McDuff
Level 10

Remotely Determining if HIPS IPS or Firewall is Disabled

Hello,

Is there a way that you can remotely tell if somebody has disabled the firewall or IPS on their HIPS 6.1 client? If so, is there any way this could generate an alert in ePO 3.6.1?

Thanks in advance.
0 Kudos
5 Replies
Raja
Level 9

RE: Remotely Determining if HIPS IPS or Firewall is Disabled

There is no way, currently, to determine if the firewall has been disabled.
If you don't want end users turning it off, you can lock down the local GUI.

-R-
0 Kudos
lfah2000
Level 10

RE: Remotely Determining if HIPS IPS or Firewall is Disabled


ExcludeServers=0
Display=1
LocalLog=1
ServerLog=1

And this is the log:
"ComputerName","User ID","UserName","Model","Serial","Tijd","FrameworkPath","FrameWorkVersion","FrameworkStatus","FrameworkStartup","Framework Install","VSEPath","VSEVersion","EngineVersion","DATVersion","DATDate","McShieldStatus","McShieldStartup","TaskManagerStatus","TaskManagerStartup","HIPPath","HIPVersion","HIPHotFix","HostIntrusionStatus","HostIntrusionStartup","FireWallStatus","OS","Service Pack","Type"
"XXX","XXX","ADName","Latitude D610","1234","2008:10:06:08:25:12","C:\Program Files\McAfee\Common Framework","4.0.0.1180","SERVICE_RUNNING","SERVICE_AUTO_START","NO","C:\Program Files\McAfee\VirusScan Enterprise\","8.7.0.570","5300.2777","5398","2008/10/03","SERVICE_RUNNING","SERVICE_AUTO_START","SERVICE_RUNNING","SERVICE_AUTO_START","0","0","0","Service does not exist","Service does not exist","XP Firewall Stopped","Windows Vista","Service Pack 1","Workstation"

The size of the logfile is limited to 6 Mb. It will start a new one.

If you want I can put it somewhere or email it.

(You can view the file with Excel; it is a CSV.)
0 Kudos
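Added example, not part of the original post and not McAfee tooling: a Python check over the CSV log format shown above that reports hosts whose agent, on-access scanner or HIPS service is not running or whose firewall is stopped, and marks rows whose `Tijd` collection time is too old to trust. The header and the `XXX` row are copied from the post; the `PC-OK` row, its `XP Firewall Running` value and the 24-hour staleness threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Header and first row are from the post; the PC-OK row is constructed.
SAMPLE = r""""ComputerName","User ID","UserName","Model","Serial","Tijd","FrameworkPath","FrameWorkVersion","FrameworkStatus","FrameworkStartup","Framework Install","VSEPath","VSEVersion","EngineVersion","DATVersion","DATDate","McShieldStatus","McShieldStartup","TaskManagerStatus","TaskManagerStartup","HIPPath","HIPVersion","HIPHotFix","HostIntrusionStatus","HostIntrusionStartup","FireWallStatus","OS","Service Pack","Type"
"XXX","XXX","ADName","Latitude D610","1234","2008:10:06:08:25:12","C:\Program Files\McAfee\Common Framework","4.0.0.1180","SERVICE_RUNNING","SERVICE_AUTO_START","NO","C:\Program Files\McAfee\VirusScan Enterprise\","8.7.0.570","5300.2777","5398","2008/10/03","SERVICE_RUNNING","SERVICE_AUTO_START","SERVICE_RUNNING","SERVICE_AUTO_START","0","0","0","Service does not exist","Service does not exist","XP Firewall Stopped","Windows Vista","Service Pack 1","Workstation"
"PC-OK","u1","ADName","Latitude D610","5678","2008:10:06:08:00:00","-","4.0.0.1180","SERVICE_RUNNING","SERVICE_AUTO_START","NO","-","8.7.0.570","5300.2777","5398","2008/10/03","SERVICE_RUNNING","SERVICE_AUTO_START","SERVICE_RUNNING","SERVICE_AUTO_START","-","6.1","0","SERVICE_RUNNING","SERVICE_AUTO_START","XP Firewall Running","Windows XP","Service Pack 3","Workstation"
"""

HEALTHY = "SERVICE_RUNNING"
# Service-state columns from the log header that must report a running service.
SERVICE_COLUMNS = ("FrameworkStatus", "McShieldStatus", "HostIntrusionStatus")


def audit(csv_text, now, max_age=timedelta(hours=24)):
    """Return {ComputerName: [findings]} for every row that has a problem."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = [f"{col}: {row[col]}"
                    for col in SERVICE_COLUMNS if row[col] != HEALTHY]
        # The firewall column is free text in the sample ("XP Firewall Stopped").
        # Assumption: any value containing "stopped" or "not exist" is a problem.
        firewall = row["FireWallStatus"].lower()
        if "stopped" in firewall or "not exist" in firewall:
            findings.append(f"FireWallStatus: {row['FireWallStatus']}")
        # "Tijd" is the collection time. An old row describes a past state,
        # so it is reported as stale instead of being read as current.
        collected = datetime.strptime(row["Tijd"], "%Y:%m:%d:%H:%M:%S")
        if now - collected > max_age:
            findings.append(f"stale record: collected {collected.isoformat()}")
        if findings:
            report[row["ComputerName"]] = findings
    return report


if __name__ == "__main__":
    for host, problems in audit(SAMPLE, datetime(2008, 10, 6, 9, 0, 0)).items():
        print(host, "->", "; ".join(problems))
```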
chuck92103
Level 7

RE: Remotely Determining if HIPS IPS or Firewall is Disabled



Yes. Go into the ePO console and look up the system properties for the host.

You will see settings like...

fwenable=true/false
HostIPSenable=true/false
OnAccess=true/false

etc.

I don't remember the exact names, but it is all in ePO. We do custom queries on this data.
0 Kudos
Raja
Level 9

RE: Remotely Determining if HIPS IPS or Firewall is Disabled

That data in the ePO console only reflects the state at the last ASCI. It's possible that ePO could show it on and it's really off.

-R-
0 Kudos
jsuuronen
Level 7

RE: Remotely Determining if HIPS IPS or Firewall is Disabled

Is that really much different than any product managed in ePO?

If you really want to, send a wakeup call and collect details from the box prior to checking in ePO.

But setting a local policy to enable IPS, with a short enforcement time, should keep the data in ePO pretty accurate, unless the agent breaks (which seems to be often, unfortunately).
0 Kudos