I'm noticing a number of HIPS IPS Events that are being triggered by a component of the McAfee Agent. Has anyone noticed this before?
Host IPS Event Description: C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE running with the privileges of user NT AUTHORITY\SYSTEM on the system with Agent XXXXXX attempted to perform the following operation(s) on the registry value \REGISTRY\MACHINE\SOFTWARE\MCAFEE\HIP\CONFIG\TRUSTEDAPP\213:create
Source Process Name: C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE
Threat Event ID: 18000
Threat Name: 1002
Looks like the solution would be to add the McAfee signed files to the exclusions as per McAfee KnowledgeBase - How to obtain executable information for Host Intrusion Prevention 8.0 using ... but I'm wondering why by default HIPS wouldn't automatically exclude McAfee signed files? Am I missing something?
1. IPS Logging should not be enabled for self-protection signatures (Windows signatures 1000-1003). They are not meant to be included with normal IPS event tuning (why logging is disabled by default) and can be very noisy.
2. Ensure you have the McAfee Default IPS Rules & Trusted Applications policy assigned to your clients, along with any custom policies.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
FAQ — Multiple-instance policies
Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies.
The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.
Thanks for that, appreciate it. Just a couple of days ago we were wondering why there were multiple policies; it makes sense to know that the default policy is how content is updated. What's interesting is that on this particular system, McAfee Default is assigned, and I do see that McAfee Common Framework is a trusted app, so it's odd that it's triggering this event:
The McAfee Agent exclusion on the default policy looks like this
And this is the information I got from the exe on the client, they look identical.
Signer = CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US
Description = NAI Product Manager
Hash = 0x915858F90E68EB58C5DDD1148E7A5FED
NOTE: The following signatures will be triggered regardless of whether an application is Trusted for IPS or not: 428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137.
I would check those systems for some type of policy issue. If they are firing and triggering events to the ePO server, then those signatures are enabled locally and should not be. Common causes are policy enforcement issues, policy assignment rule issues (e.g., different policies being assigned when tagged/not tagged), or different policies being assigned than the ones you think are.
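To put the two answers above into a repeatable triage step, here is an added example (not McAfee code and not anything posted in this thread) that reads exported Host IPS events in the "Key: Value" layout of the original post and buckets each one by signature ID: self-protection signatures 1000-1003 (which should never reach ePO with logging at the default setting, so the agent gets flagged for a policy check), the signatures listed as firing regardless of Trusted Application status (which exclusions will not silence), and everything else. The sample export, the agent ids, the non-McAfee path and the signature id 9999 are constructed for the example; the assumption that processes under Program Files\McAfee are the ones the McAfee Default Trusted Applications policy covers is mine.

```python
"""Triage Host IPS events exported as text, using the signature rules given in
the thread's answers. Added example, not McAfee code or any poster's script.
Assumes events arrive as "Key: Value" lines with a blank line between events;
the sample records below are constructed for the example."""
import re
from collections import Counter

# From the first answer: Windows self-protection signatures 1000-1003.
# IPS logging for these is off by default, so seeing them in ePO means the
# client's effective policy is not what you expect.
SELF_PROTECTION_SIGS = set(range(1000, 1004))
# From the second answer: fire whether or not the app is Trusted for IPS.
ALWAYS_FIRE_SIGS = {428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137}
# Assumption for this example: processes under this prefix are the ones the
# McAfee Default Trusted Applications policy is expected to cover.
TRUSTED_PATH_PREFIX = "c:\\program files\\mcafee\\"

AGENT_RE = re.compile(r"with Agent (\S+)")

# Constructed sample export. Record 1 mirrors the thread's event; the agent
# ids, the C:\EXAMPLE path and signature 9999 are placeholders for the example.
SAMPLE_EXPORT = r"""
Host IPS Event Description: C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE running with the privileges of user NT AUTHORITY\SYSTEM on the system with Agent AGENT-ID-1 attempted to perform the following operation(s) on the registry value \REGISTRY\MACHINE\SOFTWARE\MCAFEE\HIP\CONFIG\TRUSTEDAPP\213:create
Source Process Name: C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE
Threat Event ID: 18000
Threat Name: 1002

Host IPS Event Description: C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE running with the privileges of user NT AUTHORITY\SYSTEM on the system with Agent AGENT-ID-2 attempted to perform the following operation(s) on a file
Source Process Name: C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE
Threat Event ID: 18000
Threat Name: 428

Host IPS Event Description: C:\EXAMPLE\TOOL.EXE running with the privileges of user EXAMPLE\USER on the system with Agent AGENT-ID-3 attempted to perform the following operation(s) on a file
Source Process Name: C:\EXAMPLE\TOOL.EXE
Threat Event ID: 18000
Threat Name: 9999
"""


def parse_events(text):
    """Split the export into records: one dict of field -> value per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                record[key.strip()] = value.strip()
        if "Threat Name" in record:
            events.append(record)
    return events


def agent_id(description):
    """Pull the agent identifier out of the event description text."""
    match = AGENT_RE.search(description)
    return match.group(1) if match else "unknown"


def classify(event):
    """Return a triage bucket for one event using the thread's signature rules."""
    try:
        sig = int(event.get("Threat Name", ""))
    except ValueError:
        return "unparsed-signature"
    proc = event.get("Source Process Name", "").lower()
    if sig in SELF_PROTECTION_SIGS:
        # Should not be logged at all; look at policy assignment/enforcement.
        return "self-protection-check-policy"
    if sig in ALWAYS_FIRE_SIGS:
        # Trusted Application status does not suppress these signatures.
        return "fires-regardless-of-trust"
    if proc.startswith(TRUSTED_PATH_PREFIX):
        # A trusted-path process still firing a normal signature points at the
        # effective policy on that client rather than at the exclusion list.
        return "trusted-path-still-firing"
    return "review"


def summarize(text):
    """Count events per bucket and list agents that need a policy check."""
    events = parse_events(text)
    buckets = Counter(classify(e) for e in events)
    check_agents = sorted(
        agent_id(e.get("Host IPS Event Description", ""))
        for e in events
        if classify(e) == "self-protection-check-policy"
    )
    return buckets, check_agents


if __name__ == "__main__":
    counts, agents = summarize(SAMPLE_EXPORT)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket}: {n}")
    print("agents to check for policy issues:", ", ".join(agents))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the "self-protection-check-policy" agents are the systems to compare against the expected policy assignments, and anything in "fires-regardless-of-trust" is not worth adding exclusions for.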
I'm just noticing that the events seem to correlate with the HIPS signature updates. Looking at one PC I see it updated its signature at 10:14, and then less than a minute later, the event was triggered. Very odd.