Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

Once again, greatscott comes to the rescue!  Thanks for highlighting this - I am currently working through a post related to some specific signature filtering, and a related point to that (to come) post was how people tune HIPS properly (the simple answer is, I suspect that a large number of people are *not* tuning HIPS properly, or as properly as it could be done).  GS - your initial feedback alludes to this enhanced extension being DoD only - is this the case, and if not, is there any way of obtaining this extension, as I haven't seen mention of it before (although I admit I have not had a dig around yet, following the above!).

Cheers,

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

I believe this is DoD only. If I were on the outside looking in, I'd be demanding this functionality. As I said, tuning is nearly impossible without the capability to filter based upon IPS Param Value and IPS Param Names. I would suggest anyone who wants this submit a PER. Strength in numbers.

jj4sec
Message 13 of 33

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

I can't find the feature, so it looks to be DoD.  If that is the case, I'm very disappointed in McAfee that this is an optional feature.

I also posted this to the EPO product manager so I will see how this is evolving.  Thanks for helping.

I need this feature to indeed tune the HIPS events.  Without this, it is impossible to tune it, and it looks like HIPS is just for the happy few, waiting for others to be hacked.

Many thanks for the input.  Now I'm more convinced this must be delivered soon, and it already looks to be available, so we should have this in days ;-).

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

A quick Google for McAfee PER found:

https://secure.mcafee.com/apps/downloads/products/products-enhancement-request.aspx?region=us

and

https://kc.mcafee.com/corporate/index?page=content&id=KB60021 (dated 15 July 2014)

Took the latter option - followed the McAfee customers registration link as it did not accept my McAfee support logon (You can never be sure how systems are linked in the background - it looks like this is indeed separate, and in my opinion should be explicitly called out in the KB).

As an aside, found a PER from Dec 8, 2011 that is 'under review' 🙂

New PER requested - REF: 32137 (Importance set to 'MUST') - I will be forwarding to a number of contacts to push this through, and would advise that others do the same

Title: Enhanced reporting required for Host IPS

Body:

Hi,

As per community post 357808 (https://community.mcafee.com/message/357808), it is believed that non-DoD clients do not have the reporting capability available to them that DoD clients have.  This restriction looks to apply to all Host IPS specific fields, and looks to have a great impact on clients being able to correctly tune the HIPS product, and also respond efficiently to potential attacks.  I cannot see any reason why this functionality would not be available to non-DoD customers, unless the enhanced reporting extensions noted in the community post cannot be fully supported for some reason.  If this is the case, then work really needs to be done on this to ensure that it can be supported - in my opinion McAfee have provided a product that is not possible to use in the way that it needs to be used!

I am happy to talk about this further.

Many thanks,

jj4sec
Message 15 of 33

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

I also have very bad experience with PER.  I escalated 4 weeks ago (mine have not been reviewed since 2010).  An action plan is started.  The backlog should shrink in the coming months, and new PER requests should be given feedback within one month.

If it exists for DoD, then it should be available for everyone, so a PER shouldn't be needed.  I keep updating this one.  I escalated to the ePO product manager.


Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

I don't understand why this is a DoD-only software enhancement.  Tuning HIPS events properly is impossible without this tool.  I'm not even trying to exaggerate here, it is not possible to PROPERLY tune without this functionality.  I suppose you could do it if you had maybe 5 endpoint clients and just looked at their individual events all day, but for those of us who prefer queries, this tool is much needed.  It is a joke that this functionality is not built into the HIPS extension.

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

I think we all agree with your frustration, damageinc - what we need now is for the community to speak via PERs - if you could raise one, cross reference the above, along with this community post, and then get as many people as you can who work with Host IPS to do the same, we may get a push on this one!

shakira
Message 18 of 33

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

I'll chime in here and say the work I do with HIPS would be literally impossible without the use of a popular and powerful log aggregator. We don't touch ePO to dig through events at all.

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

Thanks for chiming in 🙂  The more comments the better, and this helps our cause

For reference, the current status of my above PER is 'Already in product' with no further feedback.  I have escalated with account manager, as I was not overly impressed with that response - we know it is already in the product, but it is not ruddy well available to everybody, which was the purpose of the PER!

jj4sec
Message 20 of 33

Re: HIPS : how to create a query to filter on the "file" of the Host IPS 8.0 Event Information

dmease729

My escalation is still on-going.  The account manager was not so pleased and mentioned PER.  I referred to your experience, so that is no option for me ;-).

I'll keep you informed ;-).  Certainly please all keep on pushing, and yes, CREATE THE PERs.  I hope my escalation to product management works, and if needed I will ask here for the PER numbers to motivate them in delivering this soon.
