
Threat source column and threat target column are equal

We are using ePO 4.5 and HIPS 7.0.0.1102 with Patch 7. When we run a query to show, for example, the desktop with more triggered HIPS signatures, and we use the threat source column and threat target column in the result table to show the IPv4 address, we get the same value in both columns, which is the IPv4 address of the system name. Is this normal? How could we get the threat source?

Regards.

6 Replies
McAfee Employee mtareiq

Re: Threat source column and threat target column are equal

This is actually the expected behavior. HIPS modules, by the time they process API and system calls at the OS level, no longer have the target IP addresses available. The generic template it uses to populate information for security events does have a section for source and destination IP addresses. It simply populates them with the system's IP address.

Re: Threat source column and threat target column are equal

OK, but then how can we determine the source of the attack? How should we troubleshoot the attacks?

McAfee Employee mtareiq

Re: Threat source column and threat target column are equal

Host IPS essentially provides shielding for potential vulnerabilities on your system and is not necessarily slanted towards or scaled for data forensics for attack sources. It intercepts API and system calls, and source IPs mostly aren't available; they also typically don't have much context at that OS level.

Re: Threat source column and threat target column are equal

Once HIPS has signatures of type Network IPS, to us it makes perfect sense that we can detect the source of the attacks.

McAfee Employee mtareiq

Re: Threat source column and threat target column are equal

You should be able to see the source IPs in the NIPS sigs.

Re: Threat source column and threat target column are equal

You're right. Thank you.
