I'm currently having trouble with the IPS portion of HIPS. It is currently deployed in adaptive mode to 20 systems, but no events are triggering and no rules have been created (we've been monitoring both the events in ePO and the HIPS UI on the local machine). I've tried testing by going so far as to enable blocking highs and trying a double file extension execution, but the activity is not blocked nor logged. The firewall portion is working as intended, creating dynamic rules and triggering events. I'm not really sure where to go from here. Any ideas?
HIPS policy configuration:
Options - Host IPS enabled, adaptive mode enabled,
Protection - Log high severity only
Rules - My default and mcafee default
I was able to pull this from firesvc.log. Anyone happen to know if it's related?
01/31/2013 11:07:29 CLmisc.cpp ERROR (6264) PGPclGetServiceStatusByName() - failed to open SCM (1115).
01/31/2013 11:10:26 MAINWRK ERROR (2548) forcePolicyEnforcement() - Failed waiting for new policy check to finish.
01/31/2013 11:11:33 ENTCPWRK ERROR Clear boot time access protection, no action taken.
01/31/2013 11:12:48 wsc.cpp ERROR Failed to register the firewall with the Vista SP1 or later WSC (8000000a).
Don't use Adaptive mode with IPS. You really do NOT want to create exceptions. If you really want to see what it is going to do then change Prevent to Log. Start with High and then move onto Medium.
Low severity isn't really what you want. Pretty much no one uses that content. Though occasionally you might promote one to medium.
I found this on this community: https://community.mcafee.com/message/212795
Thank Mr Kary Tankink
Create a file with a double extension <filename>.com.exe
If you have Host IPS IPS Protection policy is set to HIGH: PREVENT, and Signature 413 is set to HIGH Severity, then executing a filename with <filename>.com.exe will trigger this signature.
I use this all the time (on Win7 64-bit) to trigger violations by executing notepad.com.exe or putty.com.exe, etc. for testing purposes.
This is one of the methods I tried, but thank you. I was unable to find a solution and opened a ticket with McAfee. I'm no longer overseeing the systems, however, so will not know how this was resolved. One problem we were having was the Event Parser service not starting, though that would seem to be unrelated to the event not triggering on the endpoint.
I would not put your stuff into adaptive. I would probably log all, and look for blocks and do what you please with them.
Furthermore, for the 413 IPS Signature, we have found the McAfee signature to be pretty bad at detecting double file extensions. We created a custom and it pretty much catches everything.Message was edited by: greatscott on 2/8/13 9:16:11 AM CST