raja123
Level 7

Internet Connectivity lost on installing ndis filter in presence of HIPS 8.0

Hi,

We are planning to deploy/develop an NDIS filter driver using the sample [Windows NDIS 6.0 Filter Driver sample in C++ for Visual Studio 2013]. As soon as I install this NDIS filter driver, internet connectivity is lost, and I am getting an activity log entry on HIPS as "Block All Traffic". The only way to restore internet connectivity is a reboot, or we need to disconnect and connect back the LAN cable.

This issue is happening only in the presence of HIPS 8.0. On uninstalling HIPS 8.0, this issue is not reproduced.


Sample HIPS Activity Log:

McAfee Host Intrusion Prevention Log

Thursday, April 16, 2015 7:56:52 PM

Time: 4/16/2015 7:56:49 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:46 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:46 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)

Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:45 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:44 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:43 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming UDP -  Source 10.***.***.*** : bootpc (68)  Destination 255.255.255.255 : bootps (67)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:41 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-dgm (138)  Destination 10.***.***.*** : netbios-dgm (138)

Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:36 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58833)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:36 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58832)

Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:22 PM

Event: Traffic

IP Address/User: 10.***.***.***

Message: Allowed Outgoing UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)

Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:21 PM

Event: Traffic

IP Address/User: 224.0.0.252

Message: Blocked Outgoing UDP -  Source 10.***.***.*** :  (59910)  Destination 224.0.0.252 :  (5355)

Matched Rule: Block All Traffic

I am not able to decode the exact meaning of the HIPS log.

Please provide any suggestion to resolve this issue.
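An added example, not part of the post or of McAfee's tooling: a small parser for the activity-log layout quoted above that splits the export into one record per "Time:" block, pulls action, direction, protocol and ports out of each Message line, and counts which rule blocked which flows. The sample log is constructed in the same format, with IPs masked as in the post.

```python
import re
from collections import Counter

# Constructed sample in the layout of the HIPS activity log quoted in the post (IPs masked as there)
SAMPLE_LOG = """McAfee Host Intrusion Prevention Log

Time: 4/16/2015 7:56:46 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)
Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:43 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Blocked Incoming UDP -  Source 10.***.***.*** : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:36 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58833)
Matched Rule: Block All Traffic
"""

FIELDS = ("Time", "Event", "IP Address/User", "Message", "Matched Rule")
# Message layout: "<Allowed|Blocked> <Incoming|Outgoing> <proto> -  Source <ip> : [name] (<port>)  Destination ..."
MSG_RE = re.compile(r"^(?P<action>Allowed|Blocked) (?P<direction>Incoming|Outgoing) (?P<proto>\w+) -\s+"
                    r"Source (?P<src>\S+) :\s*[\w-]*\s*\((?P<sport>\d+)\)\s+"
                    r"Destination (?P<dst>\S+) :\s*[\w-]*\s*\((?P<dport>\d+)\)")

def parse_events(text):
    """One record per 'Time:' block; banner lines without a known 'Key: ' prefix are skipped."""
    events, cur = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(": ")
        if key not in FIELDS:
            continue
        if key == "Time":
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = value.strip()
            if key == "Message" and (m := MSG_RE.match(value.strip())):
                cur.update(m.groupdict())
    return events

def blocked_by_rule(events):
    """Count blocked flows per (rule, direction, protocol, destination port) to see what each rule is dropping."""
    return Counter((e["Matched Rule"], e["direction"], e["proto"], e["dport"])
                   for e in events if e.get("action") == "Blocked")
```

Running `blocked_by_rule(parse_events(open("hips.log").read()))` on a full export lists, per rule, the directions and ports being dropped, which makes it easy to spot that the "Block All Traffic" rule is catching basic flows such as the DHCP reply (bootps/67) rather than one specific application.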

akucyn
Level 7

Re: Internet Connectivity lost on installing ndis filter in presence of HIPS 8.0

Hey Raja,

From your thread it appears you want to "deploy/develop ndis filter driver"? So this is more a developer question and not a typical user question.

I don't know much about developing for NDIS; however, HIPS is sensitive to other NDIS filters and might detect your driver as an intrusion, or simply something is wrong. Please make sure that your new filter is not taking a higher place than the HIPS NDIS driver, i.e. here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network.

Hope this helps.
