We've been seeing this issue since HIPS 8 was deployed to servers and the issue continues with HIPS 8 patch 1. Have to start the server with OOB management in safe mode, disable HIPS and then reboot to get network back.
Have opened numerous cases, but there are no log entries generated with by HIPS even in debug mode. I have found that disabling the Buffer Overflow engine for the patch window mitigates this issue somewhat. However, some server still exhibit the problem even when BO is disabled.
I have excluded the update.exe from scanned processes in VSE, and wuauclt.exe and update.exe in the excluded process HIPS policy...to no avail. But these exclusions aren't really indicated by the lack of threat events anyway.
Anyone else seeing issues with WSUS/other patch management for MS tools and HIPS 8/RP1? I know of one person who is a senior security person who is disabling HIPS 8 buffer overflow for this type of issue as standard practice until it is resolved. But I'm trying to narrow the issue further.
One other detail is that the machines that fail even with BO disabled seem to be getting .net patches that are failing to install and become corrupted. I have a procedure doc to correct this if anyone is interested. But the patches keep coming for .net...any help appreciated.
Just to note. These may or may not resolve the issue, but seem related from your information.
KB71456 - Windows 7 SP1 installation fails when McAfee Host Intrusion Prevention 8.0 "Startup IPS Protection" option is enabled
KB54778 - How to apply Microsoft Windows Operating System patches when Host Intrusion Prevention 8.0 / 7.0 client is enabled in protect mode
1. Disable the Startup IPS Protection option (if you have it enabled) before applying patches and rebooting.
2. Check for any signature violations related to the Buffer Overflow engine.
Good points, Kary - we don't have startup IPS protection enabled at this time. Also, I checked the KB, but our issue is that we see no events/threats detected in the HIPS log at all.
On the advise of a senior security engineer and McAfee traininer, i disabled the Buffer Overflow engine (in the advanced UI settings) in the internal server environment. We still have protection with VirusScan BO. It seems to have quelled this issue. Seems like the problem is in that engine.
Have you seen this issue resolved? I am planning a HIPS 8 migration soon and this is something I would like to address in the build phase, prior to full production deployment.
Thank you in advance!