I have a feeling I know the responses I will receive, but here goes...! As part of a displacement of another vendors HIPS, I have been asked if that vendors program could remain installed (but disabled) while McAfee HIPS is tested in a PoC. I would suggest that the answer is no, because a)it scares me, b)even if the other vendors HIPs is 'disabled' it may still have hooks in the system that affect McAfee, and also 'disabled' appears to be a term open to interpretation by a number of vendors, c)it scares me.
Alternatively, to compromise, as this is a PoC, I can see us having the alternative suggestion that we can try it on a small number of PoC endpoints, but to ensure that the PoC is not affected we would essentially have to 'double up' on each of the identified system types partaking in the PoC.
I dont think I will get (and I certainly cant find) and formal comment on this from McAfee, but just wondering what anybodys thoughts were? I am going to fire this question directly to McAfee also in the meantime.
Even though HIPS may be disabled, there are components that will remain installed that could cause conflicts with other related products, so it would be suggested to uninstall McAfee HIPS & reboot, before installing other products, in order to prevent conflicts/compatibility issues from occurring.
KB70930 - Host Intrusion Prevention compatibility with Microsoft Threat Management Gateway Server
Its as much as I thought. Not using the FW component, just the IPS, but I would reckon the risk of conflicts will be fairly high - even if there is no immediately noticeable issue, the product may be impacted and not doing its full job.