We are seeing some random issues on a handful of our servers, at different times. The issues have the same behavior: HIPS starts blocking outgoing connections (database, DNS, etc.). When we check the HIPS logs, they show the traffic pattern as backwards.
For example, we have a web server (Windows 2012R2 virtual); all outgoing traffic is allowed. It can normally make a call to our database server (Windows 200R2 - no firewall). The source port on the web server is a random high port; the destination port on the SQL server is 1433. When the issue is occurring, we see logs similar to below (I masked the IP):
As you can see, this appears to be seeing the connection as initiating from the SQL server. Once we rebooted the web server, everything was back to normal. This happens on 2-3 servers at random times. I figure one of 2 things is happening: 1) McAfee has an issue where it sees outgoing traffic as incoming. 2) The return connection from the destination is being seen as a new connection, rather than open.
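
One way to test the second hypothesis against exported firewall events, as an added example that is not part of the original post: it marks each blocked inbound event as a reply to an outbound flow already seen, a probable reply (remote port is a service port, local port is in the dynamic range), or genuine inbound traffic. The CSV layout, field names and verdict labels are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample events (not real HIPS output; field names are assumptions).
SAMPLE_LOG = """time,action,direction,local_ip,local_port,remote_ip,remote_port
10:00:01,allow,out,192.0.2.10,51234,192.0.2.20,1433
10:00:02,block,in,192.0.2.10,51234,192.0.2.20,1433
10:00:05,block,in,192.0.2.10,52001,192.0.2.53,53
10:00:09,block,in,192.0.2.10,3389,198.51.100.7,40111
10:00:12,allow,out,192.0.2.10,53100,192.0.2.20,1433
"""

SERVICE_PORTS = {53, 1433}  # DNS and SQL Server, the services named in the post
EPHEMERAL_MIN = 49152       # start of the default Windows dynamic port range


def classify_blocks(log_text):
    """Return (time, verdict) for every blocked inbound event, in log order."""
    outbound_flows = set()  # 4-tuples of outbound connections that were allowed
    results = []
    for row in csv.DictReader(io.StringIO(log_text)):
        flow = (row["local_ip"], int(row["local_port"]),
                row["remote_ip"], int(row["remote_port"]))
        if row["direction"] == "out" and row["action"] == "allow":
            outbound_flows.add(flow)
            continue
        if row["action"] != "block" or row["direction"] != "in":
            continue
        if flow in outbound_flows:
            # Same 4-tuple as an outbound flow: the reply was treated as new.
            verdict = "reply-to-tracked-outbound"
        elif flow[3] in SERVICE_PORTS and flow[1] >= EPHEMERAL_MIN:
            # Client-style local port talking to a service port on the remote.
            verdict = "probable-reply"
        else:
            verdict = "genuine-inbound"
        results.append((row["time"], verdict))
    return results


if __name__ == "__main__":
    for when, verdict in classify_blocks(SAMPLE_LOG):
        print(when, verdict)
```

A run of "reply" verdicts that starts at one point and ends at the reboot would point at lost connection state on the host rather than at the rule set.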