Other than uninstalling and re-installing HIPS (which works, but isn't convenient to do), does anyone know of a way to repair systems where ePO is reporting that HIPS has:
- Firewall Status unknown or disabled. I have confirmed that the system is getting the policy to enable the firewall.
- Product Status unknown or disabled. I have confirmed that the system is getting the policy to enable IPS.
- Service Running unknown or disabled. I have confirmed on the PC that the McAfee Host Intrusion Prevention Service is indeed running.
Check the ePO Node properties and verify if the HIPS values above are correct. If they are, try manually running the HIPS Property Translator server task (leave it Disabled). This can correct what HIPS values you see when running ePO Queries.
Also upgrade to the HIPS 8.0.6 extension, due to several bug fixes in the HIPS Extension and Property Translator task.
PD25972 - Host Intrusion Prevention 8.0 Patch 6 Software for Windows Release Notes
Thanks, I'll give that a try. I always wondered, what does the property translator task do? Is there a reason why we need to keep it disabled?
KB73399 - FAQs for Host Intrusion Prevention 8.0
The Host IPS ePO Property Translator server task runs every 15 minutes by default to convert system client properties into adaptive client rules that are displayed in the client rules tabs of the Host IPS 8.0 or 7.0 Event Reporting display.
The server task is there to run the task manually, if needed (hence why it should remain disabled). It already runs automatically inside the ePO services.
We have a customer who is also seeing some strange behavior with HIPS Service Status showing as "Service Not Running" in ePO when in fact the systems all show that the service is enabled.
The number of systems showing as "Service Not Running" will bounce around throughout the day.
Agent Wakeup calls don't seem to change anything, and running the Property Translator doesn't do anything either.
I'd really like to find out two things:
An addendum to my original post. After we upgraded to ePO 5.1.3, which required a HIPS extension upgrade to 220.127.116.118, our numbers went way up. However, like you, I do see 6 systems that say service disabled yet HIPS and firewall are enabled. Of those 6, only one was online at the moment, and when I physically checked the service it was running, but I see that the McAfee Framework service had stopped. I restarted it, then collected properties, and it's still reporting disabled.