unstable application matching on the HIPS Firewall

Has anyone else recently started noticing some unstable behaviour on the HIPS firewall (since HIPS Patch 10 or McAfee Exploit Prevention Content 8274)?

What we notice is that application matching is sometimes failing even while the application is still listening on the inbound port. We have seen this in the past with slow server responses (TCP timeout) where the connection was already removed from the state table, or the application had already stopped listening on the port. However, these are "works as designed".

In these cases (we have multiple) the application is still running and listening for inbound connections; however, HIPS is seeing the process as the system idle process.

...
04/12/2018 09:12:06.859 FireCore.cpp[5757] VERBOSE  (7652) getProcessInfo() - Will not attempt to get process info for system idle process.
...
04/12/2018 09:12:06.859 FireCore.cpp[6169] VERBOSE  (7652) handleNotificationEventLog() - traffic event received:
 Mode = traffic
 Process id = 0
 Event type = FW_LOG_EVENT_TYPE_TRAFFIC
 Direction = FW_DIRECTION_INBOUND
 Action = FW_ACTION_BLOCK_PACKET
 Source port = xx
 Dest port = xx
 Ip protocol = 17
 Ethernet type = 0x800
 Process path =
 Local ip addr = xx.xx.xx.xx
 Remote ip addr = xx.xx.xx.xx
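The log excerpt above is the kind of evidence you need to separate the two cases the post describes: a block with Process id = 0 because nothing is actually listening any more (works as designed) versus a block with Process id = 0 while the application is still bound to the port (the matching failure being reported). The following is an added example, not part of the original post or of McAfee's tooling: it parses FireCore "traffic event received:" blocks in the layout quoted above, joins each inbound block against a snapshot of listening sockets, and flags only the events where HIPS reported the idle process although a listener exists. The sample log (ports, addresses, PIDs, paths) and the listener snapshot are constructed; in practice the snapshot would be built from the affected host's own socket listing (for example `netstat -ano` on Windows) taken close to the event time.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of the HIPS FireCore VERBOSE log quoted in the post.
# Only the field names and the enum strings come from the post; ports, addresses, PIDs and
# paths are made up, and a subset of the fields is kept per event to stay short.
SAMPLE_LOG = """\
04/12/2018 09:12:06.859 FireCore.cpp[5757] VERBOSE  (7652) getProcessInfo() - Will not attempt to get process info for system idle process.
04/12/2018 09:12:06.859 FireCore.cpp[6169] VERBOSE  (7652) handleNotificationEventLog() - traffic event received:
 Process id = 0
 Event type = FW_LOG_EVENT_TYPE_TRAFFIC
 Direction = FW_DIRECTION_INBOUND
 Action = FW_ACTION_BLOCK_PACKET
 Source port = 51234
 Dest port = 161
 Ip protocol = 17
 Process path =
 Remote ip addr = 10.0.0.9
04/12/2018 09:12:07.120 FireCore.cpp[6169] VERBOSE  (7652) handleNotificationEventLog() - traffic event received:
 Process id = 0
 Event type = FW_LOG_EVENT_TYPE_TRAFFIC
 Direction = FW_DIRECTION_INBOUND
 Action = FW_ACTION_BLOCK_PACKET
 Source port = 60123
 Dest port = 1900
 Ip protocol = 17
 Process path =
 Remote ip addr = 10.0.0.77
04/12/2018 09:12:08.004 FireCore.cpp[6169] VERBOSE  (7652) handleNotificationEventLog() - traffic event received:
 Process id = 4120
 Event type = FW_LOG_EVENT_TYPE_TRAFFIC
 Direction = FW_DIRECTION_INBOUND
 Action = FW_ACTION_BLOCK_PACKET
 Source port = 40000
 Dest port = 8443
 Ip protocol = 6
 Process path = C:\\Program Files\\Example\\svc.exe
 Remote ip addr = 10.0.0.20
"""

# Constructed snapshot of listening sockets on the host, keyed by (IP protocol number,
# local port) -> owning executable. 17 = UDP, 6 = TCP. Build it from the host's own
# socket listing in practice.
LISTENERS: Dict[Tuple[int, int], str] = {
    (17, 161): r"C:\Program Files\Example\snmpd.exe",
    (6, 8443): r"C:\Program Files\Example\svc.exe",
}

HEADER = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*handleNotificationEventLog\(\) - traffic event received:$"
)
FIELD = re.compile(r"^\s+([^=]+?)\s*=\s*(.*)$")  # indented "Key = value" lines; value may be empty


@dataclass
class TrafficEvent:
    timestamp: str
    fields: Dict[str, str]

    def _int(self, key: str) -> int:
        value = self.fields.get(key, "")
        return int(value) if value else -1

    @property
    def pid(self) -> int:
        return self._int("Process id")

    @property
    def protocol(self) -> int:
        return self._int("Ip protocol")

    @property
    def dest_port(self) -> int:
        return self._int("Dest port")


def parse_events(log_text: str) -> List[TrafficEvent]:
    """Attach each indented field line to the most recent 'traffic event received:' header."""
    events: List[TrafficEvent] = []
    current = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = TrafficEvent(header.group(1), {})
            events.append(current)
            continue
        field = FIELD.match(line)
        if current is not None and field:
            current.fields[field.group(1)] = field.group(2).strip()
        else:
            current = None  # any non-indented line (e.g. getProcessInfo) ends the block
    return events


def classify(event: TrafficEvent, listeners: Dict[Tuple[int, int], str]) -> str:
    """Verdict for one event relative to the listening-socket snapshot."""
    if event.fields.get("Direction") != "FW_DIRECTION_INBOUND" or event.fields.get("Action") != "FW_ACTION_BLOCK_PACKET":
        return "not-an-inbound-block"
    if event.pid != 0:
        return "blocked-with-process"  # HIPS matched a real process; an ordinary rule decision
    if (event.protocol, event.dest_port) in listeners:
        return "matching-failure"  # idle process reported although something is bound to the port
    return "no-listener"  # idle process is expected here: nothing listening (works as designed)


def find_matching_failures(log_text: str, listeners: Dict[Tuple[int, int], str]) -> List[Tuple[str, int, int, str]]:
    """Return (timestamp, protocol, dest port, listener path) for every suspected matching failure."""
    return [
        (e.timestamp, e.protocol, e.dest_port, listeners[(e.protocol, e.dest_port)])
        for e in parse_events(log_text)
        if classify(e, listeners) == "matching-failure"
    ]


if __name__ == "__main__":
    for failure in find_matching_failures(SAMPLE_LOG, LISTENERS):
        print("suspected application-matching failure:", failure)
```

Only the first event is reported: it was blocked as the idle process while the snapshot shows an executable bound to UDP/161. The second is the benign case from the post (nothing listening on UDP/1900), and the third was attributed to a real PID, so it is a plain rule block rather than a matching problem. Collecting the reported tuples alongside the listener snapshot is also what a support case about this behaviour would need.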
