cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

WSUS patches cause servers to lose network connectivity

We've been seeing this issue since HIPS 8 was deployed to servers and the issue continues with HIPS 8 patch 1.   Have to start the server with OOB management in safe mode, disable HIPS and then reboot to get network back.

Have opened numerous cases, but there are no log entries generated with by HIPS even in debug mode.  I have found that disabling the Buffer Overflow engine for the patch window mitigates this issue somewhat.  However, some server still exhibit the problem even when BO is disabled.

I have excluded the update.exe from scanned processes in VSE, and wuauclt.exe and update.exe in the excluded process HIPS policy...to no avail.  But these exclusions aren't really indicated by the lack of threat events anyway.

Anyone else seeing issues with WSUS/other patch management for MS tools and HIPS 8/RP1?  I know of one person who is a senior security person who is disabling HIPS 8 buffer overflow for this type of issue as standard practice until it is resolved.  But I'm trying to narrow the issue further.

One other detail is that the machines that fail even with BO disabled seem to be getting .net patches that are failing to install and become corrupted.  I have a procedure doc to correct this if anyone is interested.  But the patches keep coming for .net...any help appreciated.

5 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: WSUS patches cause servers to lose network connectivity

Just to note.  These may or may not resolve the issue, but seem related from your information.

KB71456 - Windows 7 SP1 installation fails when McAfee Host Intrusion Prevention 8.0 "Startup IPS Protection" option is enabled
KB54778 - How to apply Microsoft Windows Operating System patches when Host Intrusion Prevention 8.0 / 7.0 client is enabled in protect mode

1. Disable the Startup IPS Protection option (if you have it enabled) before applying patches and rebooting.

2. Check for any signature violations related to the Buffer Overflow engine.

Highlighted

Re: WSUS patches cause servers to lose network connectivity

Good points, Kary - we don't have startup IPS protection enabled at this time.  Also, I checked the KB, but our issue is that we see no events/threats detected in the HIPS log at all.

Highlighted

Re: WSUS patches cause servers to lose network connectivity

On the advise of a senior security engineer and McAfee traininer, i disabled the Buffer Overflow engine (in the advanced UI settings) in the internal server environment.  We still have protection with VirusScan BO.  It seems to have quelled this issue.  Seems like the problem is in that engine.

Highlighted

Re: WSUS patches cause servers to lose network connectivity

ron,

Have you seen this issue resolved? I am planning a HIPS 8 migration soon and this is something I would like to address in the build phase, prior to full production deployment.

Thank you in advance!

Highlighted

Re: WSUS patches cause servers to lose network connectivity

I haven't seen a resolution so far, but I'm hopeful that patch 2 will offer some fixes.  I'd test with that patch due out later this month I believe.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community