I've found that fairly often HIPS will block some processes from running even though there is an exception created to allow a certain activity to happen. And sometimes, even an exception that was working correctly will suddenly start blocking a process that was supposed to be allowed. In another case, I had a set of Exchange Clusters that kept getting blocked by a signature that had an exception created for it, so I had HIPS automatically create an exception, and it still kept blocking the process.
Can anyone tell me why?
Anticipating in advance some of the standard questions, I *am* checking the IPS rules policies applied to the specific OU this system resides in. The systems are successfully checking in to the ePO server and apparently getting policy updates.
The exception rule is fairly broad; "all users" are allowed to run a specific authorized process, no advanced details are specified. In most cases the rule was created automatically by HIPS ('Create exception'), and edited to make it relevant to a broader set of users/hostnames.
Just speculating out loud, a couple of things come to mind that I wondered whether they were relevant or not.
For one, I stuck with the default "Exception name" field when creating exceptions. If multiple exceptions were created based on the same signature, would having duplicate exception names maybe cause HIPS to scan just the first exception and skip the second exception? (I noticed in many cases, when the exceptions wouldn't successfully apply there were multiple but separate exceptions to that particular HIPS signature).
Another thing I wondered about, even though a machine appears to be successfully communicating with the ePO server, how can you tell for sure that it's actually receiving and applying any policy changes?