Former Member
Message 1 of 4

HIPS blocking lsass.exe


I'm trying to install HIPS on my domain controllers. I have two, one virtual and the other physical. They are both running Windows 2008 R2 OS.

On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' and then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception, but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

1 Solution

Accepted Solutions
ktankink
McAfee Employee
Message 2 of 4

Re: HIPS blocking lsass.exe

> On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' and then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

> Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception, but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

Does the blocked network traffic event show an application? If it does not, then you cannot specify an application in the rule; it must remain blank. If you have an example of the blocked traffic, please post it and I can verify.


Former Member
Message 3 of 4

Re: HIPS blocking lsass.exe


The blocked network traffic does not show an application. I'm not able to pull up the specific information on the traffic at the moment, but it was coming into port 49155, and since that is a dynamic port I can't really open that port. I think my only option is to try and figure out how to limit the range of ports for lsass.exe.
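
The following PowerShell is an added example, not written by any poster in this thread and not McAfee guidance. It lists the TCP ports lsass.exe is listening on and flags those in the Windows dynamic range, then pins the NTDS and Netlogon RPC endpoints to fixed ports using the registry values Microsoft documents for restricting Active Directory RPC traffic, so that a port-only firewall rule (application left blank) can be written. Ports 50000 and 50001 are placeholder values chosen for illustration, and the parsing assumes English-language netstat output.

```powershell
# Added example; written for PowerShell 2.0 (Windows Server 2008 R2), elevated prompt.

# Step 1: which TCP ports is lsass.exe listening on, and which are dynamic?
$lsassPid = (Get-Process -Name lsass).Id
$dynStart = 49152   # default dynamic range on Windows Server 2008 and later;
$dynEnd   = 65535   # confirm with: netsh int ipv4 show dynamicport tcp

netstat -ano -p tcp | ForEach-Object {
    # Data rows look like: TCP  0.0.0.0:49155  0.0.0.0:0  LISTENING  <pid>
    # "LISTENING" is the English state string (assumption: English OS).
    $f = $_.Trim() -split '\s+'
    if ($f.Count -eq 5 -and $f[3] -eq 'LISTENING' -and $f[4] -eq "$lsassPid") {
        $port = [int]($f[1] -replace '^.*:', '')
        New-Object PSObject -Property @{
            Port           = $port
            LocalAddress   = $f[1]
            InDynamicRange = ($port -ge $dynStart -and $port -le $dynEnd)
        }
    }
} | Sort-Object Port

# Step 2: pin the AD replication (NTDS) and Netlogon RPC endpoints.
# 50000 and 50001 are placeholders; pick unused ports that suit your environment.
$ntdsPort     = 50000
$netlogonPort = 50001

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -PropertyType DWord -Value $ntdsPort -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -PropertyType DWord -Value $netlogonPort -Force | Out-Null

# Step 3: restart the domain controller, then rerun step 1. Any lsass.exe
# listener still flagged InDynamicRange belongs to an RPC interface that these
# two values do not cover. Allow the fixed ports (plus TCP 135 for the RPC
# endpoint mapper) with port-based rules that leave the application blank.
```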

Former Member
Message 4 of 4

Re: HIPS blocking lsass.exe


Kary Tankink wrote:

> > On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' and then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.
>
> Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

I've upgraded HIPS to 8.0.0.4422 and still notice this issue. Any other suggestions? When this happens I've noticed that it allows traffic in that is normally blocked.
