Had a question related to end users disabling the firewall through the McAfee end point agent. We have it set to refresh every 15 min and are in talks about hiding that feature in the end point agent. My question is related to logging that activity of an end user disabling the firewall. Is it logged somewhere locally on the machine or to ePO? I have looked at the event logs on a machine that I am testing and did not see any generated events for that action.
I know that I can generate a report in ePO pulling from the system all end points that have the firewall disabled, but that report is only valid from the last end point agent check-in. So I would manually have to pull one of the end points from the report and manually send it a wake-up call to get the latest information from that end point.
My question is related to logging that activity of an end user disabling the firewall. Is it logged somewhere locally on the machine or to ePO? I have looked at the event logs on a machine that I am testing and did not see any generated events for that action.
Users disabling the HIPS IPS/Firewall modules via the McAfee Agent Quick Settings menu does not generate any events locally or via ePO.
Moved to HIPS for faster response.
---
Peter
Moderator
Thank you - that's what I thought, I just wanted to confirm it.
Users cannot disable the firewall unless they know the password to unlock it. You should change the default password for the unlock if you do not want users to disable it. I am assuming that the firewall option is enabled via ePO for your clients.
alhaawi wrote:
users can not disable the firewall unless they know the password to unlock it
If you have enabled the option HIPS 8 General -> ClientUI -> Advanced options -> Allow disabling of features from the tray icon, then users can disable IPS and/or FW without the HIPS administrator or time-based password.
Side question. How long does it stay off for? Just until the next policy enforcement?
The disabled feature remains disabled until restored by the menu command or the next policy enforcement.
This depends on whether you have the Override Firewall at policy enforcement option enabled or not.