xmarine1743
Level 7

HIPS

On an Air Force network, McAfee Host Intrusion Prevention is installed by the Network Operations Support Center. It is running on XP and Vista systems. We also use Scriptlogic Desktop Authority. Only the XP systems are blowing up at user logon.

In the "Activity" log when I run McAfeeFire.exe, it shows that "Windows Explorer" is blocked; the message is "Attack type:Protect Hips". When Scriptlogic is launched, the screen flashes on and off about 10 times with "Explorer.exe" errors. When you try to input any characters into any window, that window disappears. If I disable HIPS from running, this does not happen at login. It seems that uninstalling, rebooting, and reinstalling HIPS stops this. This is happening on 1800 systems. Looking for an easier fix than the current one; has anyone here had an experience with this?

0 Kudos
2 Replies
apoling
Level 14

Re: HIPS

Hello,

On first look I would say that the HIPS self-defense feature triggers when something from Scriptlogic is being executed by Explorer.exe. I would follow Scriptlogic's policies - I gathered this might be a Windows policy management-type software - to see whether such policy enforcement or rights control might interfere with HIPS. On the other hand I would also check if HIPS has an exclusion feature for this type of rule. Although it seems that HIPS is only seeing explorer.exe and nothing more, which suggests that the offending code is either in a program run by startup or in the registry under HKLM\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, which is also a frequented place for other code to load when explorer.exe loads.

Maybe Scriptlogic has a module that you might not need (very often) which could be removed or disabled from loading from places like above.

Hope I could give an idea.

Attila

0 Kudos
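A read-only way to inventory the load points the reply above mentions, added here as an example and not part of the original thread. It assumes PowerShell 2.0 or later is available on the affected machine, uses the full key path under HKLM\SOFTWARE, and treats the two Run keys as the "run by startup" locations; it does not cover the Startup folder or the Wow6432Node view.

```powershell
# Added example: list code that loads alongside explorer.exe at logon.
# Read-only; nothing is changed. Key choices below are assumptions of this example.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ShellExecuteHook {
    if (-not (Test-Path -LiteralPath $hooksKey)) { return }
    $key = Get-Item -LiteralPath $hooksKey
    foreach ($clsid in $key.GetValueNames()) {
        if (-not $clsid) { continue }            # skip the (Default) value
        # Each hook is registered by CLSID; resolve it to the DLL that explorer.exe loads.
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-Item -LiteralPath $server).GetValue('')
        }
        New-Object PSObject -Property @{
            Source = 'ShellExecuteHook'; Name = $clsid; Target = $dll
        }
    }
}

function Get-RunEntry {
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Source = $path; Name = $name; Target = $key.GetValue($name)
            }
        }
    }
}

# A hook with an empty Target has no registered DLL and is worth a closer look.
@(Get-ShellExecuteHook) + @(Get-RunEntry) |
    Select-Object Source, Name, Target |
    Format-Table -AutoSize -Wrap
```

Comparing the output from a failing XP machine with one where HIPS was reinstalled shows whether a Scriptlogic-related entry differs between the two.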
petersimmons
Level 12

Re: HIPS

Ordinarily I'd say that perhaps this was an example to create an exception. However, I'd really suggest not doing that since a) it involves self-protection of Host IPS itself and b) Windows Explorer is the (shill) trigger. If it wasn't self-protection I'd be more inclined to say "exception" or if you could explicitly identify the known scriptlogic processes involved.

I highly suspect there's a driver conflict here since remote tools like this oftentimes employ add-on video drivers or drivers that look at the video subsystems.

This is a case where you definitely want to open a support ticket. Perhaps there's something on the Host IPS side that can be done.

0 Kudos