Has anyone else run into a situation where once a HIPS patch is applied (for example patch 7) the details on the system page still show the old patch until the system or framework service is restarted? I've really started noticing this after checking in patch 7 because of a large discrepancy between the built-in HIPS query in ePO, which uses "Client Version (Host IPS)", and some queries I wrote which use "Hotfix/Patch Version (Host Intrusion Prevention)".
System Details show:
Host Intrusion Prevention
but click on 'More' and you'll see this info which is confirmed when looking at the actual files on the system:
according to the readme the patch and hotfix should be the same:
Host IPS 7.0.0 Patch 7 clients report Patch – 7, Hotfix – 7, and Code Version – 22.214.171.1242 in the ePolicy Orchestrator Properties tab for Host Intrusion Prevention 7.0.0.
With ePolicy Orchestrator 3.6 you can use the Product Protection Summary report to determine which clients received Patch 7. Patch 7 clients will report product version 7.0.0.x..7.
With ePolicy Orchestrator 4.0 you can write a query and search for the Host IPS Plug-in Version. Patch 7 clients will report product version 126.96.36.1992.
yeah - bad news is it seems to require the restart of the agent and then another FULL props wakeup - the inc props doesn't seem to report it back...and this is the information displayed on the main system detail page so if anything it should be updated before the info under 'more'...
from epo patch 2 readme:
Issue: Summary product properties for managed systems such as version number, DAT version and Engine version may be incorrect and not match the detailed product properties which are correct. (Reference: 553913, 550837)
Resolution: The summary product properties now match the detailed product properties and are correct.
The vast majority are 188.8.131.520
The issue goes away with a simple wakeup call so it appears to be a problem with updating those same fields during normal communication.
Check to see if these two regkeys match. If they do match, then it's just a simple matter of performing an Agent Full Wakeup call.
HKLM\Software\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIIPS_7000\Version
HKLM\Software\McAfee\HIP\Version = 184.108.40.2062
HKLM\Software\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIIPS_7000\Version = 220.127.116.112
Yet this is what is displayed on the 'system details' page:
Host Intrusion Prevention
The 'more' detail page shows the correct versions. A wakeup call will fix this, and that is why I've scheduled a query which identifies these mismatches and sends wakeups, but my point is that the correct version should be updated on the main page during the normal ASCI without the need to send a full wakeup.
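
The registry comparison suggested earlier in the thread, as an added PowerShell example that is not part of the original posts or of any McAfee tooling. It assumes `Version` is a value under each key (the thread writes `key\Version = x`) and that a 32-bit install on 64-bit Windows may sit under `WOW6432Node`; the function names are hypothetical.

```powershell
# Added example: compare the two "Version" values named in the thread.
# Key paths are copied from the thread as posted.
$HipsKeys = @{
    Product   = 'HKLM:\Software\McAfee\HIP'
    EpoPlugin = 'HKLM:\Software\Network Associates\ePolicy Orchestrator\Application Plugins\HOSTIIPS_7000'
}

function Get-HipsVersionValue {
    param([string]$KeyPath)
    # Assumption: a 32-bit product on 64-bit Windows may write under WOW6432Node,
    # so try the native registry view first and the redirected view second.
    $redirected = $KeyPath -replace '^HKLM:\\Software\\', 'HKLM:\Software\WOW6432Node\'
    foreach ($candidate in @($KeyPath, $redirected)) {
        $item = Get-ItemProperty -Path $candidate -Name 'Version' -ErrorAction SilentlyContinue
        if ($null -ne $item) { return ([string]$item.Version).Trim() }
    }
    return $null   # key or value missing in both views
}

function Test-HipsVersionSync {
    $product = Get-HipsVersionValue -KeyPath $HipsKeys.Product
    $plugin  = Get-HipsVersionValue -KeyPath $HipsKeys.EpoPlugin

    # Match    : local values agree; a stale ePO summary is the case the
    #            thread says a full wakeup call resolves.
    # Mismatch : the two keys disagree on the client itself.
    # Unknown  : at least one value could not be read.
    $state = if ($null -eq $product -or $null -eq $plugin) {
        'Unknown'
    } elseif ($product -eq $plugin) {
        'Match'
    } else {
        'Mismatch'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ProductVersion = $product
        PluginVersion  = $plugin
        State          = $state
    }
}

Test-HipsVersionSync
```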