I'm trying to install HIPS on my domain controllers. I have two, one virtual and the other physical. They are both running Windows 2008 R2 OS.

On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' then I uncheck 'log all allowed' I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

Accepted Solutions
McAfee Employee

Re: HIPS blocking lsass.exe

On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' then I uncheck 'log all allowed' I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

Does the blocked network traffic event show an application? If it does not, then you cannot specify an application in the rule; it must remain blank. If you have an example of the blocked traffic, please post it and I can verify.

keith2045

Re: HIPS blocking lsass.exe

The blocked network traffic does not show an application. I'm not able to pull up the specific information on the traffic at the moment, but it was coming into port 49155 and since that is a dynamic port I can't really open that port. I think my only option is to try and figure out how to limit the range of ports for lsass.exe.

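The check the posts above rely on, finding which process owns a listener in the dynamic port range such as 49155, as an added example that is not part of the thread and is not McAfee's code. The function name `Get-DynamicPortListener`, the sample `netstat` lines and the PID-to-name map are constructed for illustration; the default range 49152-65535 is the Windows Server 2008 R2 default and can be confirmed with `netsh int ipv4 show dynamicport tcp`.

```powershell
# Added example: list TCP listeners inside the dynamic port range and name the
# owning process. Written for PowerShell 2.0, which ships with 2008 R2.
function Get-DynamicPortListener {
    param(
        [string[]]$NetstatLines,            # text from: netstat -ano -p tcp
        [hashtable]$ProcessNames = @{},     # PID -> process name
        [int]$RangeStart = 49152,           # default dynamic range start
        [int]$RangeEnd   = 65535
    )
    foreach ($line in $NetstatLines) {
        # Matches IPv4 and bracketed IPv6 local addresses; only LISTENING rows count.
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port   = [int]$Matches[2]
            $procId = [int]$Matches[3]      # not $pid: that is a read-only automatic variable
            if ($port -lt $RangeStart -or $port -gt $RangeEnd) { continue }
            $name = $ProcessNames[$procId]
            if (-not $name) { $name = '<unknown>' }
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]; Port = $port; PID = $procId; Process = $name
            }
        }
    }
}

# Constructed sample input (not captured from the poster's server).
$sample = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700',
    '  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       512',
    '  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       512',
    '  TCP    [::]:49155             [::]:0                 LISTENING       512',
    '  TCP    10.0.0.5:49200         10.0.0.9:445           ESTABLISHED     4'
)
$names = @{ 512 = 'lsass'; 700 = 'svchost'; 4 = 'System' }

Get-DynamicPortListener -NetstatLines $sample -ProcessNames $names |
    Select-Object Port, LocalAddress, PID, Process

# Live use on the server itself:
#   $map = @{}; Get-Process | ForEach-Object { $map[$_.Id] = $_.ProcessName }
#   Get-DynamicPortListener -NetstatLines (netstat -ano -p tcp) -ProcessNames $map
```

The operating system attributes the listener to a process here, which is separate from whether the HIPS blocked-traffic event records an application; per the accepted answer, a rule can only name an application when the event does.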
keith2045

Re: HIPS blocking lsass.exe

Kary Tankink wrote:

On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' then I uncheck 'log all allowed' I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

I've upgraded HIPS to 8.0.0.4422 and still notice this issue. Any other suggestions? When this happens I've noticed that it allows traffic in that is normally blocked.