raja123
Level 7
Message 1 of 2

Internet Connectivity lost on installing ndis filter in presence of HIPS 8.0

Hi,

We are planning to deploy/develop an NDIS filter driver using the sample [Windows NDIS 6.0 Filter Driver sample in C++ for Visual Studio 2013]. As soon as I install this NDIS filter driver, internet connectivity is lost. I am also getting an Activity log on HIPS as "Block All Traffic". The only way to restore internet connectivity is to reboot, or we need to disconnect and reconnect the LAN cable.

This issue happens only in the presence of HIPS 8. On uninstalling HIPS 8.0, this issue is not reproduced.


Sample HIPS Activity Log:

McAfee Host Intrusion Prevention Log

Thursday, April 16, 2015 7:56:52 PM

Time: 4/16/2015 7:56:49 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:46 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:46 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)

Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:45 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:44 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:43 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming UDP -  Source 10.***.***.*** : bootpc (68)  Destination 255.255.255.255 : bootps (67)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:41 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-dgm (138)  Destination 10.***.***.*** : netbios-dgm (138)

Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:36 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58833)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:36 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58832)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:22 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Allowed Outgoing UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)

Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:21 PM

Event: Traffic

IP Address/User: 224.0.0.252

Message: Blocked Outgoing UDP -  Source 10.***.***.*** :  (59910)  Destination 224.0.0.252 :  (5355)

Matched Rule: Block All Traffic

I am not able to decode the exact meaning of the HIPS log.

Please provide any suggestions to resolve this issue.

1 Reply
akucyn
Level 7
Message 2 of 2

Re: Internet Connectivity lost on installing ndis filter in presence of HIPS 8.0

Hey Raja,

From your thread it appears you want to "deploy/develop ndis filter driver"? So this is more of a developer question and not a typical user question.

I don't know much about developing NDIS; however, HIPS is sensitive to other NDIS filters and might detect your driver as an intrusion, or something is simply wrong. Please make sure that your new filter is not taking a higher place than the HIPS NDIS driver, i.e. here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network.

Hope this helps.
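
To help read the activity log quoted in the question, this added example (not part of the original posts and not McAfee code) parses entries in that layout and tallies them by matched rule and logged action. The sample log is constructed, and the `INFRA_PORTS` table is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the activity log quoted in the question.
SAMPLE_LOG = """\
Time: 4/16/2015 7:56:46 PM
Event: Traffic
Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)
Matched Rule: Block All Traffic
Time: 4/16/2015 7:56:46 PM
Event: Traffic
Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)
Matched Rule: Block Untrusted NetBIOS
Time: 4/16/2015 7:56:43 PM
Event: Traffic
Message: Blocked Incoming UDP -  Source 10.***.***.*** : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule: Block All Traffic
"""

MESSAGE_RE = re.compile(
    r"(?P<action>Blocked|Allowed) (?P<direction>Incoming|Outgoing) (?P<proto>\w+) -\s+"
    r"Source (?P<src>\S+) :\s*[\w-]*\s*\((?P<src_port>\d+)\)\s+"
    r"Destination (?P<dst>\S+) :\s*[\w-]*\s*\((?P<dst_port>\d+)\)")

# Assumption of this example: services a host needs for addressing and name lookup.
INFRA_PORTS = {53: "DNS", 67: "DHCP", 5355: "LLMNR"}

def parse_events(text):
    """Return one dict per entry; an entry ends at its 'Matched Rule' line."""
    events, current = [], {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Message" and (match := MESSAGE_RE.fullmatch(value)):
            current.update(match.groupdict())
        elif key == "Matched Rule":
            if "action" in current:  # skip entries whose message did not parse
                events.append({**current, "rule": value})
            current = {}
        elif key == "Time":
            current["time"] = value
    return events

def tally(events):
    """Count by (rule, action); the action is the one logged in the message text."""
    return Counter((e["rule"], e["action"]) for e in events)

def blocked_infrastructure(events):
    # Blocked entries whose destination port is listed in INFRA_PORTS.
    return [(INFRA_PORTS[int(e["dst_port"])], e["rule"]) for e in events
            if e["action"] == "Blocked" and int(e["dst_port"]) in INFRA_PORTS]
```

Run over the full log, the tally separates what the catch-all "Block All Traffic" rule dropped from what was let through, and `blocked_infrastructure` lists the dropped DHCP and name-resolution packets.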
