Just wondering, has anyone looked into deploying SP3 on a HIPS-enabled host?
I just ran the <windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe> version of SP3 on an SP2 XP system, and a number of alerts appeared, one specifically down to an update to the Windows 'screen saver logon.scr'. HIPS popped up an alert with a warning. Other actions blocked were related to the access protection rules of Vscan 8.5i, where changes were being made to the registry.
My concern would be, if we were to release SP3 (when it gets its official release via WSUS), will I be facing a large number of systems with alerts appearing?
I am using LANDesk for software deployment and patch management. We recently upgraded to McAfee 8.5 and EPO 4.0. After the update I started getting deployment failures and users calling about a pop-up message referring to access to the registry. I found that going to the user's machine and manually running the install package created the same error. To finally get the software to install I had to temporarily disable McAfee Access Protection and then run the install package (manually). The problem with this method is that EPO will reset Access Protection back to Enabled as soon as it reports back to the EPO server (every 15 minutes). You don't know if you have 15 minutes or 1 minute to install your software because you don't know when the EPO agent last checked in. Against my recommendations, the Security Audit Manager had the EPO administrator set McAfee 8.5 to Maximum Protection. The McAfee logs on the machines clearly show McAfee blocking the software install package executable. We can add exclusions to help, but they would have to enter approx. 125 names to cover all of our install packages, hoping it would not see something else to stop as the package installs, i.e. registry changes.
They are also trying to blame it on the HIPS we have running. I don't know if HIPS is the problem... I think it is setting McAfee to MAX protection. If you or anyone out there has run across any fixes, suggestions or helpful utilities to disable McAfee long enough to patch the machine or install software, I would appreciate hearing about it.
Also, the powers here have decided to try the LANDesk HIPS rather than McAfee, thinking it would allow its (LANDesk) packages to go through and not block. I hope they are correct, but I still think it is McAfee Access Protection being set to high.