IPS Not Triggering Events

I'm currently having trouble with the IPS portion of HIPS.  It is currently deployed in adaptive mode to 20 systems, but no events are triggering and no rules have been created (we've been monitoring both the events in ePO and the HIPS UI on the local machine).  I've tried testing by going so far as to enable blocking highs and trying a double file extension execution, but the activity is not blocked nor logged.  The firewall portion is working as intended, creating dynamic rules and triggering events.  I'm not really sure where to go from here.  Any ideas?

HIPS policy configuration:

Options - Host IPS enabled, adaptive mode enabled

Protection - Log high severity only

Rules - My default and mcafee default

7 Replies

Re: IPS Not Triggering Events

HIPS 8.0.  Also, I did check to make sure the service is running as well as reboot the system.

Message was edited by: cakeboss on 1/31/13 1:00:13 PM CST

Re: IPS Not Triggering Events

I was able to pull this from firesvc.log.  Anyone happen to know if it's related?

01/31/2013 11:07:29 CLmisc.cpp[2789]    ERROR    (6264) PGPclGetServiceStatusByName() - failed to open SCM (1115).

01/31/2013 11:10:26 MAINWRK[436]    ERROR    (2548) forcePolicyEnforcement() - Failed waiting for new policy check to finish.

01/31/2013 11:11:33 ENTCPWRK[1512]    ERROR    Clear boot time access protection, no action taken.

01/31/2013 11:12:48 wsc.cpp[435]    ERROR    Failed to register the firewall with the Vista SP1 or later WSC (8000000a).

Re: IPS Not Triggering Events

Don't use Adaptive mode with IPS. You really do NOT want to create exceptions. If you really want to see what it is going to do then change Prevent to Log. Start with High and then move onto Medium.

Low severity isn't really what you want. Pretty much no one uses that content. Though occasionally you might promote one to medium.


Re: IPS Not Triggering Events

I found this on this community:

Thanks to Mr Kary Tankink

Create a file with a double extension <filename>.com.exe

If your Host IPS IPS Protection policy is set to HIGH: PREVENT, and Signature 413 is set to HIGH severity, then executing a file named <filename>.com.exe will trigger this signature.

I use this all the time (on Win7 64-bit) to trigger violations by executing or, etc.  for testing purposes.

Re: IPS Not Triggering Events

This is one of the methods I tried, but thank you.  I was unable to find a solution and opened a ticket with McAfee.  I'm no longer overseeing the systems, however, so will not know how this was resolved.  One problem we were having was the Event Parser service not starting, though that would seem to be unrelated to the event not triggering on the endpoint. 

Re: IPS Not Triggering Events

Not related.

Re: IPS Not Triggering Events

I would not put your stuff into adaptive. I would probably log all, and look for blocks and do what you please with them.

Furthermore, for the 413 IPS Signature, we have found the McAfee signature to be pretty bad at detecting double file extensions. We created a custom one and it pretty much catches everything.

Message was edited by: greatscott on 2/8/13 9:16:11 AM CST
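The double-extension test case quoted from Kary Tankink above (<filename>.com.exe, Signature 413) and the custom signature the last reply mentions both boil down to one heuristic: an executable extension preceded by a second, decoy extension. Below is an added example of that check as a defender's own detection over process-creation records; it is not McAfee's signature logic, and the extension lists, the benign-compound allowlist and the sample events are assumptions constructed for the example.

```python
"""Double-extension filename check (added example, not McAfee code).

Reimplements the heuristic behind the thread's "<filename>.com.exe" test as
a stand-alone check over process-creation records. Extension sets and the
sample records below are constructed assumptions, not the real signature.
"""
import re
from pathlib import PureWindowsPath

# Extensions Windows will run directly or via a script host; only the
# trailing extension decides what actually executes.
EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "ps1", "msi"}
# Legitimate compound extensions that must not be flagged (assumed list).
BENIGN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz"), ("user", "js")}
# A decoy extension is a short alphanumeric token: com, pdf, docx, jpeg, ...
EXT_TOKEN = re.compile(r"^[a-z0-9]{1,5}$")


def is_double_extension(path: str) -> bool:
    """True when the file name ends in an executable extension that is
    preceded by an extension-like token, e.g. setup.com.exe or invoice.pdf.exe.
    Note: a stem that itself contains a dot (my.tool.exe) also matches; tune
    BENIGN_COMPOUND for your environment rather than loosening the check."""
    name = PureWindowsPath(path).name.strip().lower()
    parts = name.split(".")
    if len(parts) < 3:                      # need stem + decoy + real extension
        return False
    decoy, real = parts[-2], parts[-1]
    if real not in EXECUTABLE or not EXT_TOKEN.match(decoy):
        return False
    return (decoy, real) not in BENIGN_COMPOUND


def flag_process_events(events):
    """Return the image paths of process-creation records that match."""
    return [e["image"] for e in events if is_double_extension(e["image"])]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\test\Downloads\setup.com.exe"},
    {"pid": 4121, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4122, "image": r"C:\Temp\Invoice_2013.PDF.exe"},
    {"pid": 4123, "image": r"C:\Tools\backup.tar.gz"},
    {"pid": 4124, "image": r"C:\Users\test\report.docx"},
]

if __name__ == "__main__":
    for image in flag_process_events(SAMPLE_EVENTS):
        print("double extension:", image)
```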