On an Air Force network, McAfee Host Intrusion Prevention is installed by the Network Operations Support Center. It is running on XP and Vista systems. We also use ScriptLogic Desktop Authority. XP systems only are blowing up at user logon.

In the "Activity" log, when I run McAfeeFire.exe, it shows that "Windows Explorer" is blocked; the message is "Attack type: Protect Hips". When ScriptLogic is launched, the screen flashes on and off about 10 times and "Explorer.exe" errors. When you try to input any characters into any window, that window disappears. If I disable HIPS from running, this does not happen at login. It seems that uninstalling, rebooting, and reinstalling HIPS stops this. This is happening on 1800 systems. Looking for an easier fix than the current one; has anyone here had any experience with this?
On first look I would say that the HIPS self-defense feature triggers when something from ScriptLogic is being executed by Explorer.exe. I would follow ScriptLogic's policies (I gathered this might be Windows policy management-type software) to see whether such policy enforcement or rights control might interfere with HIPS. On the other hand, I would also check if HIPS has an exclusion feature for this type of rule. Although it seems that HIPS is only seeing explorer.exe and nothing more, which suggests that the offending code is either in a program run at startup or in the registry under HKLM\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, which is also a frequented place for other code to load when explorer.exe loads.
Maybe ScriptLogic has a module that you might not need (very often) which could be removed or disabled from loading from places like the above.
Hope this gives you an idea.
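To act on the suggestion above, an admin needs to know which DLLs Explorer is actually pulling in through ShellExecuteHooks before deciding on an exclusion or a support ticket. The following read-only PowerShell script is an added example and is not code from this thread, from McAfee or from ScriptLogic. It enumerates the ShellExecuteHooks key (the full path is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, plus the Wow6432Node copy on 64-bit hosts), resolves each CLSID to its InprocServer32 DLL and reports whether the file exists and who signed it. It assumes PowerShell 2.0 or later and local administrator rights; the function name Resolve-ShellExecuteHook is the example's own.

```powershell
# Added example (not from the thread): inventory Explorer ShellExecuteHooks and
# show which DLL each CLSID loads into explorer.exe, with its Authenticode signer.
# Read-only: nothing is changed. Requires local admin to read HKLM reliably.

$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    # Present only on 64-bit Windows; XP/Vista x86 hosts simply skip it.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
# CLSID registrations are looked up machine-wide first, then per-user.
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')

function Resolve-ShellExecuteHook {
    param([string]$Clsid)

    foreach ($root in $clsidRoots) {
        $inproc = Join-Path $root "$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $inproc)) { continue }

        # The (default) value of InprocServer32 is the DLL path; expand %SystemRoot% etc.
        $rawDll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        $dll = $null
        if ($rawDll) { $dll = [Environment]::ExpandEnvironmentVariables($rawDll) }
        $name = (Get-ItemProperty -LiteralPath (Join-Path $root $Clsid)).'(default)'

        $exists = $false
        $signer = '<unsigned or missing>'
        $status = 'n/a'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $exists = $true
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        return New-Object PSObject -Property @{
            CLSID  = $Clsid
            Name   = $name
            Dll    = $dll
            Exists = $exists
            Signer = $signer
            Status = $status
        }
    }

    # No InprocServer32 anywhere: a dangling hook that Explorer will fail to load.
    return New-Object PSObject -Property @{
        CLSID = $Clsid; Name = $null; Dll = $null
        Exists = $false; Signer = '<no CLSID registration>'; Status = 'n/a'
    }
}

foreach ($key in $hookKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    Write-Output "== $key =="

    # Value names under ShellExecuteHooks are the CLSIDs of the hook objects.
    $clsids = (Get-Item -LiteralPath $key).GetValueNames() |
        Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }

    if (-not $clsids) { Write-Output '(no hooks registered)'; continue }

    $clsids | ForEach-Object { Resolve-ShellExecuteHook $_ } |
        Format-Table CLSID, Name, Dll, Exists, Signer, Status -AutoSize
}
```

Run it in an elevated PowerShell on one of the affected XP machines and on a machine that logs on cleanly, and diff the two tables: a hook whose DLL lives under the ScriptLogic install directory, is unsigned, or has a status other than Valid is the first candidate to disable or to cite in the support ticket. Because HIPS is reacting to explorer.exe itself, this inventory also gives the vendor the exact module name rather than a blanket "Explorer" exception.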
Ordinarily I'd say that perhaps this was a case for creating an exception. However, I'd really suggest not doing that since a) it involves self-protection of Host IPS itself and b) Windows Explorer is the (shell) trigger. If it wasn't self-protection I'd be more inclined to say "exception", or if you could explicitly identify the known ScriptLogic processes involved.
I highly suspect there's a driver conflict here since remote tools like this oftentimes employ add-on video drivers or drivers that look at the video subsystems.
This is a case where you definitely want to open a support ticket. Perhaps there's something on the Host IPS side that can be done.