Anyone else recently started noticing some unstable behaviour on HIPS firewall? (since HIPS Patch 10 or McAfee Exploit Prevention Content 8274)
What we notice is that application matching is sometimes failing even while the application is still listening on the inbound port. We have seem this in the past with slow server responses (TCP timeout) where the connection was already removed from the state table, or the application had already stopped listening to the port. However these are "works as designed".
In these cases (we have multiple) the application is still running and listening on inbound connections however HIPS is seeing the process as the system idle process.
04/12/2018 09:12:06.859 FireCore.cpp VERBOSE (7652) getProcessInfo() - Will not attempt to get process info for system idle process.
04/12/2018 09:12:06.859 FireCore.cpp VERBOSE (7652) handleNotificationEventLog() - traffic event received:
Mode = traffic
Process id = 0
Event type = FW_LOG_EVENT_TYPE_TRAFFIC
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Source port = xx
Dest port = xx
Ip protocol = 17
Ethernet type = 0x800
Process path =
Local ip addr = xx.xx.xx.xx
Remote ip addr = xx.xx.xx.xx