andymease
Level 10

HIPS versions mismatch

Has anyone else run into a situation where once a HIPS patch is applied (for example patch 7) the details on the system page still show the old patch until the system or framework service is restarted? I've really started noticing this after checking in patch 7 because of a large discrepancy between the built-in HIPS query in ePO, which uses "Client Version (Host IPS)", and some queries I wrote which use "Hotfix/Patch Version (Host Intrusion Prevention)".

Example:

System Details show:

Host Intrusion Prevention

Product Version 7.0.0.953
Language English
Hotfix/Patch Version 3.0.5
Service Pack

but click on 'More' and you'll see this info which is confirmed when looking at the actual files on the system:

ProductVersion 7.0.0.1102
CodeVersion 7.0.0.1102
Hotfix 7
Patch 7
PluginVersion 7.0.0.1102

according to the readme the patch and hotfix should be the same:

Version Reporting

Host IPS 7.0.0 Patch 7 clients report Patch – 7, Hotfix – 7, and Code Version – 7.0.0.1102 in the ePolicy Orchestrator Properties tab for Host Intrusion Prevention 7.0.0.

With ePolicy Orchestrator 3.6 you can use the Product Protection Summary report to determine which clients received Patch 7. Patch 7 clients will report product version 7.0.0.x..7.

With ePolicy Orchestrator 4.0 you can write a query and search for the Host IPS Plug-in Version. Patch 7 clients will report product version 7.0.0.1102.

0 Kudos
9 Replies
HupSkiDup
Level 11

Re: HIPS versions mismatch

I have noticed similar, never looked into it, great job finding it.

0 Kudos
andymease
Level 10

Re: HIPS versions mismatch

yeah - bad news is it seems to require the restart of the agent and then another FULL props wakeup - the inc props doesn't seem to report it back...and this is the information displayed on the main system detail page so if anything it should be updated before the info under 'more'...

Andrew

0 Kudos
andymease
Level 10

Re: HIPS versions mismatch

FYI - http://community.mcafee.com/message/135309#135309

from epo patch 2 readme:

Issue: Summary product properties for managed systems such as version number, DAT version and Engine version may be incorrect and not match the detailed product properties which are correct. (Reference: 553913, 550837)

Resolution: The summary product properties now match the detailed product properties and are correct.

0 Kudos
andymease
Level 10

Re: HIPS versions mismatch

Well we applied ePO Patch 3 and are still seeing this issue with HIPS versioning...was this fix only for VSE?

Andrew

0 Kudos
McAfee Employee

Re: HIPS versions mismatch

What McAfee Agent build are you running?

0 Kudos
andymease
Level 10

Re: HIPS versions mismatch

The vast majority are 4.5.0.1270 

The issue goes away with a simple wakeup call so it appears to be a problem with updating those same fields during normal communication.

Andrew

0 Kudos
McAfee Employee

Re: HIPS versions mismatch

Check to see if these two regkeys match. If they do match, then it's just a simple matter of performing an Agent Full Wakeup call.

HKLM\Software\McAfee\HIP\Version

&

HKLM\Software\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIIPS_7000\Version

0 Kudos
andymease
Level 10

Re: HIPS versions mismatch

Example machine:

HKLM\Software\McAfee\HIP\Version = 7.0.0.1102

HKLM\Software\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIIPS_7000\Version = 7.0.0.1102

Yet this is what is displayed on the 'system details' page:

Host Intrusion Prevention

Product Version 7.0.0.953
Language English
Hotfix/Patch Version 3.0.5
Service Pack

The 'more' detail page shows the correct versions. A wakeup call will fix this, and that is why I've scheduled a query which identifies these mismatches and sends wakeups, but my point is that the correct version should be updated on the main page during the normal ASCI without the need to send a full wakeup.

Andrew

0 Kudos
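The check described in the two posts above (compare the two registry Version values, then send a full wakeup only where the ePO summary lags behind), written out as an added example that is not part of the original thread and not McAfee's or the poster's own query. The CSV layout, its column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export (hypothetical format): one row per system.
# reg_hip / reg_plugin stand for the two registry Version values named in the
# thread; epo_summary stands for the Product Version on the system details page.
SAMPLE_EXPORT = """system,reg_hip,reg_plugin,epo_summary
WS-001,7.0.0.1102,7.0.0.1102,7.0.0.953
WS-002,7.0.0.1102,7.0.0.1102,7.0.0.1102
WS-003,7.0.0.1102,7.0.0.953,7.0.0.953
WS-004,,7.0.0.1102,7.0.0.1102
"""

def parse_version(text):
    """Turn '7.0.0.1102' into (7, 0, 0, 1102); return None if blank or malformed."""
    parts = (text or "").strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Apply the thread's check: registry values first, then the ePO summary."""
    hip = parse_version(row["reg_hip"])
    plugin = parse_version(row["reg_plugin"])
    summary = parse_version(row["epo_summary"])
    if hip is None or plugin is None:
        return "missing-registry-data"
    if hip != plugin:
        # The thread only covers the matching case; this branch flags the
        # system for manual review rather than a wakeup (an assumption).
        return "registry-mismatch"
    if summary != hip:
        return "full-wakeup"  # client is consistent, ePO summary is stale
    return "consistent"

def triage(export_text):
    """Return {system: status} for every row in the export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["system"]: classify(row) for row in reader}

if __name__ == "__main__":
    for system, status in triage(SAMPLE_EXPORT).items():
        print(f"{system}: {status}")
```

Comparing parsed tuples rather than raw strings keeps a malformed or blank value from being treated as a valid version that simply differs.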
McAfee Employee

Re: HIPS versions mismatch

Make sure you're running a recent HIPS 7.0 extension (7.0.5 is the latest), but this appears to be a McAfee Agent (or ePO) issue, not HIPS.

0 Kudos