6 Replies Latest reply on Jan 27, 2011 3:22 PM by CarlB

    Rogue System and HIPS

      Is there a way of stopping HIPS on a PC / Server objecting to the actions of the Rogue System detection service that is running on a PC / Server? I would have thought that if these products (ePO 4 SP4, RSD 2.0, HIPS 7.01) are designed to work together then the Rogue Sensor should not be checking on PCs / Servers that are already protected, or the HIPS should know that the attack is from the RSD Server and ignore it.

      5cotty
        • 1. RE: Rogue System and HIPS
          Got exactly the same problem and no solution for it ...

          When I roll out a Sensor, an intrusion warning window pops up on all notebooks .....

          I've added the policy for RSD under Rules but it's senseless...
          • 2. Re: Rogue System and HIPS

            Has anyone gotten this working properly?

            I have been using RSD for a long time now and am trying to deploy HIPS on all the workstations. The RSD sensor is caught as an intrusion detection unless I manually add the IP to the trusted networks list. Doing that is a real pain. I have just over 20 RSD sensors on my networks and every time one of them gets a new IP address via DHCP I start getting calls about Intrusion detection warnings. So I have to run a query for RSD sensors and check it against the current exceptions. This process is very time consuming and inefficient.

            • 3. Re: Rogue System and HIPS
              jstanley

              If I understand the question correctly the problem is that when the RSD sensor does a port scan on a client, HIPS is triggering a NIPS port scan attack signature (SignatureID 3700 or 3701). If that is true then the solution is to add the IP address of all of your RSD Sensors to the HIPS Trusted Networks policy. You have to add the IP address for each sensor individually because in my experience it doesn't seem to work when you add a range (only this particular thing does not seem to work).

              This is the only solution really because you cannot add exclusions for NIPS signatures. You could turn off the port scan NIPS signatures completely I suppose but that would be less secure.

              • 4. Re: Rogue System and HIPS


                I think you understood my question correctly. I am already adding the RSD sensors to the HIPS Trusted Networks policy. However, the process of adding them to the policy every time the RSD sensor gets a new DHCP address is a pain.

                I would like to automate the process somehow. I have a query set up that finds all of the RSD sensors' IP addresses and I would like to create a server task that adds the RSD sensors to the HIPS Trusted Networks policy automagically.

                I don't know if this is even possible, but I can't be the only one having this issue.

                I would hate to be one of the admins on here with > 1000 nodes. I don't think it would even be possible to manage that many.
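The reconciliation that replies 2 and 4 describe (run the RSD sensor query, compare it with the current Trusted Networks entries, add what is missing and drop what is stale) can be scripted; the following is an added example and not code from the thread or from ePO. It assumes the sensor query has been exported as a CSV with `hostname` and `ip_address` columns and the Trusted Networks entries as one address or CIDR per line (both are constructed sample data, not a real export format). Following reply 3, it emits individual addresses to add rather than ranges.

```python
import csv
import io
import ipaddress

# Constructed sample: an exported RSD sensor query (column names are assumptions).
SENSOR_EXPORT = """hostname,ip_address
rsd-sensor-01,10.1.10.23
rsd-sensor-02,10.1.20.57
rsd-sensor-03,10.2.10.9
"""

# Constructed sample: current HIPS Trusted Networks entries, one per line.
# Bare addresses and CIDR ranges are both accepted when checking coverage.
TRUSTED_NETWORKS = """10.1.10.23
10.1.20.41
10.2.10.0/24
"""


def parse_sensors(text):
    """Return {ip_address: hostname} for every sensor row in the CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {ipaddress.ip_address(r["ip_address"]): r["hostname"] for r in rows}


def parse_trusted(text):
    """Return the trusted entries as networks (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def reconcile(sensors, trusted):
    """Return (ips_to_add, ips_to_remove): sensors not covered by any trusted
    entry, and single-host entries that no longer match a sensor (for example
    after a DHCP lease change or a reimaged sensor workstation)."""
    missing = sorted(ip for ip in sensors
                     if not any(ip in net for net in trusted))
    stale = sorted(net.network_address for net in trusted
                   if net.prefixlen == net.max_prefixlen
                   and net.network_address not in sensors)
    return [str(ip) for ip in missing], [str(ip) for ip in stale]


if __name__ == "__main__":
    to_add, to_remove = reconcile(parse_sensors(SENSOR_EXPORT),
                                  parse_trusted(TRUSTED_NETWORKS))
    # Add each sensor as an individual address; the thread reports ranges
    # are not honoured for this case.
    print("add to Trusted Networks:", to_add)
    print("stale entries to remove:", to_remove)
```

Scheduling this against a fresh query export turns the manual check into a diff that only lists what actually changed since the last run.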

                • 5. Re: Rogue System and HIPS
                  olimbizkit

                  So there is no solution??

                  • 6. Re: Rogue System and HIPS

                    I just ran into this issue and had to turn off 'Device details detections' totally. That stopped all the detections by HIPS of the RSD agent trying to fingerprint the OS. I still detect Rogue systems...just not fingerprinting, which was just a best guess anyway (seems like the same methods used in NMAP).

                    Sadly McAfee didn't think to share with HIPS via ePO what systems in a subnet are RSD agents and not blindly react to RSD actions as threats.

                    You can add an RSD sensor to your DHCP server and then add the DHCP Server to your 'trusted network'. Depending on your environment you will have to identify the impacts of the RSD agent reaching out from one Server to all your distributed nodes, i.e. WAN traffic etc. This will also not be as effective as a sensor per subnet listening to local traffic for Rogue Systems because some activity might be filtered out at the various network switches etc.

                    I have over 400 subnets spread across a large geographic area (thousands of km apart). I wanted a primary and backup RSD agent per subnet and adding 800+ systems to the 'trusted network' was not feasible. Since I am also using workstations as my sensors there was the issue of disappearing RSD agent systems (turned off, reimaged etc).

                    If you have Agent Handlers behind a firewall RSD won't work on those systems. The RSD sensor still tries to connect to the ePO DB and the ePO Server directly and doesn't even try the Agent Handler. This is confirmed in ePO 4.5 at all patch levels I have tried.