Who Me Too'd this topic


Exceptions to HIPS signatures sometimes don't seem to be applying

I've found that fairly often HIPS will block some processes from running even though there is an exception created to allow a certain activity to happen. And sometimes, even an exception that was working correctly will suddenly start blocking a process that was supposed to be allowed. In another case, I had a set of Exchange Clusters that kept getting blocked by a signature that had an exception created for it, so I had HIPS automatically create an exception, and it still kept blocking the process.

Can anyone tell me why?

Anticipating in advance some of the standard questions, I *am* checking the IPS rules policies applied to the specific OU this system resides in.  The systems are successfully checking in to the ePO server and apparently getting policy updates.

The exception rule is fairly broad; "all users" are allowed to run a specific authorized process, no advanced details are specified. In most cases the rule was created automatically by HIPS ('Create exception'), and edited to make it relevant to a broader set of users/hostnames.

Just speculating out loud, a couple of things come to mind that I wondered whether they were relevant or not.

For one, I stuck with the default "Exception name" field when creating exceptions. If multiple exceptions were created based on the same signature, would having duplicate exception names maybe cause HIPS to scan just the first exception and skip the second exception? (I noticed in many cases, when the exceptions wouldn't successfully apply there were multiple but separate exceptions to that particular HIPS signature).

Another thing I wondered about, even though a machine appears to be successfully communicating with the ePO server, how can you tell for sure that it's actually receiving and applying any policy changes?

PG
