EPO-Janni
Level 9

Problems using HIP and HIP-Event.log

Hi,

I have problems allowing some programming tools to be used.

In the Event.log of HIPS on the affected workstation I found some entries:

...

8 1271932882 0.0.0.0  0 C:\CYGWIN\BIN\BASH.EXE riOn4syHPOkujW2j68qUYA== 1 22
7 1271932928 0.0.0.0  -1 17 255.255.255.255 17152 0.0.0.0 17408 1 0 -1  0
8 1271932945 0.0.0.0  1256 C:\MSYS\BIN\SH.EXE gT20gFxu8diobq9TBZfqtw== 1 22
8 1271932991 0.0.0.0  0 C:\MSYS\BIN\SH.EXE ktOY8JCXbmLRaWrCGz0cWQ== 1 22
8 1271938545 0.0.0.0  1452 C:\WINDOWS\SYSTEM32\CSRSS.EXE myKq41Zq7+4zzkmNvg0v0g== 1 23
...

What is the meaning of these entries?

To allow access to the programming tools I modified the HIPS rules.

In "Host Intrusion Prevention 7.0.4: Application Blocking" - "Application Blocking Rules (Windows)" I added the following entries:

     Rule name: BASH.EXE

     Application path: BASH.EXE

     Application options:    "activate" - general

                             "activate" - create application

                             "activate" - allow hooking

     Matching options: "activate" - path only

In "Host Intrusion Prevention 7.0.4: General" - "Trusted Applications (all platforms)" I added the entries:

     Name: Tools

     Status:  "activate" - general

              "activate" - mark as trusted for IPS (all platforms)

              "activate" - mark as trusted for Firewall (Windows)

              "activate" - mark as trusted for creating application hooks (Windows)

     Processes: C:\CYGWIN\BIN\*

                C:\MSYS\BIN\*

                C:\WINDOWS\SYSTEM32\CSRSS.EXE

But the programming application didn't work with the Firewall (including HIP) activated. What can I do to allow the programming tools?

Tests with PINBALL.EXE on the affected PC are positive. If I allow PINBALL.EXE, the program can be used. If I block PINBALL.EXE using the rules above, PINBALL.EXE can't be used. The HIPS for PINBALL is working properly.

How can I configure the HIPS rule to grant access for using the programming tools?

Thank you for help.

Greetings from Germany

Janni

0 Kudos
11 Replies
bgable
Level 11

Re: Problems using HIP and HIP-Event.log

Not sure I understand what is being asked here...

0 Kudos
EPO-Janni
Level 9

Re: Problems using HIP and HIP-Event.log

Hi,

As I wrote, I want to use some programming software. But if HIP is activated the tools don't work. If I deactivate HIP the software works without problems. Is it possible to work with the programming software AND activated HIP? I already posted some LOG screenshots.

Greetings from Germany

Janni

0 Kudos
bgable
Level 11

Re: Problems using HIP and HIP-Event.log

Run the firewall in adaptive mode to learn any rules you will need.

0 Kudos
McAfee Employee

Re: Problems using HIP and HIP-Event.log

How can I configure the HIPS rule to grant access for using the programming tools?

Instead of trying to read the event.log file (which does not write human-readable format; by design), read the same log entries in the HIPS Client UI Activity Log file.  This will give you readable details on what's being blocked.  If it's an event with blocked network traffic, then you need to write a firewall rule.  If it's a "Blocked Application", then create an App Blocking rule for the application.  If it's something like an "Attack type" event, then look for the IPS signature violation details and see if you need to create an IPS signature exception for that application.

Trying to tune the HIPS product by reading the event.log file is not very easy or user-friendly.

0 Kudos
NitroCircus
Level 7

Re: Problems using HIP and HIP-Event.log

Sure, but if we don't have access to the machines? Only access to files, no remote control and we want to see and understand the HIPS activity? how can we "translate" the event.log file?

0 Kudos
McAfee Employee

Re: Problems using HIP and HIP-Event.log

You can replace your own event.log file on your system (preferably done on a test system, not production; after stopping HIPS services, to disable the lock on the file) with a copy of the user's.  Then open the HIPS Client UI and click Refresh or Save to export the activity to McAfeeFireLog.txt.

0 Kudos
bgable
Level 11

Re: Problems using HIP and HIP-Event.log

You can use the HIP ClientControl utility to export a client activity log.  This will ensure it is in readable format.

The ClientControl utility is available from the McAfee product download site  under Host Intrusion Prevention, with your valid grant#.

0 Kudos
bgable
Level 11

Re: Problems using HIP and HIP-Event.log

Let me correct myself:

If you don't have access to the end machine, ClientControl won't work.

You would have to run it on the end node to convert its event.log.

We are adding a file input parameter for the 8.0 ClientControl so you can point to any input file (event.log), not on a particular client.

0 Kudos
Chino
Level 7

Re: Problems using HIP and HIP-Event.log

The event log displays in binary and hexadecimal.  We created a program that reads each line and puts the code in a readable format.  If you would like to know the variables I can post.

0 Kudos
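The kind of line-by-line reader Chino describes, applied to the event.log records quoted in the original post, as an added example that is not code from the thread, from McAfee, or from Chino's program. The column meanings are not documented anywhere in this thread, so everything below is an assumption drawn from the sample values: that column 2 is a Unix epoch timestamp (1271932882 decodes to 22 April 2010, which fits the thread's timeframe), that type-8 records carry a process ID, an executable path and a base64 16-byte hash, and that type-7 records carry a protocol number, two addresses and two ports stored in network byte order (17152 and 17408 byte-swap to 67 and 68, the DHCP ports, next to protocol 17, UDP). Treat the decoded fields as a reading aid for an offline copy of the file, not as an official format description; the Client UI or ClientControl export remains the authoritative rendering.

```python
import re
from base64 import b64decode
from datetime import datetime, timezone

# Constructed sample: the five records quoted in the original post.
SAMPLE_LOG = r"""
8 1271932882 0.0.0.0  0 C:\CYGWIN\BIN\BASH.EXE riOn4syHPOkujW2j68qUYA== 1 22
7 1271932928 0.0.0.0  -1 17 255.255.255.255 17152 0.0.0.0 17408 1 0 -1  0
8 1271932945 0.0.0.0  1256 C:\MSYS\BIN\SH.EXE gT20gFxu8diobq9TBZfqtw== 1 22
8 1271932991 0.0.0.0  0 C:\MSYS\BIN\SH.EXE ktOY8JCXbmLRaWrCGz0cWQ== 1 22
8 1271938545 0.0.0.0  1452 C:\WINDOWS\SYSTEM32\CSRSS.EXE myKq41Zq7+4zzkmNvg0v0g== 1 23
"""

# A 16-byte value encoded in base64 is exactly 22 symbols plus "==" padding.
B64_16BYTES = re.compile(r"^[A-Za-z0-9+/]{22}==$")


def epoch_utc(field):
    """Assumption: the second column is a Unix epoch timestamp in seconds."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def swap16(value):
    """Byte-swap a 16-bit value (network byte order <-> host order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def parse_record(line):
    """Split one whitespace-separated record into labelled fields (assumed layout)."""
    fields = line.split()
    rtype = int(fields[0])
    rec = {"type": rtype, "time": epoch_utc(fields[1]).isoformat(), "ip": fields[2]}
    if rtype == 8:
        # Assumed process-record layout: type ts ip pid path hash flag code.
        # The path may contain spaces, so locate the base64 hash token instead
        # of trusting a fixed column index for the end of the path.
        idx = next((i for i, f in enumerate(fields) if B64_16BYTES.match(f)), None)
        if idx is None:
            raise ValueError(f"no 16-byte base64 hash found in record: {line!r}")
        rec.update({
            "pid": int(fields[3]),
            "path": " ".join(fields[4:idx]),
            "hash_hex": b64decode(fields[idx]).hex(),
            "trailer": [int(f) for f in fields[idx + 1:]],
        })
    elif rtype == 7:
        # Assumed network-record layout: type ts ip -1 proto remote_ip port local_ip port ...
        # Hypothesis from the sample: ports are stored in network byte order,
        # so 17152 -> 67 and 17408 -> 68 (DHCP over UDP, protocol 17).
        rec.update({
            "protocol": int(fields[4]),
            "remote": (fields[5], swap16(int(fields[6]))),
            "local": (fields[7], swap16(int(fields[8]))),
            "trailer": [int(f) for f in fields[9:]],
        })
    else:
        # Unknown record type: keep the raw columns so nothing is silently dropped.
        rec["raw"] = fields[3:]
    return rec


def parse_log(text):
    """Parse every non-empty line of an event.log-style text dump."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for record in parse_log(SAMPLE_LOG):
        print(record)
```

Run it against a saved copy of the file; the hash column is printed as hex so it can be compared with whatever hashing the client actually uses, and a path containing spaces (e.g. under `C:\Program Files`) is reassembled correctly because the parser anchors on the hash token rather than on a column count.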