d4rmsc
Level 8

Testing question - IPS protection levels

Hi

I installed HIPS 8 and it is set up and running fine. I am now looking at the different types of events and how they are handled, so I set the IPS Protection to log only for critical (high) severity events to monitor and test. I created a double file extension (i.e. calc.exe.com), tried to run it but it was blocked (signature id 413).

Adaptive mode not set. IPS protection policy is set to log for high and medium severities, so why is it blocking the double file extension execution? Should it allow it and just log the event, since currently it does not appear to be abiding by the IPS protection policy?

Please help, thanks

on 10/05/11 05:38:30 CDT
1 Solution

Accepted Solutions
d4rmsc
Level 8

Re: Testing question - IPS protection levels

After thorough mind boggling, I managed to get it working!!! Basically new policy changes are not enforced when the client UI is open and unlocked!! I closed the UI, woke up the agent and the new protection levels worked, very happy now!!

Luckily read this by chance in the help section of ePO.


Can't believe there was no issue like this previously discussed in the forum; however, this should hopefully help others in the future.

Message was edited by: d4rmsc on 11/05/11 04:00:40 CDT
4 Replies
metalhead
Level 12

Re: Testing question - IPS protection levels

Are you sure it is blocked by HIPS? Is VirusScan Enterprise also installed? Perhaps the Access Protection feature is blocking the double extension...

d4rmsc
Level 8

Re: Testing question - IPS protection levels

Yeah, it's blocked by HIPS. It comes up in the HIPS client user interface and also under HOST IPS 8.0 > Events > IPS Events, where the detecting product name is HIPS.

Even when I set the IPS protection to the default McAfee Warning one and wake up the agent, this is still getting blocked.

In another test I also increased the protection to prevent medium (warning) severity intrusions; however, these were still being permitted.

It seems like the IPS protection settings, however I set them, are not being applied to the policy for some reason. Any ideas, please?

metalhead
Level 12

Re: Testing question - IPS protection levels

Can you post the content (properties or screenshot) of the event showing up in ePO?
