Former Member
Message 1 of 7

Rogue System and HIPS

Is there a way of stopping HIPS on a PC / Server objecting to the actions of the Rogue System Detection service that is running on a PC / Server? I would have thought that if these products (ePO 4 SP4, RSD 2.0, HIPS 7.01) are designed to work together then the Rogue Sensor should not be checking on PCs / Servers that are already protected, or the HIPS should know that the attack is from the RSD Server and ignore it.

5cotty
6 Replies
Former Member
Message 2 of 7

RE: Rogue System and HIPS

Got exactly the same problem and no solution for it ...

When I bring out a sensor, an intrusion warning window pops up on all notebooks .....

I've added the policy for RSD under Rules but it's senseless...
Former Member
Message 3 of 7

Re: Rogue System and HIPS

Has anyone gotten this working properly?

I have been using RSD for a long time now and am trying to deploy HIPS on all the workstations. The RSD sensor is caught as an intrusion detection unless I manually add the IP to the trusted networks list. Doing that is a real pain. I have just over 20 RSD sensors on my networks and every time one of them gets a new IP address via DHCP I start getting calls about intrusion detection warnings. So I have to run a query for RSD sensors and check it against the current exceptions. This process is very time consuming and inefficient.

jstanley
McAfee Employee
Message 4 of 7

Re: Rogue System and HIPS

If I understand the question correctly, the problem is that when the RSD sensor does a port scan on a client, HIPS is triggering a NIPS port scan attack signature (Signature ID 3700 or 3701). If that is true then the solution is to add the IP address of all of your RSD Sensors to the HIPS Trusted Networks policy. You have to add the IP address for each sensor individually because in my experience it doesn't seem to work when you add a range (only this particular thing does not seem to work).

This is the only solution really because you cannot add exclusions for NIPS signatures. You could turn off the port scan NIPS signatures completely I suppose, but that would be less secure.

Former Member
Message 5 of 7

Re: Rogue System and HIPS

I think you understood my question correctly. I am already adding the RSD sensors to the HIPS Trusted Networks policy. However, the process of adding them to the policy every time the RSD sensor gets a new DHCP address is a pain.

I would like to automate the process somehow. I have a query set up that finds all of the RSD sensors' IP addresses and I would like to create a server task that adds the RSD sensors to the HIPS Trusted Networks policy automagically.

I don't know if this is even possible, but I can't be the only one having this issue.

I would hate to be one of the admins on here with > 1000 nodes. I don't think it would even be possible to manage that many.
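The manual reconciliation described in this thread (run a query for RSD sensor IPs, compare against the current HIPS Trusted Networks entries, add the missing ones individually) can at least be scripted offline. The following is an added example, not McAfee or ePO code: it assumes both lists are exported as one IP or CIDR per line (constructed samples below) and, following the point that range entries do not seem to suppress the port scan signature, flags sensors that are covered only by a range.

```python
"""Reconcile RSD sensor IPs against HIPS Trusted Networks entries.
Added example, not McAfee code. Input format is an assumption:
one IP address or CIDR per line, as in the constructed samples."""
import ipaddress

# Constructed sample: what an ePO query of RSD sensors might export.
SENSOR_QUERY_EXPORT = """\
10.1.5.23
10.1.5.24
10.2.7.101
192.168.40.9
"""

# Constructed sample: current HIPS Trusted Networks entries (IPs or CIDRs).
# Assumes this list is maintained for RSD sensors only.
TRUSTED_NETWORKS = """\
10.1.5.23
10.1.5.99
10.2.7.0/24
"""

def parse_lines(text):
    """Return the non-empty, stripped lines of an export."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def reconcile(sensor_text, trusted_text):
    """Return (to_add, stale, range_only) as lists of IP strings.

    to_add     - sensor IPs that have no individual trusted entry
    stale      - individual trusted IPs that are no longer sensors
    range_only - sensors covered only by a CIDR range (still need an
                 individual entry, per the reply above)
    """
    sensors = {ipaddress.ip_address(s) for s in parse_lines(sensor_text)}
    hosts, ranges = set(), []
    for entry in parse_lines(trusted_text):
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            ranges.append(net)
    to_add = sorted(s for s in sensors if s not in hosts)
    stale = sorted(h for h in hosts if h not in sensors)
    range_only = sorted(s for s in to_add if any(s in r for r in ranges))
    return ([str(s) for s in to_add], [str(h) for h in stale],
            [str(s) for s in range_only])

if __name__ == "__main__":
    add, stale, rng = reconcile(SENSOR_QUERY_EXPORT, TRUSTED_NETWORKS)
    print("add individually:", add)
    print("stale entries to review:", stale)
    print("covered only by a range:", rng)
```

The output lists are what an admin would paste into the policy (or feed to whatever server task mechanism is available), and the stale list catches sensors that changed DHCP address.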

Former Member
Message 6 of 7

Re: Rogue System and HIPS

So there is no solution??

Former Member
Message 7 of 7

Re: Rogue System and HIPS

I just ran into this issue and had to turn off 'Device details detections' totally. That stopped all the detections by HIPS of the RSD agent trying to fingerprint the OS. I still detect rogue systems...just not fingerprinting, which was just a best guess anyway (seems like the same methods used in NMAP).

Sadly McAfee didn't think to share with HIPS via ePO what systems in a subnet are RSD agents and not blindly react to RSD actions as threats.

You can add an RSD sensor to your DHCP server and then add the DHCP Server to your 'trusted network'. Depending on your environment you will have to identify the impacts of the RSD agent reaching out from one server to all your distributed nodes, i.e. WAN traffic etc. This will also not be as effective as a sensor per subnet listening to local traffic for rogue systems because some activity might be filtered out at the various network switches etc.

I have over 400 subnets spread across a large geographic area (thousands of km apart). I wanted a primary and backup RSD agent per subnet and adding 800+ systems to the 'trusted network' was not feasible. Since I am also using workstations as my sensors there was the issue of disappearing RSD agent systems (turned off, reimaged etc).

If you have Agent Handlers behind a firewall RSD won't work on those systems. The RSD sensor still tries to connect to the ePO DB and the ePO Server directly and doesn't even try the Agent Handler. This is confirmed in ePO 4.5 at all patch levels I have tried.
